By Dr. Philip Baczewski, Associate Director of Academic Computing
Internet commerce is SO convenient. A few clicks. Some shipping information. Some billing information. Before you know it, you've got a brand new pedometer in your mailbox.
Since the time when the Internet went commercial (about ten years ago) most people would probably say that E-mail and shopping are its most useful services. Internet commerce has grown up with the network and it is now an integral part of most retail businesses and is the only part of some retail businesses. But with the rise of Internet commerce there has also been a rise in Internet fraud.
A new trend in Internet fraud
A new trend in Internet fraud is a kind of social engineering called "phishing." Just as calling someone "phat" with correct pronunciation of the "ph" shouldn't get you slapped, phishing will not yield anything you can pan fry.
Phishing takes the form of an urgent E-mail which tells you that there is something wrong with your -- fill-in-the-blank -- account and that unless you update your information right away, your account will be cancelled. Usually you are directed to a web site on which you can provide personal or financial information. Usually, the web site is a phony location, just set up to harvest credit card numbers or other security-sensitive information.
PayPal online payment service accounts have been one of the most frequent targets of phishing. The E-mail usually says something like, "unless you update your credit card information, your account will be closed." Doing so, however, would most likely result in your credit card being misappropriated. PayPal states on their site, "If we require information from you, we will notify you in an email and request that you enter the information only after you have safely and securely logged in to your PayPal account." In other words, if you need to communicate with PayPal, do so through secure means and via their site only.
The first rule of computer security is to never give out your password . . .
Whenever you are providing credit card or other sensitive information (including, whenever possible, login name and password) to a Website, you should be sure that the information will be sent via an encrypted connection and that the information is being sent to the site where you think it's being sent. Web pages use a technology called SSL to send information from your browser to the web server in an encrypted manner so that only the remote Website can read your information. You can tell a secure site because its URL starts with "https:" and in most browsers, a lock icon will show up somewhere at the bottom of the browser window. In most cases, clicking on that lock icon will allow you to see what organization issued the security certificate and to what organization it was issued.
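The two checks described above (an encrypted connection, and the site you think you are sending to) can also be applied to a link before it is clicked. The following is an added example, not part of the original article; the function names and sample links are constructed for illustration, with PayPal's domain taken from the article as the expected site.

```python
from urllib.parse import urlsplit


def check_destination(url, expected_domain):
    """Return a list of reasons not to treat `url` as a page of `expected_domain`."""
    try:
        parts = urlsplit(url.strip())
    except ValueError:
        return ["unparseable URL"]
    problems = []
    host = (parts.hostname or "").rstrip(".")
    expected = expected_domain.lower().rstrip(".")

    # First check from the article: the connection must be encrypted (https).
    if parts.scheme != "https":
        problems.append("not https")
    # Anything before '@' is a user name, not the site; the real host follows it.
    if parts.username is not None:
        problems.append("userinfo before host")
    # Second check: the host must be the expected domain or a subdomain of it.
    # Matching on a leading dot compares whole labels, so a host that merely
    # starts with or contains the expected name does not pass.
    if not host:
        problems.append("no host")
    elif host != expected and not host.endswith("." + expected):
        problems.append("host %s is not %s" % (host, expected))
    return problems


# Constructed sample links, as they might appear in an "update your account" E-mail.
SAMPLES = [
    "https://www.paypal.com/login",
    "http://www.paypal.com/update",
    "https://paypal.com.account-update.example/login",
    "https://www.paypal.com@192.0.2.10/login",
]


def review(links, expected_domain):
    """Map each link to the problems found for it (empty list = passed both checks)."""
    return {link: check_destination(link, expected_domain) for link in links}


if __name__ == "__main__":
    for link, problems in review(SAMPLES, "paypal.com").items():
        print(link, "->", problems or "ok")
```

A link that passes only shows that it points at the expected domain over https; the certificate details behind the lock icon remain the check for who actually operates the site.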
Beyond being careful where you Websurf, also use common sense to protect your online information. A recent BBC article revealed that 70 percent of Britons sampled at random in London would give out their computer login name and password in exchange for a bar of chocolate. How much could someone learn about you by logging in and reading your E-mail or accessing your network files? The first rule of computer security is to never give out your password; anybody who asks for it is probably not entitled to know it.
One of the older social engineering tricks used by hackers is to phone someone up and pretend to be a technical support specialist fixing the network. The conversation usually gets around to asking you to reveal your password so that they can test the network. If you tell them, you've just compromised the network's and your own information security.
The Federal Trade Commission offers some basic advice on how to avoid being hooked by a phishing scam. Another source is an industry group that runs www.antiphishing.org, which also provides a page on how to avoid phishing scams. Both urge you to be suspicious of urgent E-mails which ask you to reveal or update financial information. And -- by the way -- don't send your bank account information to anyone claiming to be a former Nigerian government member.