WOW: Surprising Stats on Phishing

hey bob...thank you for the article on virus protection...i switched to avast from avg and i see a distinct difference...i too was a victim of the automatic re-up and the price went from 39 a yr to 54...i give avg credit,they refunded my money in only 3 days

An excellent article Bob! As a long-time computer troubleshooter, I've been advising customers, friends, neighbors and relatives on several of these points. You've also got some great additions to what I've been recommending. Some people take action on them, but unfortunately many don't. I'll send them a link to this page, hoping more will act on your warnings, than mine.

If you want to slow it down, we need to start fining the banks and brokerage houses that encourage phishing. It should be illegal for any financial institution to send out emails with links in them. To make matters worse, half the time you can't access the article or offer if you open your browser and connect to the saved site; the advertised feature is ONLY available if you click on the email link and sign in to the site IT takes you to,

Use False answers to Security questions to stymie their success.
i.e. "Street: Ans: "123 byteme"..
Mothers Maiden Name .."Papa Johns"....
etc.
Googles will find facts and fail the question/answer.

>>>> …according to other researchers there are 2,405,518,376 Internet users…

Whoever claims to know the number of Internet users with that fine resolution is anything but a researcher.

I could accept an ESTIMATE of 2.40 milliard users or, better yet, a more careful estimate of 2.4 milliard users.

While I was typing this comment, numerous users connected to the Internet for the first time and numerous users perished.

>>>> “9 incidents per million users per day.”

Bursztein et al actually referred only to users who lost access to their Google account due to successful phishing. Fortunately, not everyone uses a Google account..!

>>>> ….more education is needed to make Internet users aware of this menace.

ABSOLUTELY!

Users should also be educated about the menace of Google, Facebook, etc. who brutally intrude on their privacy by collecting their personal data.

I've read two tips on passwords. Add symbols in the middle. So if my pw is bobprice, it becomes bob###price.

Second, use other words for secret question,
"Who was your childhood best friend?"
"Lady Gaga"

Speaking of which, received one of these phoney emails from a false Wells Fargo, telling me that a number of people had been trying to enter my account and to protect me, they would have to block my account if I didn't reconfirm my access information. I know that Wells Fargo would never ask for this kind of info via email. When I moused over the link I was to send the data, this is what came up: http://wel.wellknown.co/~geomobilizer/hgtest/. Thanks to my Kaspersky Internet Security it was removed from my laptop. Kaspersky is number one!

I thought I was infallible at spotting phishing spams; it was moreover a satisfying sport to turn them in to SpamCop by the dozens per week. Well, the impossible finally happened—I fell for one, hard. This particular phishing spam was masquerading as a personal e-mail storage overflow/system migration notice from our IT group. I was not paying full attention, and I was also vaguely aware that I was in fact getting close to my e-mail storage limit. Then, WHAM, the blinding white light a millisecond after hitting send, and that sinking feeling that something wasn't right. Sure enough, the following Web page URL was clearly NOT local. Fortunately, in panic mode it took only about 10 minutes to change the password everywhere previously used with that address. Apparently, according to Bob's article, the passwords were changed just in time. The moral is, train yourself to think more than once before revealing passwords, especially on a page you haven't actually seen before!

"Phishers learn and adapt very rapidly. When Google started asking “secret questions” like “what was the name of the street you grew up on?” phishers immediately began looking for the answers, and finding them."

Never stop laughing on people... Why do they spread over all the Internet answers to their secret questions??? Should they refresh the meaning of the word "secret"? Of course, you can not take back whatever you've already talked in public internet resources, but who force you to use this info again and again? Just use something that you never mentioned. Yet.

Are humans really sapiens? The longer I live, the more I doubt about that...

I am very surprised and disappointed at the huge number of banks and financial institutions who do not offer 2-step-verify.

I never get tricked with e-mails (so far),I always go to the site through their real address, if I am not sure it is a real notice. And, I forward the evil e-mail to the real sites to investigate.

Now, the banner ads, I hope I don't weaken and click.

I get many emails about 'Notice to Appear' or a variation which is supposed to be a notice for me to appear in court. Every email uses a different USA lawyer's email address, they've told me it is a bad email. It always contains a zipped virus which makes it through to me. I also get many IT Briefs emails, same thing, different addresses.
I go on many web sites and I see the 'jumping' 'Media Player' update, which is another bad link but I don't know how to delete that.

You think we should use Google's 2-step verification with our phone number? I don't advise giving Google your phone number. I don't even have my real name or zip code for my Google and Yahoo accounts. I ran a small free ad for my business on Google Maps, and they shared my number with 100 or more other companies, who have been spamming my phone for years. See if the major companies give you a choice of various 2-step verifications.

You mention using 2 step verification. I agree that is desirable, but that is not determined by the user, but by the website designer of the site you are trying to log into. Only one of the "sensitive" sites that I use, a bank, uses 2 step verification. I wish the rest did.

Hello from England Bob. I fell for what I think was a very sophisticated Phishing exercise. My Road Tax was due for renewal. I normally did it at the Post Office but forgot so I needed to renew in a hurry before my disc exopired. You can renew online at the DVLA ( Driver and Vehicle Licensing Authority ) website, so I simply googled DVLA and went to the site at the top of the list offered. I filled in my details as requested, Car Registration, Address and card details, pressed enter and got an error message saying the page needed to begin again. It reloaded and I filled in my details again and successfully got to the end. A few days later I got a call from my bank asking if I could confirm if I had made certain payments. They went through a list, DVLA, petrol, shopping etc. and three purchases of jewellery, membership of an online dating site, and a hotel room in Las Vegas. Needless to say, the jewellery, dating and hotel were not me. The bank said straight away I had been to a fake DVLA site which had taken my details and then sent me to the proper site after the fake error message. The DVLA is a Government body, so these phishers had actually faked a British Government website, and somehow got it to number one on Google to sting people. How do we defend against that sort of ingenuity when we cannot even trust a Government website ? ( I imagine some are laughing at the thought of trusting anything to do with the Government, but you know what I mean )

I monitor the spam folder for a business (on gmail) I've seen over 150 spams per day fill that sucker up. What is really silly is how many are listed as coming from separate senders, but have identical subject lines, right down to the mis-spellings (some purposeful in an attempt to get around the spam filters). I can get a dozen or more in a row. The subjects range from "enhancement" products to Open Enrollment for health insurance to floor coatings to luxury yachts (?!). It's always funny to see "Hey, (name of company), please you girlfriend tonights!" I know current law sees corporations as "individuals," but I doubt the said corporation is dating...

Day after day.

We even get dozens of spams in Chinese... go figure.

One other clue to a suspicious email that at least can be done on gmail is to hover over the name of the sender. A pop up will appear with some info about he sender like a photo (if it's a gmail account and they've provided one) or the like. Usually this info is missing so it's a good bet the sender is fake. This is good if you get a suspicious email that was supposedly sent by an individual as most folks I know will have at least *some* profile info that will get displayed.

Rule #1 should be "If in doubt, don't." (or "If in doubt, delete.")

And Rule #2 could be to always provide made-up info for those "security questions." I did a Google search on a friend and found far too much information that even they didn't know was out there.