I had a visit with a client this last week which involved a successful phishing expedition.
At first my client thought she had been afflicted with the Conficker worm that’s been going around, since the event occurred on April 1. On the positive side, she didn’t have any infections as her system was fully updated and the antivirus program was working fine. All other diagnostics pointed toward clean.
However, on April 1 she received an email purporting to be from her provider saying that there was a problem with her account and she needed to confirm some details. She clicked on the link and followed along with the questions that were asked. It was basically over at that point.
The first she heard of a problem was when someone else notified her that she was sending out spam and that maybe her computer had a virus. A likely reason that this was not the case was that she was using one of the popular web-based email services. While using one of these services can be convenient (you don’t have to get a new address if you change your internet service provider and you can read it anywhere), getting support to fix this kind of a problem can be nearly impossible.
Among other things, I did help her get situated with a different e-mail address and started the process of securing other accounts so that anything present in the compromised account couldn’t be used against her.
This situation is not unlike what can happen with offline identity theft. You almost end up having to make the process of correcting the issue a second occupation.
What can you learn from this?
No legitimate company (bank, online service, etc.) will ever send you an email saying that your account has been compromised. If you think about it, if your account was truly compromised, would you actually get an email about it? One of the first things that would be done by the compromiser is to change the email information in the account so that the true user wouldn’t be able to know about or fix the problem.
In the fine print of an email that I received from my bank, it said:
Emails from [bank] are intended to inform you of our offers, promotions, and updates. [Bank] will never ask you for confidential account information to be sent by unsecured email or provide a link to a sign on page that requires you to enter personal information. If you need to communicate sensitive customer information to [bank], you should go to [bank’s web site], sign on to Online Banking, and communicate with us via the secured messaging center.
All other services I’ve used have similar language.