
A tale of stupidity and liability

Opinion
Jun 07, 2004
4 mins
Networking

While viruses and worms relentlessly pound away at our perimeters, the latest challenge to corporate and small office/home office users is phishing. This is where you, the user, are the fish, susceptible to the enticements of the phisherman, and you break down your own security defenses through sheer gullibility.

Say you receive an e-mail purporting to be from service@paypal.com that reads: “It has come to our attention that your account needs to be updated due to inactive members, frauds and spoof reports. If you could please take 5 to 10 minutes to renew your records, you will not run into any future problems with the online service. However, failure to update your records will result in account deletion. Please follow the link below and renew your account information.”

The PayPal logo is omnipresent. The link takes you right to the PayPal personal account identity verification page. You make your changes and are done. Maybe.

Say you receive an e-mail from a financial institution we’ll call the Bank of Stupidity and Liability (S&L) that says: “To enhance the level of service you receive with Bank of S&L Online Services, we’re requiring Online Services customers to change their customer access number, PIN and codeword to a new user ID and password. And we’re enhancing the process for obtaining your password should you ever forget it.”

This e-mail also contains a privacy link, but no bank logo or other banking credentials to verify its authenticity.

What do you do? First of all, as a corporate or SOHO user, you should be suspicious of any e-mail that asks you to perform security-related changes or verifications.

In the PayPal example, I looked at the address bar URL to which I was directed and found that I had landed at www.edenbridals.com/wap/verify.htm, not PayPal. I performed a WhoIs lookup, then a limited scan of the IP address and found the critical security ports on this server were wide open. A hacker had found a poorly configured server, created HTML pages to echo the PayPal site, then collected users’ private information.
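One way to mechanize the address-bar check described above, as an added example that is not part of the column: a small Python check that compares the domain a message claims to come from with the host its link actually leads to. The sample messages are constructed (the first mirrors the column's PayPal case), and the last-two-labels domain rule is a stated simplification.

```python
"""Does the link in a message really lead to the sender's own domain?"""
from urllib.parse import urlsplit


def registrable_domain(host: str) -> str:
    """Approximate the owner-level domain as the last two labels.
    Simplification: a production check would consult the public suffix
    list so that e.g. 'bank.co.uk' is not reduced to 'co.uk'."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def link_host(link: str) -> str:
    """Host the browser would actually connect to for this link."""
    if "://" not in link:
        link = "http://" + link          # bare 'www.example.com/x' forms
    host = urlsplit(link).hostname       # drops userinfo, port and path
    return host or ""


def link_matches_sender(sender: str, link: str) -> bool:
    """True only when the link's host belongs to the claimed sender's domain."""
    sender_domain = sender.rsplit("@", 1)[-1].strip("<> ").lower()
    host = link_host(link)
    if not host:
        return False
    return registrable_domain(host) == registrable_domain(sender_domain)


# Constructed samples: (claimed sender, link found in the message body).
SAMPLES = [
    ("service@paypal.com", "http://www.edenbridals.com/wap/verify.htm"),  # the column's case
    ("service@paypal.com", "https://www.paypal.com/cgi-bin/webscr"),      # genuine host
    ("service@paypal.com", "http://paypal.com@203.0.113.5/verify.htm"),   # userinfo, IP host
    ("service@paypal.com", "http://www.paypal.com.example.net/login"),    # look-alike subdomain
    ("service@paypal.com", "www.paypal.com:8080/"),                       # port, no scheme
]


def review_samples():
    """Return (sender, link, matches) for every constructed sample."""
    return [(s, l, link_matches_sender(s, l)) for s, l in SAMPLES]


if __name__ == "__main__":
    for sender, link, ok in review_samples():
        print("OK      " if ok else "MISMATCH", sender, "->", link)
```

A mismatch does not prove fraud (companies do host pages with third parties), but it is exactly the cue that should send you to the telephone rather than the form.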

The e-mail from the Bank of S&L was legitimate. Here was a leading financial institution sending out tons of e-mails asking people to change their security parameters and expecting users to trust the e-mail’s authenticity. My guess is that the Bank of S&L’s customer service department needed to make an update, so they embarked on this plan. They probably had to check with corporate communications and the legal department to get the wording just right. But they clearly never talked to the bank’s information security department, which (hopefully) would have screeched, “No bloody way!” because they knew (hopefully) that the proposed e-mail was just like the ones sent out by phishermen in the previous few weeks.

How is the casual user who may receive hundreds of e-mails per week supposed to tell the difference between a criminal phishing expedition and an act of corporate stupidity? Not easily.

What we as corporate users release on the Internet is a reflection of how we do business, and of what we think of ourselves and our customers. It also shows one simple way companies and employees unintentionally leak information: asking the wrong question in a public forum while using a real company user name.

If you receive an e-mail purporting to be from some organization and suspect something is amiss, call the company on the telephone. Do not call the number in the suspect e-mail; find a real number on the back of a credit card or in a recent billing statement, or call information for a toll-free number, or visit the company’s Web site. Then, speak to a real human and verify what is being asked of you.

You don’t need to be a technical whiz to be safe. All you need is common sense, a healthy dose of skepticism and a willingness to invest a few minutes to protect you, your company and your family.

Winn Schwartau is the president of Interpact, Inc., a security awareness consulting firm, and the author of many books including “Information Warfare,” “CyberShock,” “Time Based Security” and “Internet and Computer Ethics for Kids.” His popular speeches entertain government and commercial audiences on three continents.