Your best first line of computer security defence: you

by  Alan Zisman (c) 2008 First published in Business in Vancouver  February 12-18, 2008; issue 955
High Tech Office



Even though it’s a new year, computer security concerns pop up like it’s 2007. Lately, I’ve received e-mail messages purporting to be from PayPal and TD Canada Trust.

The PayPal message claims “Unusual Activity Detected in Your Account” and requests that I click a link and enter information about myself in order to secure my account. It notes that ignoring this request may result in account limitations or closure.

The TD message claims to be “An Important Message” and assures me that my “accounts and assets are safe.” But in order to meet requirements of “the Financial Services Authority,” they ask all online customers to verify account information, “a smart and simple way to add an additional layer of protection … Click here to securely log on.” It claims to be signed by COO Jarrett Lilien.

Both messages look professional: no glaring spelling or grammar mistakes marking them as amateurish scams. Both are very professional scams – so-called phishing messages, trolling for user log-ins and passwords in order to empty your account. These messages continue to circulate because they work often enough to be profitable.

Both Internet Explorer 7 and Firefox browsers have optional phishing protection, but you have to turn it on. Either can be helpful, warning you if clicking on a link takes you to a web address known to steal user information. But like other computer security options, if you count on software to keep you safe you won’t be.

Always be suspicious of e-mails requesting that you click on a link to log in to a financial website. Banks and services like PayPal don’t e-mail users in these ways. If you’re not sure, phone or e-mail your financial service directly. But don’t use a phone number listed in a possibly suspicious e-mail message – some of these are fraudulent.

A simple step can often prove fraudulent intent. The link in the would-be PayPal message has blue text appearing to be a paypal.com address; the link in the other message just reads “click here.” But hover the mouse over either link, the link’s target appears at the bottom of the screen, at least if the status bar is enabled in the view menu. The would-be www.paypal.comlink actually goes to a U.K.-based page with an address starting “smilesmail,” not PayPal at all. The “click here” link points to a Japanese site named “ent-so” rather than TD. Fraud, apparently, is international.

Everything that comes in your e-mail box can lead you to giving log-in information to strangers. Other messages warning of security dangers also take advantage of credulous users. I got two e-mails forwarded labelled ‘IMPORTANT WARNING!!!’ (yes, all caps and lots of exclamation points) warning of a PowerPoint file entitled Life is Beautiful circulated as an e-mail attachment. Apparently Microsoft, Norton and AOL are warning users that it’s a virus invulnerable to antivirus software.

“PLEASE SEND A COPY OF THIS E-MAIL TO ALL YOUR FRIENDS.”

Again, pause before mass mailing everyone you know. Yes, viruses may arrive as e-mail attachments. But have you ever seen a Microsoft, Norton or AOL e-mail warning about computer viruses? No. That’s because there aren’t any. A quick Googling of some text from the warning, like “PowerPoint Life is Beautiful” brings up a series of links (including one from respected anti-virus company McAfee) suggesting it’s a hoax.

Following the instructions to forward the Life is Beautiful warning to all your friends isn’t actually harmful (unlike a similar hoax message that suggested users delete a Windows system file that it claimed was evidence of a virus infection), but it wastes everybody’s time and adds to a climate of hysteria.

Whenever an e-mail tells you to do something, pause before clicking. Take a deep breath, think about it for a moment, and ask yourself whether PayPal, the TD Trust, Microsoft or Norton is really the source of the message. If need be, a little research will show they aren’t. (Remember, Google is your friend.) Antivirus and anti-phishing software can help, but in the end, you’re your best defence. •