Summer’s almost over, but phishing season has just begun
August 21, 2008 12:00 am Articles, Ask the Geek
Some people are relentless. They want access to your personal bank accounts, your credit cards, your e-mail addresses, your user names and passwords. It never stops. Just because you’ve got your computer locked down and bulletproof, don’t underestimate the subtle attacker who politely rings the doorbell and waits for you to open the door yourself.
This week, we’re going phishing.
“Phishing” is a form of “social engineering” attack, an attack that uses various tricks to influence people’s behavior rather than to break the technology. These attacks, usually delivered by e-mail, try to convince you that the message you’re reading is legitimate and came from the organization it claims to be from. The claimed source is usually a well-known company you might do business with, like eBay or PayPal.
Although many phishing e-mails are obviously written by morons with a tenuous grasp of the English language, poor grammar should never be your only litmus test. Phishers often use highly convincing e-mails with the same graphics and logos as the sites they are pretending to be. Often, even the links on the fake site lead to their true locations on the real site in order to be more convincing. For example, even on a fake PayPal page, clicking the “Contact Us” link will often take you to the contact page on the actual PayPal Web site. Side by side, some of the fake sites appear identical to the originals.
These fake sites accurately simulate the login procedures of the real sites. They’ll ask for your user name, password and Social Security number, and then pose the typical security questions, all designed to harvest your answers. What is your mother’s maiden name? The street you grew up on? The name of your first pet or best friend? You see these questions used as security barriers on many Web sites. How many other sites know that your first pet was named “Snookums”? How many of your other accounts could be compromised by the same answers to these same questions?
You can see how, if you were to provide this smattering of personal information to an attacker, your accounts would be compromised.
This isn’t the only potential for damage. Some phishing attacks send an e-mail that looks legitimate, but when you click the link, your browser is sent to a page that attempts to take advantage of known security holes in your Web browser, its plug-ins or your operating system.
In other words, the site tries to break into your computer. Worse, it might try to sell you something.
Many eBay phishing scams claim something is wrong with your account, such as a fraudulent purchase, change of password or negative feedback about an item you’ve never bought or sold. It may claim that there was a billing error of some sort and ask you to click the link in the e-mail to log into your eBay account for more information. Don’t do it! If you’re curious, just point your Web browser to eBay and log in normally.
Lately, many phishers have been taking advantage of our love of “breaking news.” The ones I’ve seen personally come in the form of an e-mail purporting to be from CNN, MSNBC, or even the ambiguously named “Top News Agency.” The links inside are often generic, like “Read all (41) breaking news.”
Here’s one of the big tricks: the text of a link and the place it actually goes are two separate things. A link that reads “www.paypal.com” can point anywhere its author chooses. If you investigate the link, even though it looks like it’s going to take you to the real Web site, it won’t. It will either take you to an inconspicuous misspelling of the real site (how about “www.paypa1.com,” with the digit one standing in for the letter L?), or somewhere else altogether. Depending on the way you’re reading your e-mail, you might be able to hover over the link and read the real target in the status bar, or right-click the link and “copy” the location to a text editor like Notepad for examination.
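The hover-and-compare check above can be automated. The script below is an added example, not code from the column, and it assumes a short list of institutions the reader actually deals with (`TRUSTED`) and a constructed sample e-mail body. It pulls every link out of an HTML message and flags the two tricks the column describes: a visible address that differs from the real target, and a target that imitates a known brand through a digit-for-letter swap (“paypa1”) or by burying the brand name inside someone else’s domain. It also flags links to a bare IP address, which no bank or auction site uses for its login page.

```python
"""Flag suspicious links in an HTML e-mail body.
Added example for this column; not the newspaper's or any vendor's code."""
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the institutions you actually do business with.
TRUSTED = ("cnn.com", "ebay.com", "msnbc.com", "paypal.com")

# Digit-for-letter swaps used in lookalike registrations ("paypa1.com").
CONFUSABLES = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s", "7": "t"})


class LinkExtractor(HTMLParser):
    """Collect (href, visible anchor text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lowercased hostname of a URL, or of a bare 'www.example.com' string."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def registrable(host):
    """Last two labels of the host. Approximation: no public-suffix list,
    so 'ebay.co.uk' would be reduced to 'co.uk' and mis-flagged."""
    return ".".join(host.rstrip(".").split(".")[-2:])


def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def lookalike_of(host):
    """Trusted brand this host imitates, or None if it is that brand or unrelated."""
    reg = registrable(host)
    if reg in TRUSTED:
        return None                                  # the real site
    squashed = host.replace("-", "").replace(".", "")
    for brand in TRUSTED:
        if reg.translate(CONFUSABLES) == brand:      # paypa1.com -> paypal.com
            return brand
        if brand.split(".")[0] in squashed:          # ebay.com.evil.net, paypal-verify.com
            return brand
    return None


def check_link(href, text):
    """Reasons a link is suspicious; an empty list means nothing obvious."""
    reasons = []
    target = host_of(href)
    if not target:
        return reasons
    if is_ip(target):
        reasons.append("target is a raw IP address")
    brand = lookalike_of(target)
    if brand:
        reasons.append(f"target {target} imitates {brand}")
    # If the visible text itself looks like a Web address, it must point where it says.
    m = re.search(r"(?:https?://)?(?:www\.)?([a-z0-9.-]+\.[a-z]{2,})", text.lower())
    if m and registrable(m.group(1)) != registrable(target):
        reasons.append(f"text says {m.group(1)} but target is {target}")
    return reasons


def scan_email(html):
    """Return [(href, text, reasons)] for every link in the message body."""
    extractor = LinkExtractor()
    extractor.feed(html)
    return [(href, text, check_link(href, text)) for href, text in extractor.links]


# Constructed sample message in the style of the eBay scams described above.
SAMPLE = """
<p>Dear eBay member, a fraudulent purchase was made on your account.</p>
<p><a href="http://www.ebay.com.account-verify.net/login">https://www.ebay.com/</a></p>
<p><a href="http://www.paypa1.com/cgi-bin/webscr">Log in to PayPal</a></p>
<p><a href="http://192.0.2.10/news/">Read all (41) breaking news</a></p>
<p><a href="https://www.ebay.com/help/contact">Contact Us</a></p>
"""

if __name__ == "__main__":
    for href, text, reasons in scan_email(SAMPLE):
        print(f"{'SUSPECT' if reasons else 'ok     '} {href!r:55} {'; '.join(reasons)}")
```

The last link in the sample is the genuine “Contact Us” page and comes back clean, which is the point the column makes: a fake message can mix real links with bad ones, so every link has to be checked on its own. The registrable-domain shortcut is a known weakness; a real tool would use the public-suffix list.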
Never respond to these e-mails. However, consider forwarding them to the real institution’s “abuse@” e-mail address, such as “abuse@ebay.com.” These institutions often work with law enforcement to have the fake sites disabled as soon as possible to prevent others from falling victim.
Above all, be vigilant!
Links:
- Practical tips from the federal government and the technology industry: http://onguardonline.gov
- National Cyber Security Alliance: http://www.staysafeonline.org/
Kevin McDonald: Writer and professional computer/network administrator. He lives in Amarillo with his wife and children, and owns and operates Definition Computers. E-mail Kevin at askthegeek@definitioncomputers.com with questions you’d like to see answered in this column.
(This article was originally published in the Amarillo Independent newspaper.)
