When an unsuspecting Chicago-area teacher recently got a surprise call from a merchant in New York about an online purchase he had never made, he discovered someone else was using his credit card number.
It turned out the teacher had earlier complied with an e-mail message directing him to click on a link to resubmit personal information to his credit card company if he wanted to keep his privileges. The only problem was the e-mail and the Web site were both fake. Each was devised by new Internet thieves who trick unsuspecting users into divulging sensitive data online.
Similarly, an administrator in New York reported that a colleague received e-mail to reenter data for her online PayPal account and was taken to a bogus site that even displayed the PayPal URL in the address bar. Not only can crooks forge the addresses of fraudulent sites that users are enticed to visit, they have also been able to copy the small padlock graphic that guarantees "secure" transactions. I receive such phony notices regularly, whether or not I have the accounts in question.
This fast-spreading scam that mimics e-mail and Web sites from legitimate companies is known as "spoofing," or as "phishing," since it fishes for personal information including usernames, passwords and social security numbers. (Phishing is a hacker term, and the "ph" comes from "phone.") An anti-phishing industry group estimates that up to 20 percent of recipients respond to the deceptive messages, which leads to financial loss, identity theft and other fraudulent activity. The FBI calls phishing the "hottest and most troubling new scam on the Internet," and your staff needs to be ready.
Phishing in Schools
As phishing continues to net unsuspecting adults who believe that apparently official requests for personal information are not out of order, children are less equipped to recognize the scams and may be enticed to give away names, addresses and telephone numbers. All school Internet users are therefore potential victims. For this reason, Jerry Taylor, technology integration teacher in New York's Greece School District, sent e-mail to colleagues about how to recognize and avoid being duped by "the realistic and authentic-looking fake Web sites."
Although phishing schemes can target users through many channels, they gained a major foothold because of a flaw in Internet Explorer, the browser used by 95 percent of the online world. According to Microsoft, "a malicious user could create a link to a deceptive (spoofed) Web site that displays the address, or URL, to a legitimate Web site in the status bar, address bar and title bar." Users would therefore believe they were accessing a genuine site, but were really going to one that is fake. Fortunately Microsoft released a critical update last February, and all Internet Explorer users should download the patch. To see if your browser is vulnerable, try the demonstration at the Broadband site listed below.
While technology solutions are important, the first line of defense is always the savvy consumer. Taylor and others recommend the following defensive measures for staff, students and parents:
Do not supply information requested by e-mail, without prior confirmation (children should never release personal information).
If there are legitimate account questions, contact the requesting organizations through other means.
Do not trust "clickable" hyperlinks in e-mail messages, and instead enter URLs manually.
Roll your mouse over included links to see if a suspect address form is displayed in the status line.
Be suspicious of hyperlinks on Web pages you have never visited before.
Experiment with alternate browsers such as Mozilla, Opera or Safari.
Anti-Phishing Working Group www.antiphishing.org
Federal Trade Commission www.ftc.gov
FTC ID Theft www.ftc.gov/idtheft
Microsoft Security www.microsoft.com/security
Odvard Egil Dyrli is senior editor and emeritus professor of education at the University of Connecticut.