This is a quick warning about phishing scams, which are just ironically low-tech ways of getting the victim to volunteer valuable personal information.
There are two technologies you use every day that are not even a little bit trustworthy: Email and Microsoft Windows. Here are some things you should know about email:
- Email does not guarantee confidentiality. Your messages may persist god-knows-where, with who-can-say having access to them.
- Email does not guarantee authorship. If I had more time I would write up an email-based phishing scam myself and attack you all with it to prove how easy it is. You would never know that I was the one who had sent the email.
- Email does not establish undeniability. Anyone who writes an email can just disavow it later unless it is digitally signed or verified some other way.
The big corporations that basically constitute "the Internet" for most of us—Amazon, Facebook, whatever—know this and don't trust email for anything important. The exception is that they let you reset your password merely by proving that you can log in to your own email account. This is a serious weakness in their system but they hold on to it for their own reasons. The point is, legitimate emails from your bank, or Amazon, or whatever, will at most only ever direct you to a secure web connection where you have to log in. It is your job to make sure, when you click the link and your browser opens up, that it really is amazon.com or whatever and that the connection is secure (usually a lock icon or something like that to the left of your address bar). Naturally, email phishers work up convincing-looking emails to their victims that include sign-on links to dummy websites: then you click the link, enter your login data, and now they have it.
Actually, here is my advice: don't click email links at all. Log in to the site on your own by typing it into your browser's address bar. Email is not trustworthy and that is why legitimate businesses basically don't communicate with you that way (except to tell you to go log in to their website).
Here are some things you should know about Microsoft Windows:
- MS Windows, whatever version they are up to, is the world's most popular target for malware for two simple reasons: it's running on over 90% of the world's home computers, and it's poorly engineered.
- The Microsoft web browser, Internet Explorer, is a particularly shitty piece of shit and there is no excuse whatsoever for running it at home or anywhere else. I understand that I will not convince most of you to stop using Windows but if you got hacked because you were using Internet Explorer you do not deserve sympathy. This used to be a bigger problem as Internet Explorer's market share was close to 50% but people seem to have figured it out and now it is down to 10%. Do not use this software. Firefox, Chrome, or Brave are all much better and all free.
- Do not trust anything that a Windows computer tells you that you don't already know is true.
- Your email software is probably garbage. If it's Microsoft Outlook, it's definitely garbage. Use Gmail on the web or use Sylpheed or Mozilla Thunderbird (you can google these) on your computer to work with your existing account. Have it display the non-HTML version of emails by default so you are less likely to click on something stupid.
Phishing scams exploit the facts above plus some simple psychology to convince you to furnish your personal information. The main vectors are email, pop-up windows, and ordinary phone calls—it is not at all difficult to convince the average person on the phone to give you his SSN!
Speaking of phone calls: never speak to anyone who has called you, or use a number you got from an untrustworthy source to call a company you deal with. For example, suppose "your bank" calls you and says that you are in jeopardy of some kind of fraud, and would you please confirm certain information. What you should do is hang up, then go to your bank's website or your last bank statement, and call them using the number they provide.
I called this kind of attack low-tech because it relies more than anything on predictable psychological reactions. If you see a message that is exciting, threatening, or concerning, do not trust it. If there are any exclamation points in it, don't trust it. One message I get all the time is from "FedEx" stating that I have a package waiting for me. Well, people love to get stuff sent to them, and that is why they fall for this scam. This was one I had meant to bring to everyone's attention because I figure some of you must have gotten it too. Here is an example:
Subject: Fed Ex Delivery Notification
Unfortunately we were not able to deliver postal package you sent on December the 14 in time because the recipient's address is not correct. Please print out the invoice copy attached and collect the package at our office.
This is pretty crude though; the good ones look a lot more plausible, like they might actually have come from FedEx.
Another way to protect yourself from threats is to back up your data. If you know your photos, emails, business documents, or whatever, are all safe, then when you get a pop-up threatening their annihilation you will not be fazed. There are plenty of ways to do this but you will have to research them yourself because I don't use Windows. Remember that any backup scheme you use must be automatic or else you will not remember to use it, and then you will not have a sense of trust about your data and you will still be vulnerable.
Anyway, welcome to the 21st century, where strangers from all around the world are trying to screw you over. Try not to let them! If you have questions about this message or about anything you've received in particular, email me.