Friendly e-mails and bogus buddies

12/13/2003

Bogus security notifications are one kind of spam that can hoodwink computer users who never in a million years would fall for any other e-mail scam.

The junk e-mail that floods inboxes every day includes a rich assortment of almost laughably obvious schemes and hoaxes.

Earn $5,000 a week working part-time at home. Get bad credit erased instantly. Reconnoiter a body part. Grab a free vacation in a tropical paradise. Get a “free gift.” Share a billion bucks that the treasurer of a foreign country plans to embezzle.

The gullible do fall for it - to the tune of hundreds of millions in losses each year.

Counterfeit security notification e-mails are more subtle.

These wolf-in-sheep's-clothing e-mails prey on security-conscious computer users. They're sent by the same warped folks that they are supposed to safeguard against. And they look like authentic messages.

Some are bogus e-mails that supposedly alert people to new viruses or security flaws in programs. Their message usually is: Open the attached file. It will disinfect your computer or install a patch to plug the security loophole. Click this link for a web page to download the fixes.

Instead, the file attachment or the bogus web page contains a virus or worm that messes up your computer.

Others carry the “customer support” return address from a company where you have an online account that includes credit card numbers or other financial information.

The message: Some crook from a foreign country has finagled access to your online account. Click on this link for a security page to protect yourself. The page looks authentic in every way. But it's really the crooks' page, and they're waiting to steal and use your financial information.

Malicious e-mails may use a variety of other ploys to get passwords, user IDs, credit card numbers, and other financial information.

Spoofers have become expert at faking security messages from Microsoft, which routinely issues legitimate security alerts to patch holes in its software. They recently used the hoax to infect computers with the Swen worm.

“A professional appearance and sincere, helpful tone tricked many users into infecting their own computers,” Microsoft observed.

Microsoft now has a web page (http://www.microsoft.com/security/antivirus/authenticate_mail.asp) with tips to help determine if a Microsoft security bulletin is authentic. Microsoft, for instance, never sends security patches as file attachments. If you get one, delete the message.

For a look at the amazing variety of hoaxes and frauds, or to check on the validity of an e-mail pitch, visit the hoax information (http://hoaxbusters.ciac.org/HoaxBustersHome.html) pages at the U.S. Department of Energy's Computer Incident Advisory Capability site.

In addition, check the U.S. Federal Trade Commission “Dirty Dozen” list (http://www.ftc.gov/bcp/conline/pubs/alerts/doznalrt.htm) of the most common e-mail scams.

Don't let an e-mail's professional appearance and sincere tone hoodwink you into infecting your own computer with a virus, or divulging financial information.

If an e-mail request seems odd, wait, think it over, and check before responding.