What to do if you've been phished

Today's Tech Life column offered five suggestions for avoiding phishing - or at least for avoiding getting hooked by the scammers who try to steal your personal data via bogus emails meant to con you into volunteering it. You can't really avoid the emails, but like a wise old sea creature, you can at least avoid biting.

The most important advice - as the tech savvy already know - is simply to not trust the links that come in any email, unless you are truly certain of its origins. The recent security breach at Epsilon Data Management has raised the likelihood that you'll be getting "spear-phished" - hit with phishing emails specifically targeted to customers of 50 or so particular banks or businesses whose data were compromised. (Click here for a list.)

As I assembled today's short list of tips, I spoke with phishing and Internet security experts, and also with David M. Nicol, the professor of computer and electrical engineering who heads the University of Illinois' highly respected Information Trust Institute.

Like me, Nicol marvels at the behavior of legitimate companies that contribute to the success of phishing by persistently sending out emails that are in some ways indistinguishable from it. It was a problem when I first wrote a column about phishing eight years ago, and it's a problem still today.

"Reputable companies are still doing that," Nicol told me. "They should know better."

One of Nicol's research interests is in improving the authentication process through which one computer validates the identity of another computer in the series of handshakes, handoffs and other communications that email entails. If the system were more robust, phishing wouldn't be such a big problem.

Nicol used to illustrate the authentication problem by demonstrating how he "could send someone an email that said it came from the President at WhiteHouse.gov."

He doesn't do that anymore, but perhaps that's just because it's lost its entertainment value. Except within the rarefied air of organizations or institutions that use authenticated messaging systems, he says, even the source of an email remains spoofable, to use the hackers' term of art that somehow makes the trickery sound more like a funny little trick than an element of fraud.

"There’s no checking," Nicol says. "This is the root problem with email - it has to do with the lack of validation."

One system of validation is known as IPsec - you can read more about it here. The basic problem with it, Nicol says, is the supporting infrastructure required to institute it, which he estimates could slow email down by as much as a factor of 100, or perhaps even more. Another problem is that all the computers involved - and a typical email transaction involves a half-dozen or more of them - would have to participate. “That’s why it’s not happening on a wide scale,” Nicol says.

Phishing isn't especially high on Nicol's list of concerns, largely because it's avoidable by an alert computer user. If you don't fall for the con - if you don't click on the link, or call the bogus phone number listed in the voice version of phishers' emails (yes, they call it "vishing") - then you're not at particular risk.

What's higher on his list of concerns? One set of consumer-level perils that Nicol and other experts worry about is botnets, the malware that can install itself on your computer via an infected file or even just by an errant visit to an infected website.

"Last year, the most common attack was through a series of vulnerabilities in Adobe Reader," Nicol says. "All that was required was to open a web page and read a file, or even open one on your computer. The Adobe file contained malicious script that would turn the computer into a zombie."

Zombie computers don't eat people, but they do act as if possessed - because that's what they are. The authors of botnets use "zombies" or "drones" to send out millions of spam emails that can't be traced - and probably couldn't be even if email systems were better authenticated, because they'd only be traceable to unwitting victims.

Nicol sometimes calls the zombies "grandmas' computers," because older people who don't keep all their software up to date are especially vulnerable. The key is to recognize that the bad guys are constantly finding new vulnerabilities to exploit. The Adobe flaw, now patched if your computer is up-to-date, is the perfect example.

And what kind of spam are the grandmas' computers sending out? One good guess is phishing - apparently because it succeeds often enough, and feeds financial crime and identity theft.

"The fact that we still get this kind of spam indicates that somebody is responding to it. It’s still working, and that is troubling," Nicol says.

What to do with a phishing email, before sending it to the trash? You can forward it to the Anti-Phishing Working Group, an industry organization, at this address: reportphishing@antiphishing.org.

You can also forward it, or other annoying unsolicited commercial email, to the Federal Trade Commission at this address: spam@uce.gov. 

Then hit "delete," and breathe a sigh of relief.