I am personally perplexed by the dilemna related to phishing, and other, scams, and the propensity of people to fall for them. It seems no matter how many different ways we try to pound the message to never disclose sensitive data into users heads, it seems someone will always be fooled by a clever phishing scam, even though they all share the same method; unsolicited requests for sensitive information. Perhaps an answer to the problem, in these days of quick sound bytes and Twitter, can be found in an easily remembered 60s T-shirt/slogan: Question Authority. However in this case the slogan should be amended to say, Question Apparent Authority.
Question apparent authority. Those three simple words nicely sum up the following lengthy explanation. No legitimate system administrator, bank official, credit card company representative, etc., will ever blindly ask you for your password, social security number, or any other personal data, for any reason, via any method; email, phone call, whatever. Any unsolicited request for you to disclose sensitive personal data is fraudulent and perpetrated by a person up to no good.
No matter how convincing an email or request for information appears, never disclose your password, social security number, or other personal information, to anyone, for any reason, unless you personally initiated the communication process.
Think of a legitimate system administrator, such as an email account administrator, as an all-knowing entity. Legitimate system administrators have no need to know your password, their role provides them access to any part of the system and any account, including yours, without the need to know any particular user's password.
Legitimate Requests and Saftey Tips
The only time a legitimate request for sensitive data is made is during the course of a single specific transaction initiated by you. For example, such as filling out a web form on a legitimate banking or financial site, or making a phone call to the institution's published phone number.
When entering sensitive data into a web form, be sure you have verified that the site you are currently browsing is the site you think it is supposed to be.
Use the following checklist as a basic guide to site verification:
- Physically look at the browser location bar and ensure the second level domain shown is the domain it is supposed to be.
- www.bankofamerica.com - the second level domain is bold at the left
- Don't be fooled by an address like www.bankofamerica.banking.com
- Do you see what is wrong with the address above? Banking is the second level domain, not bankofamerica.
- Ensure that the data is being transferred over SSL. Look at the location bar again, it must begin with https
- https://www.bankofamerica.com/index.jsp is safe
- http://www.bankofamerica.com and https://www.bankofamerica.banking.com/index.jsp are not safe. Can you see why?
