Don’t get fooled.
Today I got an e-mail message from American Express. It said, in part:
During our regualry scheduled accounts maintenance and verification procedures,
we have detected a slight error regarding your American Express Account.
This might be due to one of the following reasons:
1. A recent change in your personal information (i.e. address changing)
2. Submitting invalid information during the initial sign up process.
4. Multiple failed logins in your personal account.
3. An inabillity to accurately verify your selected option of payment due to an internal error within our system.
Please update and verify your information by clicking the following link:
Continue To American Express Online Update Form
*If you account information is not updated within 48 hours then your ability to access your account will be restricted.
Thank you,
American Express , Billing Department.
The type was tiny, which is probably why I didn’t notice the typos and spelling/grammar mistakes. Or perhaps I didn’t notice them because I’ve become so accustomed to skimming incoming mail rather than reading it.
The message looked official. It had the Amex logo and used their normal color schemes. But what really made it look genuine was the note near the bottom:
E-mail intended for your account.
If you are concerned about the authenticity of this message, please click here or call the phone number on the back of your credit card. If you would like to learn more about e-mail security or want to report a suspicious e-mail, click here
Note: If you are concerned about clicking links in this e-mail, the American Express mentioned above can be accessed by typing https://www.americanexpress.com directly into your browser.
The hint that this wasn’t as legitimate as it seemed came when I pointed to the link to supposedly update my account information. The URL that appeared in a yellow box in my e-mail client consisted of an IP address followed by /home.americanexpress.com/.
Of course, the e-mail message wasn’t real. When I typed http://www.americanexpress.com/ into my Web browser and logged into my account, there was no indication of any problem.
Phishing, Defined
Wikipedia, everyone’s favorite online encyclopedia, defines phishing as:
In the field of computer security, phishing is the criminally fraudulent process of attempting to acquire sensitive information such as usernames, passwords and credit card details, by masquerading as a trustworthy entity in an electronic communication. Communications purporting to be from popular social web sites (Youtube, Facebook, Myspace), auction sites (eBay), online banks (Wells Fargo, Bank of America, Chase), online payment processors (PayPal), or IT Administrators (Yahoo, ISPs, corporate) are commonly used to lure the unsuspecting. Phishing is typically carried out by e-mail or instant messaging, and it often directs users to enter details at a fake website whose URL and look and feel are almost identical to the legitimate one.
My spam protection software is very good at weeding out phishing attempt messages, so I rarely see them. This one almost fooled me. If I’d been suckered in like so many probably were today, I would have clicked the link and entered my American Express login information in the screen that appeared. That information would have been captured in the phishing net and used to access my American Express account online.
It Isn’t PayPal
One of the Web sites I maintain is for a friend of mine who makes and sells helicopter ground handling wheels: HelicopterWheels.com. He’s an older guy who’s only been using computers for a few years. When I set up the original site, he asked me to set up online ordering. I’ll be the first to admit that I know little about setting up ecommerce solutions. So I set him up with the easiest and most secure method of accepting payments that I knew: PayPal.
Now PayPal has a bad reputation with some folks and I’m really not interested in hearing reader complaints about it. I use PayPal for my online ordering needs and although it isn’t a perfect solution, it does work and it seems safe enough to me.
Unfortunately, my friend received an e-mail message telling him that he had to verify some PayPal settings. The message was a phishing scam and my friend fell for it. He got hit for a bunch of money — which I’m not sure if he recovered. He immediately blamed PayPal and had me take the Buy Now buttons off his site.
I felt bad for him. After all, I’d recommended PayPal. But I’m also not the kind of person who gets sucked in by phishing schemes. I assumed he wasn’t either. I was wrong.
Don’t Get Caught
So here’s the only rule you need to prevent yourself from becoming the victim of a phishing scam:
Never click a link in any e-mail message.
If you get a message from your bank or credit card company or PayPal or any other service that requires you to enter a user ID and password to access it, do not click any link in that message. Instead, go directly to the site by typing the URL into your browser’s Address bar or using a Bookmark/Favorite that you’ve already set up. If there is a legitimate problem with your account that requires your attention, you’ll find out after logging in the safe way.
Of course, there are plenty of clues that can help you identify phishing attempts:
- Messages not addressed to your name. For example, Dear Cardholder instead of Dear Maria Langer.
- Typographical, spelling, and grammar errors in the e-mail message. Do you think American Express would spell regularly wrong?
- Messages sent to an e-mail address that you did not register with the organization supposedly sending the e-mail message to you. For example, the message I got today was sent to my Flying M Air e-mail account, which is not on file with American Express.
- URLs that point to IP addresses rather than recognizable domain names. For example, http://35.32.185.43/account rather than http://www.americanexpress.com/account.
But you don’t have to worry about any of this. Just follow the golden rule listed above. Here it is again, in case you’ve forgotten: Never click a link in any e-mail message.
If you follow this rule, you should stay safe from phishing schemes.
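For anyone who filters mail for other people, the last clue in the list above can be checked automatically. This is an added example, not part of the original post: it flags links whose host is a raw IP address and links that show a trusted name anywhere except the real host, as the fake American Express link did. The trusted-domain list and the sample links are assumptions made up for the illustration, and the lookalike host name check goes one step beyond the clues in the post.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumption: the sites the reader really has accounts with.
TRUSTED_DOMAINS = ("americanexpress.com", "paypal.com")


def host_is_ip(host):
    """True when the host part of a link is an IP address, not a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def is_trusted_host(host):
    """True only for a trusted domain itself or one of its subdomains."""
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def link_warnings(url):
    """Return the reasons a link from an e-mail message looks like phishing."""
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")
    warnings = []
    if host_is_ip(host):
        warnings.append("host is a raw IP address")
    if not is_trusted_host(host):
        rest = (parts.path + "?" + parts.query).lower()
        for domain in TRUSTED_DOMAINS:
            if domain in host:
                warnings.append(f"{domain} is buried inside another host name")
            if domain in rest:
                warnings.append(f"{domain} appears after the host, not in it")
    return warnings


# Constructed sample links; 35.32.185.43 is the example address used in the post.
SAMPLES = [
    "https://www.americanexpress.com/account",
    "http://35.32.185.43/account",
    "http://35.32.185.43/home.americanexpress.com/",
    "http://americanexpress.com.example.net/update",
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(link, "->", link_warnings(link) or "no warnings")
```

A link that passes these checks is not proven safe; the checks only catch the patterns described in this post.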
Got a story to share? Use the Comments link or form below to speak your piece.
Posted on July 12th, 2008 at 2:30 pm by Maria Langer · 1 Comment
Filed in:
Social Networking
Tagged: spam
Fighting a new kind of spammer.
I’m an avid Twitter user with 5,000+ tweets to my name since I joined up over a year ago. I tweet from my computer, usually using Twitterrific, and from my Treo smartphone, usually using text messaging. I don’t follow tweets via text message, but while I’m out and about, I occasionally will use the Treo’s Web browser to see if I’m missing anything interesting among the people I follow in the Twitterverse.
If you know Twitter, you know that you can select whether you should be notified by e-mail when you get a new follower. I have this option turned on. Each time someone follows me, I get an e-mail message with a link to his/her page. In the past, this has enabled me to identify new, interesting people to follow.
Twitter, like all online services, has abusers. In the old days, this was limited to people who tweeted more promotional material and links than real “What are you doing?” content. These people used bots to follow everyone they could. And there were just enough idiots out there to follow them, making them look somewhat legit.
For new followers, I’ve always applied the 10% rule. I wrote about this rule in my post, “Twitter Sluts.” This rule states that if the Twitter member is following more than 10 times the number of people who follow him, he’s following indiscriminately and is probably abusing the system. In reality, he’s not “following” anyone at all. He’s just trying to get suckers to follow him.
Now there’s a new breed of spammers. They set up a Twitter account and post a single tweet with something like “This make money fast plan really works: http://www.somebogusplan.com/.” Then they use bots to follow every person who tweets.
People like me, who want to find new, interesting people to follow, get the notification in e-mail and click the link to check out the user’s Twitter page. What I see is the promotional link and stats that include thousands of people being followed and only a few idiots following in return.
Obvious spammer.
This wouldn’t be so bothersome if it were just one or two of these abusers a week. But I’m getting 2 to 5 of them a day. Following up on these people is becoming annoying.
While I could turn off notifications, I’d also miss out on the real Twitter users who are legitimately following me, people who I might want to follow. So that’s not an option.
Now the folks at Twitter have a technique in place to report spammers. It requires me to go to a feedback page, fill in a form with a number of fields that don’t apply, and put in the spammer’s account name. The entire process takes about 3 minutes to complete — when my currently funky Internet connection cooperates. With 5 spammers a day, that’s 15 minutes of my day pissed away on reporting spammers.
I don’t know about you, but my time is more valuable than that.
While I could simply ignore them, I’ve taken to using the Block button at the bottom of the user’s Twitter page to block them. This feature is designed to prevent the person from bothering me again or from seeing my tweets. But I think that if enough people do this and if the folks at Twitter occasionally glance at who’s being blocked by more than 5 or 10 people, it could be a quick and effective way to identify spammers. Just two clicks — Block, then a confirmation that I want to block — and the job’s done.
Of course, if the folks at Twitter installed a “This is a Spammer” link on the user’s page, it would make it clear what we’re all trying to say. I’ve put that in as a suggestion, but am still waiting.
The folks at Twitter have enough on their hands right now, just trying to keep Twitter up and running smoothly 24/7. I hope that when they’re done with that daunting task, they’ll tackle this one.
But they should keep in mind that once they put controls in place to prevent spamming, they’ll have a lot less activity on the site to worry about.
And you thought mine was strict.
Reader comments are often what can make a blog far more interesting than it would be without comments. In fact, the commenting feature of blog software can create a community at a blog when regular readers and commenters add their two cents to blog posts.
Unfortunately, not everyone has something of value to add to a conversation. And that doesn’t stop them from adding it.
Comments Here
I review every single comment posted to this blog, so I know the full range of comment quality. Tossing aside the hundreds of daily automated spam comments caught by my spam protection software and the obvious attempts of human readers to redirect my blog’s readers to their sites, the “real” comments can be informative, helpful, interesting, funny, or thoughtful. But they can also be sarcastic, nasty, rude, or offensive.
I state my comment policy in various places throughout this site, including here. Although I occasionally do have to delete a comment that’s overly offensive or one that’s sure to generate a nasty argument, in general, this site has a great group of regular readers and commenters that don’t need to be watched over as if they’re poorly behaved children.
As an example of how much commenting can contribute to a blog, check out one of my posts, “The Helicopter Job Market,” which has accumulated almost 50 comments in just over a year. Many of these comments offer helpful insight to helicopter pilots and wannabes. They’ve created a conversation that just keeps growing — indeed, five comments have been added to that post in just the past week.
Anyway, I welcome comments and won’t prevent one from appearing unless it’s either offensive or totally self-promotional. Get a conversation going. I really enjoy it. And reader comments are often what trigger me to write new blog posts.
A Comment Policy From Down Under
Today, while in search of both images from the Iran missile photo controversy, I stumbled upon an article on the Herald Sun Web site. It showed both photos and provided some commentary about the situation. It mentioned that Iran was firing more test missiles today. The thought that if they kept firing missiles for tests they might run out came to my mind. Since the article had a comment field, I decided to voice that unlikely but amusing thought, mostly to lighten things up.
I posted the comment and submitted it. On the confirmation page, the following comment policy appeared:
Please note that we are not able to publish all the comments that we receive, and that we may edit some comments to ensure their suitability for publishing.
Feedback will be rejected if it does not add to a debate, or is a purely personal attack, or is offensive, repetitious, illegal or meaningless, or contains clear errors of fact.
Although we try to run feedback just as it is received, we reserve the right to edit or delete any and all material.
What I like about this comment policy is how clear it is. It’s warning commenters, almost up front, that what they submit may not appear at all or as it was submitted. I like the second sentence/paragraph. (Oddly enough, the commenter before me said “I Still dont Belive USA went to the Moon” and I’m wondering how that got through the moderation process, being that it’s pretty much meaningless, contains clear errors of fact, and does not add to the debate, but I guess that’s just my opinion.) I find the third sentence/paragraph bothersome, mostly because I don’t believe in editing someone’s comment. If it needs editing, it probably shouldn’t appear at all.
Up for Commenting
Anyway, I’m just tossing this out there, mostly to see what visitors here think about it.
Commenting is one of the good and bad things about blogging. On this site, I really enjoy most of the non-spam comments we receive. As long as you keep commenting, I’ll keep writing.