Facebook

Big Internet (Facebook, Google) gets serious about Email Scams.

And this time, they seem to be serious, joining together these powerhouses:

* Big Internet: Google, Facebook, Microsoft, Yahoo, AOL, LinkedIn etc.

* Big Money (aka financial service providers): Bank of America, Fidelity Investments and PayPal.

* Big Security: Agari, Cloudmark, eCert, Return Path and the Trusted Domain Project

The goal is to fight Email Scams, specifically Phishing Scams. Such scams try to trick people into giving away passwords and other personal information by sending emails that look as if they come from a legitimate bank, retailer or other business. When Bank of America customers see emails that appear to come from the bank, they might click on a link that takes them to a fake site mimicking the real Bank of America’s. There, they might enter personal details, which scam artists can capture and use for fraud.

To combat that, 15 major technology and financial companies have formed an organisation to design a system for authenticating emails from legitimate senders and weeding out fakes. The new system is called DMARC – short for Domain-based Message Authentication, Reporting and Conformance. In a nutshell, it is another way (in addition to the SPF and DKIM checking already available) to make sure that an email is really from the organization that it says it is.

Most Phishing emails pretend to come from a respected institution, and it is a simple matter to claim that the message came from the domain name of the trusted entity. This is the first step in establishing trust – if an email arrives that seems to come from ‘accounts@paypal.com’, one’s guard is just that little bit lower.

DMARC aims to prevent those emails from ever arriving by intelligent checking and has a feedback mechanism that alerts the real organization that the event has occurred.

It’s not going to stop email from addresses that use obfuscated (accounts@paypal.com.asjdgh.gyutut.com) or maliciously mis-spelled (accounts@paypai.com) or just completely fake email addresses (accounts@paypalbillingsupport.com)
…but it’s a start and Scamdex for one applauds it!
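
The sketch below is an added example, not code from the DMARC project or from Scamdex. It shows a simplified receiver-side DMARC decision and why the look-alike addresses above fall outside it: the check only compares the domain in the From address with the domains that passed SPF or DKIM. The DMARC record, the `bulkmailer.example` sender and the two-label organizational-domain shortcut are assumptions made for illustration.

```python
def parse_dmarc(record):
    """Parse a DMARC TXT record ('v=DMARC1; p=reject; ...') into a tag dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags

def org_domain(domain):
    # Assumption: organizational domain = last two labels. Real receivers
    # use the Public Suffix List (needed for e.g. example.co.uk).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(from_domain, auth_domain, strict):
    if strict:  # strict alignment: exact match; relaxed: same org domain
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

def evaluate(from_addr, spf, dkim, records):
    """spf/dkim: (result, domain) pairs from the receiver; records: org domain -> TXT."""
    from_domain = from_addr.rsplit("@", 1)[1].lower()
    record = records.get(org_domain(from_domain))
    if record is None:
        return "no-policy"  # DMARC says nothing about this domain
    tags = parse_dmarc(record)
    spf_ok = spf[0] == "pass" and aligned(from_domain, spf[1], tags.get("aspf") == "s")
    dkim_ok = dkim[0] == "pass" and aligned(from_domain, dkim[1], tags.get("adkim") == "s")
    if spf_ok or dkim_ok:
        return "pass"
    # Subdomains use the sp= tag when present, otherwise p=.
    if from_domain != org_domain(from_domain):
        return tags.get("sp", tags.get("p", "none"))
    return tags.get("p", "none")

# Constructed DMARC record for illustration; not the real published one.
RECORDS = {"paypal.com": "v=DMARC1; p=reject; rua=mailto:reports@example.com"}

if __name__ == "__main__":
    cases = [
        ("accounts@paypal.com", ("pass", "bulkmailer.example"), ("none", "")),
        ("accounts@paypal.com", ("fail", "paypal.com"), ("pass", "paypal.com")),
        ("accounts@paypai.com", ("pass", "paypai.com"), ("none", "")),
        ("accounts@paypal.com.asjdgh.gyutut.com", ("pass", "gyutut.com"), ("none", "")),
    ]
    for addr, spf, dkim in cases:
        print(addr, "->", evaluate(addr, spf, dkim, RECORDS))
```

Only the first case is rejected. The look-alike domains return "no-policy" because the protected organization's record does not apply to them, so they need separate look-alike detection.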

More information [than anyone probably needs to know] is available at the DMARC website

Facebook Phishing Attempts and How To Spot Them

Facebook users often use the email notification service to inform them of events on the site, whether it’s a new friend request, a reply to a comment or a photo tag. The notifications always have a handy button to get to the exact point in the site of interest. The problem is trying to work out whether to trust the links.

Facebook doesn’t exactly help its users to feel comfortable – it uses long complex strings in its URLs, odd domain names and a range of different email formats and senders. If it just sent a link to the item (eg. http://facebook.com?id=987112) then we could be sure we’re not going to suddenly become friends with a scammer or perform some other action.

Ed Bott over at ZDNet has compiled a set of real and fake Facebook notifications and invites you to try to see which is which. The fact that this is so difficult is a perfect illustration of the problem.
The simple answer is to never click on links purporting to come from Facebook unless they have some obviously personalized information that you recognize (and perhaps not even then). Scam/Spammers don’t often have the time or skills to hand-craft each email so they will be very generic.

Best practice to avoid phishing attempts is to NEVER click on any links received by email. Always type in the URL yourself or use a bookmark, then you won’t get any nasty shocks!

Read Ed Bott’s article in full Here

Another good tip is to keep your computer updated with the top cloud security software to make sure that your data does not get phished and that other attacks on your computer data do not occur. That is less likely to happen if you have a good security program installed.