Russ Harvey Consulting - Computer and Internet Services

Phishing & Identity Protection

Phishing | Anti-Phishing Tools | Identity Theft

Any call from “Canada Revenue Agency” telling you that you're under investigation is a SCAM. Over $600 million reportedly has been collected in the U.S. using a similar IRS fraud.

Never give any personal information, such as a Social Security number, to a caller unless you're positive he or she is a legitimate representative of a company with which you regularly do business. If there's any question, ask for the caller's full name, title and department and tell him or her you'll call back. Use the business's phone number as posted on its website or on any mailed statement or correspondence you've received from the company. — ZoneAlarm Security Blog

Note: Telephone Call Display can be faked. The number showing is no guarantee that the caller is who they say they are.

Beware of "Computer Support" Calls

If you receive a phone call from a “technical support” person saying that you have a problem with your computer, just hang up. All such calls are SCAMS.

  • Never provide or confirm any personal or computer information (including passwords, software, credit card numbers, etc.).
  • Never visit websites or install software suggested by the caller.
  • Never provide remote access to your computer.
  • Never follow instructions to navigate to folders or type any instructions via your keyboard.

Unless you initiate the call (and have obtained the number from a legitimate source), you have no idea who you're dealing with (call display can be faked). How to protect yourself from scammers (CRTC).

The caller will attempt to “prove” they are legitimate by getting you to visit their website. Don't! They aren't located in your country regardless of what the site says. Most are located in India or similar countries where consumer protection and fraud law cannot stop the operation of these scam artists.

One trick is to open a location on your computer showing “errors”. These errors are NORMAL, but the caller wants you to panic and follow their advice.

Microsoft estimated the cost of cleaning up after a successful scam at $850.00. More on these sites:

Don't be the next victim! Just hang up.

Other Phone Scams

Computer scams aren't the only risk. From “free” vacations to threats of pending arrest warrants to fake charities scams are perpetrated on innocent victims every day.

Don't be the next victim! Just hang up.

The purpose of the call is to steal from you — your money, your identity, your trust. How to protect your identity.

If You're a Victim

If you've fallen for one of these scams, don't be embarrassed. If you were the only victim, the crooks would be out of business. However, you do need to take some immediate measures to limit the damage, starting with reporting the crime.

Check That Number!

There are resources that let you check out a phone number. These services depend upon reports from people like you that may have fallen victim to the scam or are simply concerned that it may be a scam.

  • 800notes is a free reverse phone number lookup database built by its users.
  • CallerSmart is a free service (or app) that allows you to find out who called or texted you.


How Phishing Works | How to Tell Fake Links

Unfamiliar messages. Passwords that no longer work. These are just two of the many clues that cybercriminals have gotten a hold of your password and broken into your [email] account. — ZoneAlarm Security Blog

Obtaining Information by Deceit

Phishing is a form of spam intended to obtain financial and personal information by deceit.

It takes advantage of vulnerabilities in some browsers and email programs but depends even more upon people's ignorance.

The intent is to steal your on-line identity — a crime commonly referred to as identity theft see the sidebar

The information gained will be used to by gaining access to your accounts or to establish new ones. Crimes will be committed in your name and your reputation may be destroyed.

There are huge personal and financial costs if you allow yourself to become a victim — $37 billion in 2010, (down from $56 billion the year before).

One thing that allows phishing and other identity theft practices to succeed is that most of the victims are using technology they don't understand.

  • They use passwords that are easily guessed and often repeated everywhere.
  • They use obsolete and vulnerable software rather than learning to use newer software with built-in safeguards.
  • They are unwilling to learn about the risks or change their habits to reduce those risks.

Your ignorance is your downfall.

Spear Phishing

“Spear” phishing is harder to detect. It uses information about you obtained online but which makes the user appear to be someone you can trust. It may appear to come from a friend, but it is a scammer looking to steal from you.

The spear phisher thrives on familiarity. He knows your name, your email address, and at least a little about you. The salutation on the email message is likely to be personalized: "Hi Bob" instead of "Dear Sir." The email may make reference to a "mutual friend." Or to a recent online purchase you've made. Because the email seems to come from someone you know, you may be less vigilant and give them the information they ask for. And when it's a company you know asking for urgent action, you may be tempted to act before thinking.

Looks Can Be Deceiving

Phishing involves convincing you that you're seeing information from a legitimate source when you're not.

Phishing emails are designed to look like legitimate messages from actual banks, businesses, and other organizations. In reality, though, criminals created the message, usually in an effort to steal your money, identity, or both. They want you to click links that will take you to a website that looks authentic but is really just there to capture your credit card or other personal information or perhaps to distribute malware. — ZoneAlarm Security Blog

See ZoneAlarm's blog to learn more:

Identity Theft is a Long-Term Problem

If you are the victim of identity theft, you can expect to fight to regain your credit rating for years — over and over again.

Victims report that it takes months or years to regain their credit rating, only to find that a new report forces them to start all over again.

While electronic data can quickly get you into trouble, financial institutions want physical (on paper) evidence that you're not responsible.

Return to top

How Phishing Works

Going on a Phishing Expedition

Becoming a victim is easier than you might think. Let's have a look at the process from the perpetrator's point of view.

Remember, YOU are the intended victim of this trap.

Step One: Create a Fake Website

If a site invites you to use your email and password to log into Yahoo!, Gmail, Windows Live, AOL or other email account, DON'T!

The first step is to set up a look-alike site that closely resembles a site that your victims are already using or could be using. The company's logo and other trademarked images are used to convey authenticity. (See the section on abusing transfer of trust.)

Proprietary Images Can be Hijacked

The image on the right was captured from a fake site but I've seen a similar layout enbeddd into an email (one of the reasons you DON'T want to allow your email program to automatically load images).

I Could Exploit Anybody

The message could exploit a bank (most have been targeted), Google Docs, e-Bay, PayPal or any site where you conduct business using a credit card or enter with a user name and password.

Step Two: Send Out an Email

Next, send an email message to thousands of potential victims (like you) indicating that there is a problem with their account, or that their account will be closed unless they go to the website and re-enter personal information, including their user name and password (or bank PIN).

This message is NOT from who you think:

Look at this sample phishing email sent to customers

Legitimate businesses will never ask for account or personal information; definitely not via email.

Not From Who You Think

This example* is a real message sent to customers. See part of the headers* from this same message (the blurring is intentional).

*These links open in a new tab or window in your browser so you can compare them with the text above.

The message obviously didn't come from Note the following problems:

  • The “sender's” address ( isn't from
  • Companies seldom use a free email service like Yahoo!. They use emails based upon a domain they own (e.g.
  • The headers show routing inconsistent with a message from Islandnet.

Scammers Getting Smarter

But you can't count on knowing based upon the email sender's address. Scammers often know how to forge headers to make it appear to come from a legitimate company.

Recently spam from the same scammer seems to come from a different email address every time (probably using addresses stolen because of lax password security).

Deceit Getting Cheaper

According to Symantec's 2015 Website Security Threat Report Part I, it costs as little as $0.50 to $10 per 1000 stolen email addresses on the black market.

The Anatomy of an Email Scam

The Anatomy of an Email Scam

Don't get hooked.

Click on the image to the right to see The Anatomy of an Email Scam (posted on the ZoneAlarm Blog) to learn how to recognize an email scam.

HTML Email Hides Details

One of the dangers of "enhanced" or HTML email is that stuff can be hidden. How to look for it.

Firefox security features help you avoid problems with invalid or insecure sites.

Step Three: Collect the Information

The victim (you) clicks on the link and finds themselves on what they believe to be the correct site (remember, the perpetrator has created the site to look like the original), so they enter their user name or email address and password.

Of course, this information is not going where you think it is — you're sending it directly to thieves.

Step Four: Assume Your Identity

Taking your electronic identity (which you've just provided to them on the phishing site), the thieves go to the real site (such as your bank) and log into your account.

The information obtained in this manner is then used to either obtain funds from your account or to set up credit in your name.

Another Sort of Phishing Email

The example above is designed to lure you into providing account information and/or to visit a bogus website where you'll enter that information.

Scam with a Different Purpose

A message can also be designed to get you to send money via Western Union or some other method.

The following is the text of a message I received from a friend (with some identity information removed — indicated by the square brackets):

URGENT HELP NEEDED.......[my friend's first and last name]

I'm so sorry to bother you,but i really need your help at the moment,  I came down here to Manila Philippines for a short vacation,unfortunately i got mugged at the park of the hotel i'm staying ,everything i had on me was stolen including,cash,credit cards and cell phone....I need help to settle the bills and flying back home, I'll surely pay back as soon as I get back home.The amount needed now is just $2,500 .. I'll surely pay back as soon as i get back home. I'm so confused right now and also want to let you know I was beaten up while trying to protect myself and had some scratches on me but his doing well now,You can have the money wire  to my name and the address below via western union;

Receiver's Name: [my friend's first and last name]
Location: Manila, Philippines

Get back to me with the details, would definitely refund it back to you once i arrive Hopefully.

Am freaked out at the moment..... I need your Help

The sender hoped I'd reply with financial details so they could collect the funds themselves.

How I Knew It Was a Scam

The message appeared to come from this person's current email address, but there are several evident clues that this wasn't legitimate:

  • The use of ALL CAPS in the subject line usually indicates a scam.
  • The inconsistent or incorrect use of capitalization and punctuation indicates that English is not the sender's native language or they have poor grammar skills (the person they were impersonating is a professional writer and editor).
  • The message was sent from the IP address (found in the headers) which is in Ebene, Africa. (Remember, this person is supposed to be broke and in the Philippines.)
  • The person was supposedly “beaten up” (yet only has “some scratches”).
  • The person had no cash, credit cards or cell phone but was able to send an email to me.
  • The message was sent to an email address that the sender would be unlikely to use when corresponding to me in such a circumstance.

The victim could have resolved her issues with a call to the credit card company. Not only would the hotel would have obtained a copy of a guest's credit card when the reservation was made (and verified when the person checked in) but credit card companies provide the necessary help in such circumstances.

Address Owner Reports Bogus Message & Tightens Password

The real owner of the address did the smart thing and sent out a message to her contacts indicating that the original message was bogus and changed their account's password to something more secure.

Fake Emails Getting Better

Scammers are improving their techniques and their language skills. Grammar is improving and spear phishing techniques are resulting in more realistic looking email scams.

However, they'll still try to get you to respond quickly and without thinking too hard. Beware of these signals:

  • The sender indicates they are out of contact but in dire need (like the example above).
  • Any attempt to get your user name and password, especially when the form is either attached or embedded in the email message.
  • Altered or unusual links in the body of the message or its attachments.
  • The presence of official looking logos attached to the message (most companies now use images hosted on a server).

Return to top

How to Tell Fake Links

One of the methods commonly used to scam people are fake links in email messages.

Fake links drive unsuspecting traffic to sites that either

  • pretend to be a legitimate site like a bank (in order to steal account information); or
  • infect their computers with a virus (turning their computer into part of a botnet that attacks legitimate sites or attempts to infect other computers).

Decent antivirus software and detection provided by web browsers like Firefox can help prevent such attacks, but it is best not to click on these links in the first place.

You'd never click on a link that said, “scamming site” or “get your computer infected here.” That's why fake links exist.

Links Have Two Components

Hyperlinks on a website (and in an email) have at least two components:

  1. the hidden encoded address (the hyperlink where you are being sent); and
  2. the linked text (what you see highlighted in the link).

Only the hyperlink itself (the hidden part) determines where the link sends you.

Just as placing a Mercedes license holder onto your Ford doesn't turn it into a Mercedes, a misleading description doesn't change the link's destination.

Using the Status Bar

Remember I told you that the status bar was a valuable tool? If you hover over the link in a website or email message and look at the status bar at the bottom of the message, you'll see where the hyperlink is actually sending you.

Take a look at the following link and then see where it leads you (a new window opens):

If you hover over the link and look in the status bar (some browsers show the hyperlink address in a small box above or below the link itself) you can tell without visiting the link's destination (strongly recommended when dealing with unknown sites and emails).

Just because the linked text says it is pointing towards doesn't mean that is the real destination.

Learning More of the Mechanics

If you are interested in the mechanics of this process, have a look at Cut 'N Paste HTML Editing. It explains simple HTML and demonstrates how a simple HTML link works.

Shortened Addresses

It is common for phishing emails to use shortened URLs (web addresses) created by services like TinyURL, bitly and SnipURL hide the destination address, but you can check these links before visiting the site. Paste the address into your browser's address bar with the changes noted below, then hit enter:

You're taken to TinyURL, bitly or SnipURL (respectively) with information showing about the true (full) destination for the shortened link. In these examples, all shortened links point back to this page.

How Can a Fake Site Exist?

First of all, people that set these fake sites up and send out the phishing emails wish to remain anonymous. They are breaking the law and don't want you (or the police) to be able to find them after they steal your identity.

Short-Term Links

The provided links are only up for a short time before they are removed by the financial institutions affected or by the legal authorities.

Forged links often point to a site in an educational institution where passwords and access are easy to come by. By their very nature, universities house a lot of smart and curious people. Smart as they are, too many don't view the issue of security as their problem. Because of a few people's lax attitudes, many will suffer significant financial setbacks.

Delete Attached Forms

More recent phishing attempts have provided an attachment to their messages which, when opened, replace the fake site with a form which accomplishes the same nefarious purpose — to get your information using deception. Don't be fooled.

Configuring Your Software to Protect You

Whatever choices you make with your software, you'll want to take advantage of some advanced (and often hidden) features:

  • Enable the status bar on your browser and other software so that you can see hints when your mouse hovers over a link or other hot spots.
  • Use stronger passwords. There are complex online password generators as well as software to help remember more complex passwords.
  • Learn how to view the headers in an email message, and the signs of a risky message.
  • Ensure your antivirus, firewall and other security software (usually combined into one product) is current and updated.
  • Windows users should ensure that all critical Windows Updates are installed, including the latest service pack.
  • Ensure your browser and email software are current and updated.

Advanced features are often hidden to provide for a cleaner, simpler look. Remember, software vendors don't have to pay to clean up problems that could have been prevented were these features enabled in a standard (default) installation.

If you need help determining how to configure your software and security protection, contact someone knowledgeable. Be careful when selecting your “expert” helper (especially if they call you). Remember, you're putting your trust in this person. I provide these services in Greater Victoria.

Get Help From Your ISP

Use whatever tools your ISP makes available to identify potential spam, phishing and other problematic email messages. Check your ISP's help or support website or call their help line.

I strongly recommend hosting with They specialize in website hosting and can provide personal support when you need it. Their friendly, knowledgeable staff can deal with most email programs and services. Unlike some major ISPs, you're dealing with a real person that is knowledgable, not someone overseas with a script in front of them.

This site hosted by
Check out
Islandhosting is owned/operated by Islandnet

Return to top

Transfer of Trust

The successful phishing scheme depends upon your trust for your financial institution (or other authority) being carried into the fraudulent email and the website link it contains.

You trust the link because it appears to be someone you trust.

The Internet Can Be Exploited

The original Internet was used only by scientists exchanging data. There was no need for high security.

But this has changed. The Web is used for e-commerce, personal transactions and more.

Browsers and enhanced (HTML) email messages can be exploited, particularly if you don't understand the language (HTML markup) or how to protect yourself.

Preventing Successful Phishing

There are a number of things that you can use to avoid being the victim of this type of attack:

  • Be wary of any threats to close your account or emailed requests to re-submit billing and other personal information. Such requests for account information or passwords are never legitimate.
  • Be wary when using public computers. Your passwords, accounts and personal information can be retained by the browser's cache for later retrieval by anyone with access to that computer.
  • Keyloggers can capture private information on any computer.
  • Do not use open or untrusted secured wireless networks. Someone can be "listening in" on the transaction and obtain your user ID and password.
  • Do not trust information emailed to you including any links to sites.
  • Do not trust information on an unknown website.

Always use trusted sources to obtain the telephone number or website address to contact your financial institution or any site requiring personal information or a password. Google is not necessarily that trusted source, especially if you click on the sponsored links.

Report Identity Theft

If you have been a victim of identity theft (or suspect you have), contact the police to report identity theft.

Return to top

Use a Safer Browser

Your Choice Matters

Your choice of web browser can make a difference in your ability to protect yourself online. Whichever browser you choose, the most recent will usually have improved security features and/or have known security issues patched.

Internet Explorer is not recommended for routine surfing and browsing sites on the Web. While IE may be convenient, it is so tightly integrated into Windows that any security issue in any Microsoft product puts your computer at risk.

Google Chrome has huge privacy risks, especially if you sign into your Google account when surfing (even if it is only for checking your Gmail). Google makes their money by exploiting information you provide. Google NEVER forgets.

Firefox Recommended

Firefox's warning page for a reported attack site

Firefox is a much safer browser to use.

As an independent stand-alone product it is less vulnerable to cross-program security issues. It still retains the ability to perform the intended functions and call to outside features like email programs.

Have a look at some of the built-in security features of Firefox:

Return to top

Anti-Phishing Tools & Information

These tools and information sites will help you to learn more about phishing and provide you with tools to verify suspect websites and files.

I urge caution when using these tools. Be sure you understand the terminology and understand the risks.

Checking Out Suspicious Websites

Check to see if a site has been flagged for phishing:

  • PhishTank is a collaborative clearing house for data and information about phishing on the Internet.
  • is a service for detecting and analyzing web-based malware.
  • CSI: ACE Insight allows you to check for malicious sites.

Check the site's information and/or disclaimer pages so you understand the capabilities and shortcomings of the service. The following is from urlQuery's About page but can be applied to most such services:

Currently no service or security solution provides 100% detection of malicious content. The data provided is to help give a second opinion and should not be taken as fact. As with other sandbox technologies it can be detected which can skew or make the results inaccurate. Other issues might include browser incompatibilities or settings/configurations within the browser.

Checking Out Suspicious Files

Be cautious when checking out suspect files. In most cases you're safer simply deleting the email along with the unopened suspect file unless you were expecting it from a trusted source.

If your antivirus program detects a problem with an attachment, you'd best delete it rather than having the antivirus program treat it even if it is an essential file sent from a trusted computer.

You're best to discard it rather than risk infecting your own computer by opening the attachment. Instead, print out a copy of the file on the original computer while disconnected from the Internet. The original computer needs to have a full security scan with a current and updated software.

More About Phishing

The following sites deal with phishing.

Recommended Reading

419, fiction by Will Ferguson, looks at the issue of phishing from both the victim's and perpetrators views. Strongly recommended.

“419” by Will Ferguson
419 takes readers behind the scene of the world's most insidious internet scam. When Laura's father gets caught up in one such swindle and pays with his life, she is forced to leave the comfort of North America to make a journey deep into the dangerous back streets and alleyways of the Lagos underworld to confront her father's killer. What she finds there will change her life forever… — GoodReads

Return to top
Updated: January 22, 2016

Protecting yourself from identity theft requires being aware of the danger signs.

Identity Theft

Reporting It | Protecting Identity

Identity theft, in a nutshell, is the obtaining of information about you that will enable someone else to impersonate "you" — allowing them to steal in your name.

Identity theft is, unfortunately, a rapidly growing crime.

If you become a victim, it will probably take you hundreds of hours and an average of $1,000 to recover from ID theft. Even worse, some innocent victims have ended up in prison because identity thieves have committed crimes in their names. —

It Used to Be Harder

Obtaining personal information is much easier than it used to be.

At one time you had to go to your bank, speak to a real person who would then compare your signature with a physical sample stored at the bank to ensure that you were who you said you were before releasing funds or a providing new credit card.

ID Easily Accessed

These days credit card applications appear unsolicited in your mailbox and are easily available online.

Verification depends upon electronic data rather than hard copies (original documents in the teller's hand).

Convenience of inter-branch banking and online transactions has led to poorer security.

Passwords: Your eSignature

Many people using electronic verification technology don't really understand it and view it as something that is imposed upon them rather than something for their own protection.

User Names Public

In many cases your user name is your email address. Your email account often uses your “account name” before the @ symbol (e.g.

That makes the user name either public or easy to guess, leaving only the password to protect your account access.

Weak Passwords = Blank Cheques

Unfortunately, many folks don't take their passwords seriously.

They worry that they'll forget a password, so they make it simple and use the same password (or a slight variation) for every account.

You'd never leave a series of signed blank cheques unsecured. Your passwords are just as important.

Ignorance is Your Undoing

Folks don't really understand the risks. Many continued to use Outlook Express long after it was obsolete (and dangerous to use), just like Windows XP, the operating system it came bundled with.

These programs are the electronic equivalent of a skeleton key — both easy to use and ineffective in providing protection.

Just as seat belts, car alarms and ignition keys are inconvenient, security is too. But they also share the provision of protection otherwise unavailable.

Secure Your Computer

You probably wouldn't leave your car unlocked while unattended on a late Friday night in a crime-ridden area of town with the keys in the ignition and the windows rolled down.

If you were foolish enough to do so, you shouldn't be surprised to find it gone when you returned.

Have the same respect for the protection of your computer, especially when in the bad area of town (the Internet) where anonymity provides opportunities to take advantage of your ignorance.

Return to top

Protect Your Identity

Everyone is Gathering Information

Everyone is collecting information about you. They want all the tools at their disposal to get you to buy their products and services.

If they can get your email address, they can send their advertising right to your inbox. If they know your marital status and how many children you have they can identify potential markets.

Learn how to opt out as well as how to get off these lists if you didn't ask to be put on them in the first place.

Beware of Phone Callers

A phone call about your computer is scamming you. Just hang up.

Be wary of any calls you didn't initiate.

  • Call display can be faked.
  • Never give out personal information
  • Never confirm or correct information.
  • Never provide credit details or a credit card.

If YOU contact your bank or credit card company, they need information to identify you. This is normal. Just be sure you obtain that contact number from a trusted source.

They need to verify that they are speaking to someone authorized to manage the account.

However, if you didn't initiate the call using a reliable source for the phone number, the caller has no right to expect you to provide such information.

Never give any personal information, such as a Social Security number, to a caller unless you're positive he or she is a legitimate representative of a company with which you regularly do business. If there's any question, ask for the caller's full name, title and department and tell him or her you'll call back. Use the business's phone number as posted on its website or on any mailed statement or correspondence you've received from the company. — ZoneAlarm Security Blog

No Unnecessary Information

Certain information is your identity when you conduct business on-line.

Personal Information

Do not post or release this personal information:

  • Social Insurance/Social Security Number (only legislated uses require you to disclose your S.I.N.).
  • Mother's maiden name.
  • Where you were born.
  • Your birth year.
  • Bank PINs.
  • Passwords (especially when combined with user names).

Be careful about releasing billing addresses and employment information as well.

While the successful completion of many credit card transactions requires that the shipping address match the credit card's billing address, this information is not necessary for other transactions.

Take Care When Posting on Social Media Sites

People sometimes post things on Facebook or other social media (or over the phone) without thinking about the consequences.

Information that allows you to recover a lost password should be something you remember, but strangers wouldn't (unless you post it on Facebook):

  • Family genealogy.
  • Pets.
  • Former residences and occupational information.
  • Marriage dates and locations.
  • Favourite sports teams, etc. (poor choice as this is a popular conversational topic).

Being "In the Cloud" Has Risks

Cloud computing (“in the cloud”) is becoming more important as we use smart phones, tablets and other portable devices to conduct business on the go.

While it may free you to access your information anywhere at any time, it also provides the same access to anyone in the world.

Return to top

Report Identity Theft

Begin Immediately

If you suspect you've been the victim of identity theft, the sooner you act, the sooner you can begin to resolve the issue.

You should file a report with the police and with credit reporting agencies:

Reporting identity theft or fraudulent transactions on your credit card(s) to the credit reporting agencies helps to prevent further abuse, particularly if someone tries to open credit in your name.

You are entitled to one free credit report each year which discloses who has made requests for your credit report as well as allowing you to dispute errors.

It will likely be harder to prove identity theft than to execute it.

Watch for Unauthorized Purchases

If you do receive bills for unauthorized credit cards or are billed for goods or services you did not receive (particularly from a foreign country) you may have to file a report with your financial institution(s) and to the police.

More About Identity Theft

More information about identity theft and how to prevent it:

Return to top

Related Resources

Related resources on this site:

or check the resources index.

Return to top

If these pages helped you,
buy me a coffee!