Russ Harvey Consulting - Computer and Internet Services

Phishing & Identity Protection

Protecting yourself from identity theft requires being aware of the danger signs.

The information on this page was written with computers in mind, but most of the warnings also apply to mobile devices (smart phones and tablets).

How much do you know about cybersecurity?

Take the cybersecurity knowledge test to see how much you understand about online security and the terminology involved.

Once you've evaluated how well you understand the issue, read the information on this page to help you understand cyber scams and how to avoid becoming a victim.

Online Criminals

Much like white-collar criminals, online criminals face far lighter repercussions if they are caught than someone physically robbing a store or bank or someone holding a person for ransom, because it is assumed that such crime is not as serious. Victims of white-collar or cyber crimes would disagree.

As cybercrime begins to overtake physical offenses for the first time, we need to realize that as our world continues to be dominated by technology so is organized crime. There is a common misconception that these out of sight online attacks are victimless crimes or are not treated with the same level of importance as those that occur offline, and this needs to change. — Daniel Burrus

Phone Calls

There's a special section on “computer support” calls.

While the information below assumes someone called you, unexpected error messages or dire warnings (see an example) are NEVER legitimate.

NEVER call phone numbers listed in error messages. Instead call your local tech support person or hire me.

From bogus “computer support” calls to “free” vacations to fake charities to unexpected “government” calls (even threats of pending arrest warrants) scams are perpetrated on innocent victims every day.

Globally, about two-thirds of the respondents had encountered a technical support scam. About one in five had been duped -- allowed the scammer to continue his or her story -- and nearly one in 10 had actually given money to the fraudster. — ComputerWorld

Fraud experts recommend that you let all unknown numbers, even if they appear familiar, go to voice mail.

Warning Signs

Any of these warning signs should tell you that you're probably dealing with a scammer. Don't respond; just hang up.

Other Tricks

These are known scam techniques. Don't respond; just hang up.

  • An early morning or late night call (when you're not alert).
  • Any requests to confirm your account number or other details.
  • Any requests for remote access to your computer or to install software.
  • They use a transfer of trust by saying they are “associated” with a well-known agency (e.g. Microsoft, IRS or CRA).
  • Your response to “Can You Hear Me?” or similar questions can be recorded and used as “proof” you ordered a product or service.

Remember, they called you, so it's their identity that is unconfirmed. Providing information or access to your computer allows the caller to scam you. Just hang up. NEVER volunteer information or respond to their questions.

For more information, try these resources:

Microsoft's tips to stay safe online. Don't be the next victim! Just hang up.

  • Be wary of any unsolicited phone call or pop-up message on your device.
  • Microsoft will never proactively reach out to you to provide unsolicited PC or technical support. Any communication we have with you must be initiated by you.
  • Do not call the number in a pop-up window on your device. Microsoft's error and warning messages NEVER include a phone number.
  • Never give control of your computer to a third party unless you can confirm that it is a legitimate representative of a computer support team with whom you are already a customer.
  • If skeptical, take the person's information down and immediately report it to your local authorities.

These Callers are Thieves

The purpose of their call is to steal from you — your money; your identity; your trust. Learn how to protect your identity.

When someone approaches you, remember they always want something. — Frank Catalano

Caller ID Can be Faked

The telephone Caller ID display can be faked. The number showing is no guarantee that the caller is who they say they are.

Unless you initiate the call AND have obtained the number from a legitimate source, you have no certainty who you're dealing with.

Never give any personal information, such as a Social Security number, to a caller unless you're positive he or she is a legitimate representative of a company with which you regularly do business. If there's any question, ask for the caller's full name, title and department and tell him or her you'll call back. Use the business's phone number as posted on its website or on any mailed statement or correspondence you've received from the company. — ZoneAlarm Security Blog

Never depend upon any website provided by the caller. Ensure you use the site indicated on reliable sources such as a recent invoice or billing from the company. Fake websites are common and it is easy to fake a site.

Beware of "Computer Support" Calls

While this section deals specifically with computers, similar motives and techniques are used in other scams including offers to lower your credit card rate and threats of arrest from CRA “security officers.”

I'm calling from Microsoft…

No, they aren't.

If you receive a phone call from a “technical support” person saying that you have a problem with your computer, Just hang up. All such calls are SCAMS.

Telephone scams return around $470 per call. Thanks to robocalling (automated calling), number finding technology, and fake caller IDs, scammers fool more people than ever before. Given how much money the scam makes, and how little call centers pay (e.g., Indian call centers pay around $2 an hour), your decision to "keep them on the line" really isn't helping anyone. — MakeUseOf

If you have reason to believe the call is legitimate, hang up, then look up the number from a legitimate source such as an invoice or statement and call them back. In most cases, the company won't know what you're talking about.

They are Tricking You

The person calling you is undoubtedly more technically adept than most users.

They will attempt to convince you that your computer needs fixing, then obtain your credit card to bill you for this unnecessary “support call.” Remember, they called you to tell you about a problem you weren't experiencing.

All computers run slower over time. The caller will most likely make the problem worse (they are attempting to steal your identity and/or the use of your computer to attack other computers) as well as sell you bogus anti-virus software or services.

If they actually could look into your computer to see errors, they'd be admitting to hacking your computer, an illegal activity.

Fake Websites

The caller will attempt to “prove” they are legitimate by getting you to visit their website. Don't! They are NOT located in your country regardless of what their website indicates. Most (but not all) are located in India or similar countries where consumer protection and fraud laws are not easily enforced.

I once told one caller that if they called back in a half-hour I'd have a website “proving” I'm the king of Siam. They never called back.

Fake Errors

One trick is to have the victim click on the Windows Key + R keyboard combination to bring up the Run command, then have them type in “msconfig” (they'll spell it out) to open System Configuration and click on the services tab:

Screen capture showing a normal Services tab in MSConfig

The scammer will then point out the stopped Microsoft services, telling you that these are “errors” and that your computer is about to crash.

They Want You to Panic

These stopped services are NORMAL, but the caller wants you to panic and follow their advice. Most users are confused by the use of the keyboard commands and immediately feel out of their depth. This is intentional.

Now they'll get you to enter the same Windows Key + R keyboard combination, then (which opens Google) and have you search for an older (insecure) version of TeamViewer.

NOW They Have Access to Your Computer

When installed, this program will provide the caller with remote access to your computer without any of the newest security measures.

Remember, the caller has no advance information about your computer. All they have is their bag of tricks to try to scam you.

  • Never provide remote access to your computer via TeamViewer or any other product based upon a phone call, email or any unexpected popup warning on your computer.
  • Never follow instructions to navigate to folders or type any instructions via your keyboard.
  • Never provide nor confirm any personal or computer information (including passwords, software versions or serial numbers, credit card numbers, etc.).
  • Never visit websites or install software suggested by the caller.

Providing Remote Access is Dangerous

Remote access or unknown software can allow the remote user to do ANYTHING on your computer, including installing nefarious software or stealing your personal information.

If you follow their advice, you'll waste your money on software that won't help protect your computer. Worse, it will likely make your computer more vulnerable and you'll become a victim of identity theft and credit card abuse for which you'll foot the bill.

Don't be a victim! Just hang up.

Cleanup is Costly

Many people of all ages have fallen for these scams, and the schemes are getting more complex. If you encounter one, don't panic. Stop and think it through.

Microsoft estimated the cost of cleaning up after a successful scam at $875.00 (and that was in 2011). More on these sites:

Don't be the next victim! Just hang up.

If You've Become a Victim

If you become a victim, it will probably take you hundreds of hours and an average of $1,000 to recover from ID theft. Even worse, some innocent victims have ended up in prison because identity thieves have committed crimes in their names. — Scambusters

If you've fallen for one of these scams, don't be embarrassed. If you were the only victim, the crooks would be out of business.

Report the Crime

However, you do need to take some immediate measures to limit the damage, starting with reporting the crime.

Have Your Computer Checked

If your computer was accessed, take your computer to a trusted computer professional to assess the damage. Service personnel can look for the signs of problems but no one can guarantee the computer is clean under these circumstances.

In some cases the computer may need to have a clean install (data backed up, operating system and software reinstalled, data restored) to ensure the computer is not infected.

Change Your Passwords

Your passwords may be compromised. Notify the companies involved and immediately change ALL your passwords.

Notify Financial Institutions and Police

If you used a credit card or provided banking details, you'll need to immediately notify those financial institutions.

Notify the police to report the potential identity theft and contact the Canadian Anti-Fraud Centre at 1-888-495-8501 to report that you've probably become the victim of identity theft.

Check That Number!

Do NOT use any number provided in a suspicious email or phone call. Instead, look up the number in a statement or invoice you've received from the company or organization when doing business with them in the past.

What About Unknown Numbers

There are resources that let you check out a phone number. These services depend upon reports from people like you that may have fallen victim to the scam or are simply concerned that it may be a scam.

  • 800notes is a free reverse phone number lookup database built by its users.
  • CallerSmart is a free service (or app) that allows you to find out who called or texted you.

You don't know if the number showing on your call display is accurate. (Would you allow your real number to display if you were about to steal from someone?)

In many cases the scammer will fake a local or domestic number until it becomes too hot to use, then they'll switch to another. Using Internet-based phone calling, it is easy to fake any number, usually a number that appears to be local because you're more likely to answer a call from “a neighbour” than an unknown long distance number.

Phishing Emails

Unfamiliar messages. Passwords that no longer work. These are just two of the many clues that cybercriminals have gotten a hold of your password and broken into your account. — ZoneAlarm Security Blog

Phishing license --
Later, walking out of jail after posting $10,000 bail:
"Wait, this isn't the street the county jail is on."

Obtaining Information by Deceit

Phishing is a form of spam intended to obtain financial and personal information by deceit.

  • It takes advantage of vulnerabilities in some browsers and email programs but depends even more upon people's ignorance.
  • The intent is to steal your on-line identity — a crime commonly referred to as identity theft (see the sidebar).
  • The information gained will be used to gain unauthorized access to your existing accounts or to establish new ones. Crimes may be committed in your name and your reputation may be destroyed.

[E]mail isn't the only vector for phishing attacks: Several U.S. state and local government agencies have reported receiving strange letters via snail mail that include malware-laden compact discs (CDs) apparently sent from China. — KrebsOnSecurity

There are huge personal and financial costs if you allow yourself to become a victim — $37 billion in 2010 (down from $56 billion the year before).

One reason phishing and other identity theft practices succeed is that most of the victims are using technology they don't understand. Unfortunately, neither do the politicians making the rules to protect you.

  • Victims use passwords that are easily guessed and often repeated everywhere. The passwords may have been compromised in a data breach (that's why you change passwords when you're notified of a breach.)
  • Victims don't use a password manager. Instead, they use the same set of passwords or slight variations everywhere.
  • Rather than learning to use newer software with built-in safeguards, victims run obsolete email programs and vulnerable web browsers with obsolete or insecure addons and vulnerable plugins.
  • Victims are unwilling to learn about risky behaviour or change their habits to reduce those risks.

Ignorance is Your Downfall

Your ignorance is your downfall. Learn the signs you're being scammed:

Don't Get Hooked: How to recognize and avoid phishing attacks

“Your Computer Hacked”

A relatively recent form of phishing attack is a blackmail email claiming to have hacked your computer demanding payment (in bitcoins, of course) to keep your secrets. Here's some of the text from an example:

I have bad news for you. I hacked into your operating system and obtained full access to your account [email address]. After that, I made a full backup of your disk (I have all your address book, view site history, all files, phone numbers and addresses of all your contacts).

I took a screenshot of the intimate website where you are satisfied (Do you understand what I mean?). After that, I made a video of your pleasure (using the camera of your device). It turned out beautiful! I firmly believe that you would not want to show these photos to your parents, friends or colleagues. I think 300 € is a very small sum for my silence.

P.S. I guarantee that I will not disturb you after the payment because you are not my only victim. It's a code of honor for hackers.

There is no honour among thieves. If you have decent up-to-date computer security software, have changed the default passwords on your router and use good password hygiene, it is highly unlikely that you've been hacked.

Unfortunately, in the modern age, data breaches are common and massive sets of passwords make their way to the criminal corners of the Internet. Scammers likely obtained such a list for the express purpose of including a kernel of truth in an otherwise boilerplate mass email. — EFF

The language is quite generic and without details that would clearly indicate that the blackmailer was in possession of your documents. I suggest you ignore the threats.

Spear Phishing

“Spear” phishing is harder to detect. It uses information about you that the scammer obtained online (details you shared on Facebook or elsewhere) to make the sender appear to be someone you can trust. The email may appear to come from a friend, but it is a scammer looking to steal from you.

The spear phisher thrives on familiarity. He knows your name, your email address, and at least a little about you. The salutation on the email message is likely to be personalized: "Hi Bob" instead of "Dear Sir." The email may make reference to a "mutual friend." Or to a recent online purchase you've made. Because the email seems to come from someone you know, you may be less vigilant and give them the information they ask for. And when it's a company you know asking for urgent action, you may be tempted to act before thinking.

Looks Can Be Deceiving

Phishing involves convincing you that you're seeing information from a legitimate source when you're not.

Phishing emails are designed to look like legitimate messages from actual banks, businesses, and other organizations. In reality, though, criminals created the message, usually in an effort to steal your money, identity, or both. They want you to click links that will take you to a website that looks authentic but is really just there to capture your credit card or other personal information or perhaps to distribute malware. — ZoneAlarm Security Blog

ZoneAlarm's blog has some excellent resources:

I use AntispamSniper, an excellent third-party antispam tool, with The Bat!. They have some excellent suggestions on identifying and avoiding phishing attacks.

Identity Theft is a Long-Term Problem

If you are the victim of identity theft, you can expect to fight to regain your credit rating for years — over and over again.

Victims report that it takes months or years to regain their credit rating, only to find that a new report forces them to start all over again.

While electronic data can quickly get you into trouble, financial institutions want physical (on paper) evidence that you're not responsible.

How Phishing Works

Going on a Phishing Expedition

Becoming a victim is easier than you might think. Let's have a look at the process from the perpetrator's point of view.

Remember, YOU are the intended victim of this trap.

Step One: Create a Fake Website

The first step is to set up a look-alike site that closely resembles a site that your victims are already using or could be using. The company's logo and other trademarked images are used to convey authenticity. (See the section on abusing transfer of trust.)

Proprietary Images Can be Hijacked

If a site invites you to use your email and password to log into Yahoo!, Gmail, Windows Live, AOL or other email account, DON'T!

The “Google Docs” image (shown beside this text) was captured from a fake website.

I've seen a similar layout embedded into an email (one of the reasons you DON'T want to allow your email program to automatically download images).

Don't follow a website (or email) link to log into Yahoo!, Gmail, Windows Live, AOL or other email account. The email may simply use fake links to take you to their bogus site. Always use an address included in a legitimate source like a paper invoice or account statement.

The message could exploit a bank (most have been targeted), Google Docs, e-Bay, PayPal or any site where you conduct business using a credit card or that is protected with a user name (which is usually your email address) plus a password. Only your password is unique in this combination.

What Happens When You Click on Fake Links?

When you click on these links and enter the requested login information, you are giving thieves access to your real account(s).

They probably will change the password to lock you out of your own accounts.

If it is your email account, that account is a key recovery mechanism for your other accounts. The scammer would soon control your social media and other accounts linked to it. All they have to do is click on the “forgot password” link on the various sites then check your email account for the recovery information or links. Even the warning would be sent to the hackers.

Step Two: Send Out an Email

Next, send an email message to thousands of potential victims (like you) indicating that there is a problem with their account, or that their account will be closed unless they go to the website and re-enter personal information, including their user name and password (or bank PIN).

Most such messages indicate that you must act quickly or your account will be closed. They don't want you taking time to think about it or contact the actual company where the account is located, do they?

Legitimate businesses will never ask for personal or account information via email and shouldn't over the phone if the business placed the call.

An Example

The following is a message sent to customers a number of years ago:

Look at this sample phishing email sent to customers

The headers show routing inconsistent with a message from Islandnet:

Partial headers from sample phishing email

How to Read Message Headers

Scammers Getting Smarter

You can't count on identifying spam by the email sender's address. Scammers often know how to forge headers to make it appear to come from a legitimate company.

Recently I've noticed that spam with the same message seems to come from a different email address every time (probably the same scammer using stolen addresses).

According to Symantec's 2015 Website Security Threat Report Part I, it costs as little as $0.50 to $10 per 1,000 stolen email addresses on the black market — a testimony as to the poor quality passwords many folks use and how easy it is to obtain them.
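
The header check described above (routing that is inconsistent with the claimed sender) can be done programmatically. The following is an added example, not part of the original page: it reads a message's headers and flags a Reply-To, Return-Path or delivering host that does not belong to the domain shown in From. The sample message, the .example/.test names, the `my_provider` parameter and the flag labels are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample (not the message from the page). It uses reserved
# .example/.test names and documentation IP ranges.
RAW = """\
Return-Path: <bounce@mailer.phish.test>
Received: from relay.phish.test (relay.phish.test [203.0.113.45])
\tby mx.isp.example with ESMTP id abc123
\tfor <you@isp.example>; Tue, 02 Jan 2024 03:14:07 -0800
Received: from localhost (unknown [198.51.100.7])
\tby relay.phish.test with SMTP; Tue, 02 Jan 2024 11:14:01 +0000
From: "ISP Support" <support@isp.example>
Reply-To: accounts@webmail.test
To: you@isp.example
Subject: YOUR ACCOUNT WILL BE CLOSED

Please confirm your user name and password.
"""

# "from <host> (... [<ip>]) by <host>" as written by most mail servers.
HOP = re.compile(r"from\s+(\S+).*?\[([0-9A-Fa-f.:]+)\].*?\bby\s+(\S+)")


def domain_of(header_value):
    """Domain part of the address in a From/Reply-To/Return-Path header."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()


def under(host, domain):
    """True when host is the domain itself or one of its subdomains."""
    host, domain = host.lower(), domain.lower()
    return host == domain or host.endswith("." + domain)


def received_hops(msg):
    """Received lines, newest first (each server adds its line at the top)."""
    hops = []
    for value in msg.get_all("Received", []):
        m = HOP.search(" ".join(value.split()))  # unfold continuation lines
        if m:
            hops.append({"from": m.group(1), "ip": m.group(2), "by": m.group(3)})
    return hops


def analyse(raw, my_provider):
    """Compare the claimed sender with the addresses and route in the headers."""
    msg = message_from_string(raw)
    from_domain = domain_of(msg["From"])
    reply_domain = domain_of(msg["Reply-To"])
    bounce_domain = domain_of(msg["Return-Path"])
    # Only the line written by your own provider is trustworthy; anything
    # below it was supplied by the sending side and can be forged.
    handoff = next(
        (h for h in received_hops(msg) if under(h["by"], my_provider)), None)

    flags = []
    if reply_domain and reply_domain != from_domain:
        flags.append("reply-to-differs")
    if bounce_domain and not under(bounce_domain, from_domain):
        flags.append("return-path-differs")
    if handoff and not under(handoff["from"], from_domain):
        flags.append("handoff-host-outside-from-domain")
    return {"from_domain": from_domain, "handoff": handoff, "flags": flags}


if __name__ == "__main__":
    report = analyse(RAW, my_provider="isp.example")
    print(report["from_domain"], report["handoff"], report["flags"])
```

Legitimate companies sometimes send through third-party mail services, so treat these flags as reasons to look closer rather than as proof of fraud.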

The Anatomy of an Email Scam

Don't get hooked.

See full-size infographic (posted on the ZoneAlarm Blog) to learn how to recognize an email scam.

HTML Email Hides Details

One of the dangers of "enhanced" or HTML email is that stuff can be hidden. See How to unmask fake links.

Firefox security features help you avoid problems with invalid or insecure sites. Other browsers may have these features, but Firefox is the only major independent browser.

Step Three: Collect the Information

The victim (you) clicks on the link and finds themselves on what they believe to be the correct site (remember, the perpetrator has created the site to look like the original), so they enter their user name or email address and password.

Of course, this information is not going where you think it is — you're sending it directly to thieves.

Step Four: Assume Your Identity

Taking your electronic identity (which you've just provided to them on the phishing site), the thieves go to the real site (such as your bank) and log into your account.

The information obtained in this manner is then used to either obtain funds from your account or to set up credit in your name.

Another Sort of Phishing Email

The example above is designed to lure you into providing account information and/or to visit a bogus website where you'll enter that information.

Scam with a Different Purpose

A message can also be designed to get you to send money via Western Union or some other method.

The following is the text of a message I received from a friend. I've removed identifiable information and replaced it with the text in the square brackets:


I'm so sorry to bother you,but i really need your help at the moment,  I came down here to Manila Philippines for a short vacation,unfortunately i got mugged at the park of the hotel i'm staying ,everything i had on me was stolen including,cash,credit cards and cell phone....I need help to settle the bills and flying back home, I'll surely pay back as soon as I get back home.The amount needed now is just $2,500 .. I'll surely pay back as soon as i get back home. I'm so confused right now and also want to let you know I was beaten up while trying to protect myself and had some scratches on me but his doing well now,You can have the money wire  to my name and the address below via western union;

Receiver's Name: [my friend's first and last name]
Location: Manila, Philippines

Get back to me with the details, would definitely refund it back to you once i arrive Hopefully.

Am freaked out at the moment..... I need your Help

The sender hoped I'd reply with financial details so they could collect the funds themselves.

How I Knew It Was a Scam

The message appeared to come from this person's current email address, but there are several clues that this wasn't legitimate:

  • The use of ALL CAPS in the subject line usually indicates a scam.
  • The inconsistent or incorrect use of capitalization and punctuation indicates that English is not the sender's native language or they have poor grammar skills (the person they were impersonating is a professional writer and editor).
  • The message was sent from the IP address (found in the headers) which is in Ebene, Africa. (Remember, this person is supposed to be broke and in the Philippines.)
  • The person was supposedly “beaten up” (yet only has “some scratches”).
  • The person had no cash, credit cards or cell phone but was able to send an email to me.
  • The message was sent to an email address that the sender would be unlikely to use when corresponding to me in such a circumstance.

The victim could have resolved her issues with a call to the credit card company. The hotel would have obtained a copy of a guest's credit card when the reservation was made (and verified it when the person checked in) and credit card companies provide the necessary help in such circumstances.

Address Owner Reports Bogus Message & Tightens Password

The real owner of the address did the smart thing and sent out a message to her contacts indicating that the original message was bogus and changed her password to something more secure.

Fake Emails Getting Better

Recent phishing email scams are harder to detect. Scammers are improving their techniques as well as their grammar and they employ spear phishing techniques to make the message more believable.

[P]hishing messages only seem to be getting savvier and more authentic-looking, fooling even seasoned experts. Gone are the days when obvious misspellings and grammatical errors provide a dead giveaway that shenanigans are at play. — Trustwave Blog

However, their goal is to try to get you to respond quickly before you can think too hard about the claims in the message. Beware of these signals:

  • The sender indicates they are out of contact but in dire need (like the example above).
  • Any attempt to get your user name and password, especially when the form is either attached or embedded in the email message.
  • Attachments are generally unnecessary in most messages. They are useful when sending documents, photos, etc., but an unexpected attached .docx or .zip file should probably not be opened (most such attachments contain scripts that will infect your computer).
  • Altered or unusual links in the body of the message or its attachments.
  • The presence of official looking logos attached to the message (most companies now use images hosted on their server).

One of the methods commonly used to scam people is fake links in email messages.

Fake links drive unsuspecting traffic to websites that:

  • generate revenue for the scammers via pay-per-click ads or similar revenue generators; or
  • pretend to be a legitimate site like a bank (in order to steal account information); or
  • infect their computers with malware (turning their computer into part of a botnet that attacks legitimate sites or attempts to infect other computers).

Decent security software and detection provided by web browsers like Firefox can help prevent such attacks, but it is best not to click on these links in the first place.

Where Does That Link Go?

Would you click on links like the following?

Of course not. Those looking to steal your identity aren't going to unmask themselves. They tell you the link points to something that engages your curiosity or greed.

That's why you can't trust the linked text to tell you where the links actually go.

Links Have Two Components

Hyperlinks on a website (and in an email) have at least two components:

  1. the linked text (what you see highlighted in the link); and
  2. the hyperlink (the actual address where you are being sent).

Only the hyperlink itself (the hidden part) determines where the link sends you.

Just as placing a Mercedes license holder onto a Ford doesn't turn it into a Mercedes, a misleading description doesn't change the link's destination.

Take a look at the following link and then see where it leads you (a new window opens):

Using the Status Bar

If you hover over the link and look in the status bar at the bottom of the program (some browsers show the hyperlink address in a small box above or below the link itself) you can tell the destination without clicking the link (and potentially getting yourself into trouble).

Just because the linked text says it is pointing towards a particular address doesn't mean that is the real destination.
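
The comparison of linked text and hyperlink described above can be automated. The following is an added example, not code from the original page: it pulls every link out of an HTML message body and reports where the link's text names one site while the hyperlink goes to another, or where the destination is a bare IP address. The sample message, the .example/.test names and the verdict labels are constructed for illustration.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Linked text that itself looks like a web address or bare host name.
HOSTLIKE = re.compile(
    r"^(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)(?:[/:?#].*)?$", re.I)

# Constructed sample body using reserved names and a documentation IP.
SAMPLE_HTML = """
<p>Your account will be closed unless you act now.</p>
<a href="http://login.phish.test/bank/verify">www.bank.example</a>
<a href="https://www.bank.example/help">https://bank.example/help</a>
<a href="http://192.0.2.10/update"><b>Update your details</b></a>
<a href="https://bank.example.account-check.phish.test/">bank.example</a>
<a href="https://www.bank.example/">Click here</a>
"""


class LinkCollector(HTMLParser):
    """Collect (linked text, hyperlink) pairs from an HTML message body."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            text = " ".join("".join(self._text).split())
            self.links.append((text, self._href))
            self._href = None


def strip_www(host):
    return host[4:] if host.startswith("www.") else host


def same_site(shown, actual):
    """True when the real host is the shown host or a subdomain of it."""
    shown, actual = strip_www(shown), strip_www(actual)
    return actual == shown or actual.endswith("." + shown)


def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def audit_links(html):
    """Return one finding per link: its text, real host and a verdict."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for text, href in parser.links:
        actual = (urlsplit(href).hostname or "").lower()
        match = HOSTLIKE.match(text)
        shown = match.group(1).lower() if match else ""
        if actual and is_ip(actual):
            verdict = "ip-destination"      # no site name at all, just a number
        elif shown and not same_site(shown, actual):
            verdict = "mismatch"            # text names one site, link goes elsewhere
        elif shown:
            verdict = "ok"                  # text and hyperlink agree
        else:
            verdict = "no-claim"            # text names no site; check the host yourself
        findings.append({"text": text, "host": actual, "verdict": verdict})
    return findings


if __name__ == "__main__":
    for finding in audit_links(SAMPLE_HTML):
        print(f'{finding["verdict"]:15} {finding["text"]!r} -> {finding["host"]}')
```

The fourth sample link shows why the host must be read from the right-hand end: it begins with the bank's name but actually belongs to a different domain.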

Learning More of the Mechanics

If you are interested in the mechanics of this process, have a look at Cut 'N Paste HTML Editing. It gives some simple HTML lessons and demonstrates how HTML links work.

Short URLs

It is common for phishing emails to use shortened URLs (web addresses) created by services like TinyURL and bitly to hide the destination address, but you can check these links before visiting the site. Paste the address into your browser's address bar with the changes noted below, then hit enter:

You're taken to TinyURL or bitly with information showing about the true (full) destination for the shortened link. In these examples, all shortened links point back to this page.

Shortened links are common in Tweets (Twitter messages) because only 140 characters doesn't allow for long complex links. However, they are seldom needed in an email except where the length of a complex address wraps in the email window, potentially causing the link to break.

How Can a Fake Site Exist?

First of all, people that set these fake sites up and send out the phishing emails wish to remain anonymous. They are breaking the law and don't want you (or the police) to be able to find them after they steal your identity.

Short-Term Links

The provided links are only up for a short time before they are removed by the owners of the site affected or by the legal authorities.

Forged links often point to a site in an educational institution where passwords and access are easy to come by.

By their very nature, universities house a lot of smart and curious people. Smart as they are, too many don't view the issue of security as their problem. Because of a few people's lax attitudes, many will suffer significant financial setbacks.

Delete Attached Forms

More recent phishing attempts have provided an attachment to their messages which, when opened, replaces the fake site with a form that accomplishes the same nefarious purpose — to get your information using deception. Don't be fooled. An unexpected attached form (or PDF or Zip file) is likely an attempt at identity theft. Even .DOCX and other Microsoft Office documents can be dangerous.

Configuring Your Software to Protect You

Whatever choices you make with your software, you'll want to take advantage of some advanced (and often hidden) features:

  • Ensure that you can see the hints when your mouse hovers over a link or other hot spots on your browser.
  • Use stronger passwords. There are complex online password generators as well as software to help remember more complex passwords. I strongly recommend LastPass password manager.
  • Only shop on encrypted websites — prefixed with https:// and a padlock symbol in the address bar (see examples). Unencrypted sites are more vulnerable to being hacked.
  • Learn how to view the headers in an email message (sidebar), and know the signs of a risky message (read this page completely as phone and email scams have a lot in common).
  • Ensure your security software is current and updated daily.
  • Windows users should ensure that all critical Windows Updates are installed, including the latest service pack. Mac and Linux users need to be vigilant in updating. While infections are not as common on these systems, they are still vulnerable.
  • Ensure your browser and email software are current and updated.
  • Stop using and uninstall software that is no longer actively supported or maintained.

Advanced features are often hidden to provide for a cleaner, simpler look. Remember, software vendors don't have to pay to clean up problems caused by the shortcomings in their products or within optional downloads installed at the same time as their own product.

If you need help determining how to configure your software and security protection, contact someone knowledgeable. Be careful when selecting your “expert” helper (especially if they call you). Remember, you're putting your trust in this person.

I provide these services, but only in Greater Victoria (located on the west coast of Canada).

Get Help From Your ISP

Use whatever tools your ISP makes available to identify potential spam, phishing and other problematic email messages. Check your ISP's help or support website or call their help line.

I strongly recommend hosting with


They specialize in website hosting and can provide personal support when you need it. Their friendly, knowledgeable staff can deal with most email programs and services. Unlike some major ISPs, you're dealing with a real person who is knowledgeable, not someone overseas with a script in front of them.


Transfer of Trust

A successful phishing scheme, like any con, depends upon gaining your trust.

They'll use your trust of your financial institution, major vendor (e.g. Microsoft) or other authority (CRA, CRTC, FBI, phone company, etc.). They know that if you believe they are who they say they are, then you'll be more likely to follow their instructions.

Your trust in the caller, web page or link is only because it appears to be from someone you know and trust.

The Internet Can Be Exploited

The original Internet was used only by scientists exchanging data. There was no need for high security.

But this has changed. The Web is used for e-commerce, personal transactions and more.

Browsers and enhanced (HTML) email messages can be exploited, particularly if you don't understand the language (HTML markup) and therefore can't protect yourself.

Preventing Successful Phishing

There are a number of things that you can use to avoid being the victim of this type of attack:

  • Be wary of any threats to close your account, especially emailed notices. Requests for account information or passwords are NEVER legitimate.
  • Be wary when using public computers. Your passwords, accounts and personal information can be retained by the browser's cache for later retrieval by anyone with access to that computer.
  • Do not use open or untrusted secured wireless networks such as those at coffee shops and other public networks. Someone can be "listening in" on the transaction and obtain your user ID and password.
  • Do not trust information emailed to you including any links to sites.
  • Do not trust information on an unknown website.
  • Keyloggers can capture private information on any computer.

Always use trusted sources to obtain the telephone number or website address to contact any site requiring personal information or a password. Google is not necessarily that trusted source, especially if you click on the sponsored links.

Report Identity Theft

If you have been a victim of identity theft (or suspect you have), contact the police to report identity theft.


Use Encrypted HTTPS Sites Where Possible

Choose your web browser for its ability to protect your privacy and security online.

I strongly recommend that you only connect to sites that are encrypted. Unsecured sites are not encrypted and are vulnerable to man-in-the-middle attacks.

This is particularly important when using online banking or when shopping online — including anywhere that you are sharing banking or credit card details.

Secure sites are indicated by https:// in front of the address and/or some sort of a padlock symbol. The display varies by browser:

How three browsers display secure (HTTPS) sites

  • Firefox, Google Chrome and Opera all use a green padlock to the left of the address.
  • Chrome includes the word secure.
  • Both Firefox and Chrome display the HTTPS:// prefix; Opera does not.
  • Safari and Internet Explorer both use a grey padlock symbol.
  • Safari displays it to the left of the address but doesn't display the HTTPS:// prefix.
  • Internet Explorer displays the padlock on the far right side of the address window but does display the HTTPS:// prefix.

HTTPS Everywhere is a Firefox, Chrome, and Opera extension that encrypts your communications with many major websites, making your browsing more secure.


Choose a Safer Browser

Your Browser Choice Matters

Your choice of web browser can make a difference in your ability to protect yourself online. Whichever browser you choose, the most recent version will usually have improved security features and/or have known security issues patched.

Firefox Recommended

Firefox's warning page for a reported attack site

Firefox is a much safer browser to use.

As an independent stand-alone product it is less vulnerable to cross-program security issues.

Because it isn't tied to an operating system or to a search company, it can focus on its users rather than those controlling the purse strings. It can perform all the features needed in a browser without the downside.

Have a look at some of the built-in security features of Firefox:

Firefox is also updated frequently, so security fixes and new benefits are available sooner.

Internet Explorer

Internet Explorer is no longer being developed and is not recommended for routine surfing or browsing sites on the Web. While IE may be convenient, it is so tightly integrated into Windows that any security issue in any Microsoft product puts your entire computer at risk.

Windows 10 includes IE along with Microsoft Edge, however it was not intended to be used as your primary browser:

"You see, Internet Explorer is a compatibility solution," wrote [Microsoft security chief] Jackson in the blog. "We're not supporting new web standards for it and, while many sites work fine, developers by and large just aren't testing for Internet Explorer these days. They're testing on modern browsers." — ZDNet

Google Chrome

Google has paid free software vendors to automatically install Chrome as the user's default browser (few people check for the preselected options when installing this software), and Chrome has replaced Internet Explorer as the dominant browser.

Google Chrome has huge privacy risks, especially if you sign into your Google account while surfing (even if it is only for checking your Gmail). Google makes their money by exploiting information you provide and Google NEVER forgets.

More About Browsers

There is more about web browsers and their options on my Browsers & Plugins page including browser downloads.


Anti-Phishing Tools & Information

These tools and information sites will help you to learn more about phishing and provide you with tools to verify suspect websites and files.

I urge caution when using these tools. Be sure you understand the terminology and understand the risks.

Suspicious Popups

Beware of suspicious warnings or popups on websites and on your computer.

  • You suddenly hear an audio-based warning that your computer has been infected. There doesn't seem to be any solution other than to follow the instructions.
  • A website reports that your Windows license key has been corrupted.
  • A red box pops up stating that there is a Firefox critical error and telling you to call a number.

These are examples of malware designed to trap you into expensive service contracts that are scams. NEVER call the number on the screen.

Microsoft warnings will NEVER include a phone number. Neither will Firefox. If a recovery phone number is displayed, you're seeing a scam.

If you're having difficulty closing a popup, see Popup Warnings that Won't Go Away for solutions.

Checking Out Suspicious Websites

Check to see if a site has been flagged for phishing:

  • PhishTank is a collaborative clearing house for data and information about phishing on the Internet.
  • urlQuery is a service for detecting and analyzing web-based malware.
  • CSI: ACE Insight allows you to check for malicious sites.

Check the site's information and/or disclaimer pages so you understand the capabilities and shortcomings of the service. The following is from urlQuery's “About” page but can be applied to most such services:

Currently no service or security solution provides 100% detection of malicious content. The data provided is to help give a second opinion and should not be taken as fact. As with other sandbox technologies it can be detected which can skew or make the results inaccurate. Other issues might include browser incompatibilities or settings/configurations within the browser.

Checking Out Suspicious Files

Be cautious when checking out suspicious files. In most cases you're safer simply deleting the email along with the unopened suspect file unless you were expecting it from a trusted source.

If your security program detects a problem with an attachment, you'd best delete it rather than having the program treat it even if it is an essential file sent from a trusted computer.

You're best to discard it rather than risk infecting your own computer by opening the attachment. Instead, print out a copy of the file on the original computer while disconnected from the Internet. The original computer needs to have a full security scan with current and updated software.

  • ZoneAlarm Extreme's Threat Emulation opens unknown files in a virtual sandbox to examine what they do before you risk your computer's security.
  • CSI: ACE Insight allows you to upload suspect files you received as attachments.

More About Phishing

The following sites deal with phishing.

Recommended Reading

419, fiction by Will Ferguson, looks at the issue of phishing from both the victim and perpetrator points of view. Strongly recommended.

“419” by Will Ferguson
419 takes readers behind the scene of the world's most insidious internet scam. When Laura's father gets caught up in one such swindle and pays with his life, she is forced to leave the comfort of North America to make a journey deep into the dangerous back streets and alleyways of the Lagos underworld to confront her father's killer. What she finds there will change her life forever… — GoodReads


Identity Theft


Identity theft, in a nutshell, is the obtaining of information about you that will enable someone else to impersonate "you" — allowing them to steal in your name.

Identity theft is, unfortunately, a rapidly growing crime:

384 million identities were exposed in 2014 as a result of data breaches. That's equivalent to the whole population of Western Europe. — Symantec
[2015] was truly a watershed year in terms of hacks and it's estimated that over one half of American adults had their identity compromised in some way. — ZoneAlarm Blog
As many as 143 million Americans are said to be affected, the company said, representing about half of the US population. Some UK and Canadian residents are also affected, the statement confirmed. — ZDNet on the 2017 Equifax data breach.

NCIX Computers Never Wiped Customer Data Before Sale

One local example is the sale of personal information (including IP, home and email addresses, passwords, credit card information and social insurance numbers) for former customers following the bankruptcy of computer retailer NCIX in Vancouver.

Not only did the company fail to ensure that the computers containing customer information were wiped, but that data was so poorly encrypted that the information is being sold on Craigslist.

Whoever is responsible for the careless disposal of the company assets is to blame. Bankruptcy protection should not provide leniency for the person(s) responsible for the poor security for that information, including the former officers of that company.

White Collar Crime Punished Lightly

Until such crimes are punished appropriately and to the same degree as a similar blue-collar crime, these breaches will continue.

It Used to Be Harder

Obtaining personal information is much easier than it used to be.

At one time you had to go to your bank and speak to a real person, who would then compare your signature with a physical signature card stored at the bank to ensure that you were who you said you were before releasing funds or providing a new credit card.

ID Easily Accessed

These days credit card applications appear unsolicited in your mailbox and are easily obtained online.

Verification depends upon electronic data rather than hard copies (like the signature card in the teller's hand).

The convenience of inter-branch banking and online transactions has resulted in poorer security.

The move to using your smartphone to do banking has its own risks.

The convenience ends when there is a problem and the bank demands paper documents that prove your innocence.

Passwords: Your eSignature

Many people using electronic verification technology don't really understand it and view it as something that is imposed upon them rather than something for their own protection.

User Names Public

In many cases your user name IS your email address or part of it in the case of those supplying the email address:

That leaves only the password to protect your account access. Learn more about secure passwords and other options to protect your online accounts.

Weak Passwords = Blank Cheques

Unfortunately, many folks don't take their passwords seriously.

Afraid they'll forget a password, they make it simple and use the same password for every account.

Your passwords are like a series of unsecured blank cheques that you've already signed. The only limit is the size of your bank account or credit limit.

Security Breaches Affect You

There are an increasing number of security breaches that affect everyone using online services (that is pretty much all of us).

2016 was a banner year for the number and severity of account breaches highlighted by the Yahoo! breach of 500 million accounts.

It has NOT gotten better.

Learn more about the privacy risks that these breaches entail and how you can better prepare yourself.

Ignorance is Your Undoing

Folks don't understand the risks of using older or unsecured technology.

Many continued to use Outlook Express long after it was obsolete (and dangerous to use), just like Windows XP, the operating system it came bundled with.

Both are like a skeleton key from a security point of view — easy to use but having ineffective security.

Just as seat belts, car alarms and ignition keys are inconvenient, online security is too. Choose a good product and learn how to use it to protect your data and privacy.

Secure Your Computer

You probably wouldn't leave your car unlocked and unattended with the keys in the ignition and the windows rolled down. Especially not in a bad neighbourhood.

If you were foolish enough to do so, you shouldn't be surprised to find it gone when you returned.

The Internet's anonymity provides similar opportunities to exploit your ignorance.


Protect Your Identity

Everyone is Gathering Information

Everyone is collecting information about you and your privacy is for sale.

[T]here is another reason websites track you — It's because you're worth a lot of money. Websites record your activity so they can sell your information to third party advertising platforms, essentially delivering ads that they hope are relevant to you. — ZoneAlarm Blog

With your email address, they can send their advertising right to your inbox. If they know your marital status and how many children you have they can identify potential markets.

Facebook knows more about you than your family and friends do. And they never forget anything.

Target has even determined how to identify that a customer is pregnant before the customer themselves knows — based simply upon their product purchases.

Learn to deal with spam. Be careful in trying to get off these lists if you didn't ask to be put on them in the first place. If the companies were ethical, they wouldn't use opt-out techniques in the first place.

Beware of Phone Callers

A phone call about your computer (or offers of a holiday special or a warning that you're about to get arrested for unpaid taxes) is scamming you. Just hang up.

Be wary of any calls you didn't initiate.

  • Caller ID can be faked.
  • Never give out personal information.
  • Never confirm or correct information.
  • Never provide credit details or a credit card.
  • Be wary when calling back a missed number, particularly if it only rang once. Calls to regular numbers in certain (mostly Caribbean) countries can be treated like 900 numbers.

If YOU contact your bank or credit card company, they need information to identify you.

This is normal. Just be sure you obtain that contact number from a trusted source.

However, if you DIDN'T initiate the call using a reliable source for the phone number, the caller has no right to expect you to provide such information.

Never give any personal information, such as a Social Security number, to a caller unless you're positive he or she is a legitimate representative of a company with which you regularly do business.

If there's any question, ask for the caller's full name, title and department and tell him or her you'll call back.

Use the business's phone number as posted on its website or, better still, on any snail-mailed statement or correspondence you've received from the company. — ZoneAlarm Security Blog

Unnecessary Information

Certain information is your identity when you conduct business on-line.

Personal Information

Do not post or release this personal information:

  • Social Insurance/Social Security Number (only legislated uses require you to disclose your S.I.N.).
  • Mother's maiden name.
  • Where you were born.
  • Your birth year.
  • Bank PINs.
  • Passwords.

Be careful about releasing billing addresses and employment information as well.

While the successful completion of many credit card transactions requires that the shipping address match the credit card's billing address, this information is not necessary for other transactions.

Take Care When Posting on Social Media Sites

People sometimes post things on Facebook or other social media (or say them over the phone) without thinking about the consequences.

Information that allows you to recover a lost password should be something you remember, but strangers shouldn't (unless you post it on Facebook).

These personal bits are commonly posted by people:

  • Family genealogy.
  • Pet names.
  • Former residences and occupational information.
  • Marriage dates and locations.

Favourite sports teams are a poor choice as this is a popular conversational topic.

Password Recovery

Most accounts are compromised by using the password recovery mechanism which invariably asks questions that many people know about you (such as those listed above).

They are easy for you to remember, but also often too easy to research or ask about in a casual conversation.

"The Cloud" Has Risks

Cloud computing (“in the cloud”) is becoming more important as we use smart phones, tablets and other portable devices to conduct business on the go.

While it may free you to access your information anywhere at any time, it also provides the same access to ANYONE in the world with an Internet connection.

Banning Encryption Short-sighted

Legislation is pending in some locations (including in the U.S.A. and possibly Canada) to ban encryption or to ensure backdoors are added. This is very short-sighted.

  • Effective encryption could help reduce the risk of hacks like those noted above.
  • Backdoors are vulnerable to unauthorized access. There is no such thing as a vulnerability that is only accessible by the good guys.
  • Weaknesses in software, especially unknown (or zero-day) exploits, make us all more vulnerable.

Yes, encryption is used by criminals. So are our roads, public utilities, telephone systems, etc. Should we remove everyone's access to those as well?

It would be better to close more zero-day loopholes than to hope that criminals and foreign governments don't find them.


Report Identity Theft

Begin Immediately

If you suspect you've been the victim of identity theft, the sooner you act, the sooner you can begin to resolve the issue.

The Canadian Anti-Fraud Centre at 1-888-495-8501 can help you through the process. See the RCMP's Identity Theft and Identity Fraud Victim Assistance Guide for further help.

You should file a report with your local police and with credit reporting agencies:

Reporting identity theft or fraudulent transactions on your credit card(s) to the credit reporting agencies helps to prevent further abuse, particularly if someone tries to open new credit in your name.

You are entitled to one free credit report each year which discloses who has made requests for your credit report as well as allowing you to dispute errors.

It will likely be harder to prove identity theft than to execute it.

Equifax Untrustworthy

Equifax was hacked sometime between May and July 2017 but didn't report it until September.

Meanwhile, some Equifax executives sold off their holdings.

Equifax has no credibility and can't safeguard your credit information. They used the least effective security possible. Shame on them.

Unauthorized Purchases

Check your bills for unauthorized credit cards or charges for goods or services you did not receive (particularly from a foreign country).

However, unsolicited automated calls telling you that your credit card has been used to make a very large purchase are usually fraudulent attempts to secure your credit card information.

You may have to file a report with your financial institution(s) and to the police.

More About Identity Theft

More information about identity theft and how to prevent it:


Updated: August 13, 2019