Computerworld

3 ways to save yourself after a phishing attack

Figures don't lie, the old aphorism goes, but liars can figure.

Figures don't lie, the old aphorism goes, but liars can figure. And after nearly 20 years covering technology, I've realized that you could update that saying to: Benchmarks don't lie, but liars can benchmark.

What brings this to mind is a nasty war of words between Microsoft and Mozilla, the publishers of Firefox, over whose browser is more secure. Both are pointing fingers at the other, claiming that their benchmarks really tell the tale.

I'm not saying any of these folks are actually lying, but they're using benchmarks and other statistics to prove a point they want to make and make themselves look as good as possible. My advice is to ignore the argument; the only people who really care about it are the people who work for one side or the other, and tech writers who love nothing more than conflict. As it happens, all three of the major browsers - Microsoft's Internet Explorer, Mozilla's Firefox and Google's Chrome - are more than secure enough for most consumers and businesses.

That's not to say you can forget about security on the Web. The browser is part of your defense, but a bigger part is your brain. That's right, the smart user who pays attention to what he or she sees on the screen is always safer, particularly against a very nasty tactic called "phishing."

By now you've probably heard of phishing. It's an email, or Tweet or Facebook message that appears to come from someone you know or an institution you do business with, like your bank or credit card company. It will contain a link that might do something as harmless, though annoying, as taking you to a site to look at advertising you don't want to see, or in the worst case, download malware onto your computer.

Browsers and your basic security software will detect many phishing attacks, but not all. So, I'll repeat what you should already know. If a message looks odd, look carefully at the address. If you see something from say Chase, that comes from chase@online.com (that came to me the other day), delete it. In fact, never click on a link in an email unless you know for sure who sent it.

Having said that, there are times when all of us let down our guard and get caught. Here are some of the most common problems that phishing can cause, and some solutions, courtesy of an industry coalition called the Anti Phishing Working Group.

Hijacked eBay account: If you think you're eBay account has been hijacked and you can still log in to the site, you should change your password and make sure that any active bids and listings were put there by you or a family member. If you can't log in, try this link. If it doesn't work, here's a number you can call to report fraud. (It's not for routine help requests.) 866-961-9253

Identity theft: OK, someone has gotten their grubby hands on key parts of your identity; social security number, date of birth and so on. You may have given it away by mistakenly filling out a form on a poisoned Web site, or a hacker may have placed a key logger, software that records all of your key strokes, on your PC.

Obviously, you need to notify your bank and credit card companies immediately. If you do so, charges run up by the thieves are not your responsibility. But you also need to notify the major credit reporting agencies. Here's how you contact them: Equifax - www.equifax.com; Experian - www.experian.com; Trans Union - www.transunion.com.

The Privacy Rights Clearinghouse has a good deal of additional information on how to cope with identity theft. Among other tips, that group suggests that you do not call Experian, because: "You will be subject to a marketing pitch for their 'free' credit management tools. If you fail to cancel the service within 30 days, your credit card will automatically be charged for the service."

Remember, the Fair Credit Reporting Act entitles you to free credit reports once a year from each agency as well as free reports when you wish to place a fraud alert in your file.

Computer has a virus or a Trojan that has captured personal information: First update your anti-virus program with the latest definitions, and then run a full scan. If you use a password to access your computer, change it, then check your other accounts and be sure there hasn't been unauthorized activity. And for the next few months, be sure to go over your billing statements carefully to be sure all of the charges are really yours.

The absolute worst case: Reformat your hard drive, which will get rid of the malware once and for all, but will also wipe out your data and applications, so you'd better have an up-to-date backup on hand.

San Francisco journalist Bill Snyder writes frequently about business and technology. He welcomes your comments and suggestions. Reach him at bill.snyder@sbcglobal.net. Follow Bill Snyder on Twitter @BSnyderSF. Follow everything from CIO.com on Twitter @CIOonline

Read more about security in CIO's Security Drilldown.