« Another Fake IRS Email Message | Main | Spamming for Electronic Cigarettes »

October 18, 2010

The other day the U.S. Postal Service sent (via snail mail, obviously) a pamphlet educating recipients on how to avoid becoming fraud victims, including Internet fraud. One of the "Play It Safe" recommendations is:

Never click on a link inside an e-mail to visit a Web site. Type the address into your browser instead.

The first sentence is spot-on. The second, however, needs to fill in some important gaps.

It's a well-known fact that people make mistakes — especially typing mistakes. Crooks know this, too, and do their best to profit from that human flaw. If you're in a hurry to visit one of your normally trusted financial sites, you can easily hit a neighboring key along the way. In earlier days, crooks would gobble up domains whose characters were adjacent to those that spell "paypal" and domains for major banks. I suspect this type of activity still goes on whenever a new "hot" domain name gets publicity. Any real site that has login credentials is worth mimicking with a lookalike site to capture a valid username/password pair (that is likely used on other sites of more value).

Even though I'm normally a good typist, I don't trust myself when it comes to visiting sites associated with anything of value to me (like passwords of any type). Sometimes you have to do the typing, as in the first time you visit your bank's web site. But when you do so for that first time, do it slowly and carefully; check the URL that you typed before hitting the Enter/Return key. Once you feel comfortable that you are at the genuine site (and before you log in), create a bookmark/favorite for that page. Thereafter, use only that bookmark to reach the site.

As I was thinking about all of this, it occurred to me that some anti-fraud promoters might suggest copying a link in an unsolicited or suspicious email message and pasting it into the browser's Address field. Yet another round of phony IRS EFTPS spam started arriving today, showing a visible link that looks convincingly real:

Subject lines I've seen:
Subject: We Decline Your Federal Tax Payment ID: 0103767647.
Subject: Your EFTPS Tax Payment has been reejcted. Report ID: 010376138
Subject: Your Tax Payment ID 0103725687 is failed. Udpate Information.

And the message:

Today's series of messages have numerous intentional spelling errors (which vary from message to message), perhaps intended to push recipients' curiosity buttons ("How could the IRS be so sloppy?"). The visible link looks official enough, so I wondered if recipients would try to copy and paste the URL. Copying a live URL can take a bit of rodental dexterity. Unlike inline text, you can't easily click on the text to select it without activating the link. I then wondered if users would try to right-click (or whatever alternate click method they use, including on the Mac) to see if a context-sensitive menu could help.

If you right-click on a link, one of the menu choices is something like "Copy Link." What do typical users think that menu choice does? I'd wager they believe it copies the visible link into the Clipboard. In truth, however, the command copies the hidden URL coded into the HTML element — which could be anything. If you then paste that copied link into your browser, it's as good as directly clicking the link in the email message. D'oh!