From phishing to vishing to baiting, there’s a world of crooks wanting to steal your identity
BY DAVE GATHMAN dgathman@stmedianetwork.com September 15, 2011 5:00PM
Phishing for tips to thwart scammers? Read on. (AP Illustration/Peter Hamlin)
Updated: November 10, 2011 10:36AM
ELGIN — The little old lady behind you in the grocery checkout line. The new employee in your big company who needs some advice about his computer. Whoever dropped that flash drive in the parking lot.
To say nothing of the bank that just sent you an email warning about a security breach on your account, or the high Nigerian government official who wants to split $10 million with you.
Going through life assuming all these people are out to steal everything you own may lead to a paranoid existence. But in a world of “social engineering” crooks trying to steal your identity, looking at almost everything with “a healthy level of paranoia” is the sanest way to live, Elgin Community College’s information security officer told an audience at ECC this week.
“Social engineering is one of my biggest fears, because I can’t put anything on a network that will protect my organization from it,” said Jason Marchant, who was speaking in the first of four free programs offered by ECC about identity theft and computer fraud. “The best antivirus software won’t protect you from a phishing phone call or from that person in line behind you who’s reading the numbers on your credit card.”
Marchant said it’s estimated that identity thieves steal $37 million to $56 billion a year in the U.S. — more than is taken in by the illegal drug business. About 68 percent of that is done by some kind of social engineering, with only 11 percent by online viruses and hacking.
The most basic such technique is “pretexting,” he said, in which the crook pretends to be somebody he isn’t. Often these either “exploit the human desire to help” or the crook “will present themselves as a subject matter expert and you are not. They might even present credentials to you. But their whole goal is to get your secret information.”
“Someone who says they’re a technical support person in your company might call and say that ‘we’re doing some maintenance on the system tonight and to make sure you don’t lose any data, we’ll need your password.’ That sounds blatant. But a social engineer is skilled at beating around the bush and he might engage you in lengthy technical conversation that makes the final request for your password seem like just an afterthought.
“They might come posing as a new employee looking for you to help them, or as a salesperson or a policeman or a new neighbor.”
Looking for a bite
“Phishing” emails, sent out by the millions by people announcing that you have won the lottery or that someone in Africa needs your help to smuggle a fortune out of their country, have become notorious. But often phishing emails will seem to come from your own bank, asking you to click on a Web browser link that doesn’t really take you back to that bank’s website at all.
New variations, Marchant said, are “spear phishing,” in which the emailing crook knows your name and something about you, perhaps by reading your blog or studying your Facebook profile or your company’s website. In an approach named “whaling,” the crook even targets a company’s owner or another wealthy senior executive, using large amounts of public information about him to seem legitimate.
“Vishing” is phishing done by phone call, often with a false caller ID displayed so it looks like you’re getting a call from your bank, for example.
“Trojan horses” are programs we download — a video game, perhaps, or a video — that really work as we wanted but also secretly have extra functions built into them that now take up residence on a computer. One of the deadliest, Marchant said, is a “keystroke logger” that secretly records every letter we type and sends that information back to the crook. That’s especially vicious because even changing one’s password on an account won’t help — the crook will learn instantly that you changed it.
Another particularly alarming threat, he said, is skimmers on ATMs and card-swiping machines that can pick up your personal identification number and password. When credit card and debit card info was stolen from customers of the Michael’s stores this year, Marchant said, that skimmer was even hidden in the interior of a card-swiping machine and was the size of a microchip.
ID theft crooks know their psychology, Marchant said. They read research that concludes people respond better to the danger of something bad than to the promise of something good. So rather than announcing that you’ve just won some European lottery you never entered, they now warn that a security breach has been discovered in your Visa account, so they need your sign-in ID and password right away.
One new technique is called “baiting.” A crook will casually drop a thumb drive or a music album in a parking lot or a restroom, as if it had been lost accidentally. It may be labeled with some intriguing title like “H.R. Records” or “Salary Information.” But when the finder opens it, it installs a Trojan horse program on the finder’s computer.
Preventing rip-offs
So what can we do to prevent our identities being ripped off?
Marchant recommends:
Be suspicious of any unsolicited e-mail or phone call, even if it seems to come from some company you do business with or some fellow employee.
Constantly monitor your bank accounts for unexplained charges. A crook with access to your account often will charge relatively insignificant amounts, like $9.76, that he figures will just blend in with your daily spending and never be noticed.
Rather than click on a website link sent to you in an email, type in the name of that website into your browser yourself. The emailed link might really take you to an entirely different site that just looks like the site of your bank, for example.
Be alert for website addresses that are very close to the real thing but slightly different — such as ending in .net when your bank’s real website ends in .com, or being misspelled, as in www.besbtuy.com.
Make up passwords with at least nine characters — for technical reasons, he said, those are much harder to guess than eight-character ones, especially if they include a mixture of words, letters and symbols.
Don’t sign onto a website that requires a password if you’re using a public wireless network in, say, a restaurant or airport.
If you believe you’ve been compromised, tell your company’s IT people right away and change your password.
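Two of the tips above (don’t trust the link text in an email, and watch for addresses that differ from the real one only by their ending or by a misspelling) can be turned into an automatic check. The Python script below is an added example, not code from the article or from ECC: it parses the anchor tags out of a constructed sample email, flags any link whose visible text names one domain while its href goes to another, and compares every destination host against an assumed list of trusted domains for a swapped top-level domain (.net for .com) or a spelling one or two characters off, such as the www.besbtuy.com example in the text. The sample email, the examplebank domains and the trusted list are all constructed for the demonstration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: an HTML email body with three links. The examplebank
# hosts are hypothetical stand-ins for a reader's bank, not real sites.
SAMPLE_EMAIL_HTML = """
<p>Dear customer, we detected a security breach on your account.</p>
<p>Please visit <a href="http://www.examplebank.net/login">www.examplebank.com</a> to verify.</p>
<p>Or see <a href="https://www.besbtuy.com/deals">Best Buy deals</a>.</p>
<p>Statements: <a href="https://www.examplebank.com/statements">www.examplebank.com/statements</a></p>
"""

# Assumed list of sites the reader actually does business with.
TRUSTED_DOMAINS = ["www.examplebank.com", "www.bestbuy.com"]


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags in an email body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def hostname_of(value):
    """Return the lowercased host of a URL or of a bare 'www.x.com/path' string."""
    if "://" not in value:
        value = "http://" + value
    return (urlparse(value).hostname or "").lower()


def edit_distance(a, b):
    """Levenshtein distance, used to catch one- or two-character misspellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(host, trusted=TRUSTED_DOMAINS):
    """Return the trusted domain that `host` imitates, or None if it is either
    trusted itself or not close to any trusted name. A host is flagged when it
    matches a trusted domain except for its ending (.net vs .com) or when it
    differs from one by at most two characters (a misspelling)."""
    if host in trusted:
        return None
    base = host.rsplit(".", 1)[0]
    for good in trusted:
        if base == good.rsplit(".", 1)[0]:
            return good  # same name, different top-level domain
        if edit_distance(host, good) <= 2:
            return good  # swapped or transposed letters
    return None


def check_email_links(html):
    """Return (href, reason) findings for links a reader should type by hand instead of clicking."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = hostname_of(href)
        # Only treat the link text as a claimed destination if it looks like a hostname.
        text_host = hostname_of(text) if re.match(r"^(https?://)?[\w.-]+\.\w+", text) else None
        if text_host and text_host != host:
            findings.append((href, f"link text shows {text_host} but goes to {host}"))
            continue
        imitated = lookalike_of(host)
        if imitated:
            findings.append((href, f"{host} looks like {imitated}"))
    return findings


if __name__ == "__main__":
    for href, reason in check_email_links(SAMPLE_EMAIL_HTML):
        print(f"SUSPICIOUS {href}: {reason}")
```

Run against the sample, the script reports the first link (text says .com, href goes to .net) and the second (besbtuy is two letters away from bestbuy) and leaves the third alone. The edit-distance threshold of two is deliberately tight: a looser one would start matching unrelated short names, and a real mail filter would also want to compare against the registered domain rather than the full host.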
Marchant will lead a similar program about social-engineering scams, but this time aimed at business people, at 5 p.m. on Oct. 20. He also will talk about “How to Protect Your Home Wireless Network” at 7 p.m. on Nov. 14 and “Protecting Your Business Network and PCI Compliance” at 5 p.m. on Dec. 8. All three programs will be in the Seigle Auditorium of ECC’s Fox Valley University and Business Center, at 1700 Spartan Drive, Elgin.