Important things to remember, in light of the Sony disaster

Image: fishing rod, by sandrodacomo

Anatomy of a phish
[Via O’Reilly Radar]

The inevitable consequence of Sony’s massive security screwup is that I’m drowning in phish: fraudulent emails purporting to be some vendor or other, saying that my account has been deactivated and asking me to “confirm” credit card numbers and other personal data. The personal information of nearly 100 million Sony users was accessed (75 million announced last week, another 23 million this week). Given all the fraudulent credit card activity that must be generating, it’s a great time to go out collecting even more credit card numbers by sending fake email telling people their accounts have been suspended for suspicious activity.

So it’s time for a really brief review of online safety, at least with respect to phishy email:

  • Never trust any email communication asking for your credit card number. If a vendor does business with you, they know your credit card number already. If they need to “confirm” it, they can find some other way to contact you.


Everyone needs to keep all of these points in mind, all the time.
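As an added example (mine, not code from this post or from the O’Reilly Radar piece), here is a small Python triage scorer for the lure described above: mail that claims to come from a vendor, says the account is suspended, and asks you to “confirm” card or account details. It goes slightly beyond the text by also checking that the brand in the display name and any links agree with the sending domain; the rules, weights, sample messages and domain names are all constructed for this example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Heuristics for the lure described above. Constructed for this example;
# a production filter would use far richer features and training data.
RULES = [  # (pattern, weight, reason)
    (re.compile(r"\b(confirm|verify|update|re-?enter)\b[^.]{0,60}\b(credit card|"
                r"card number|account (details|information)|password)\b", re.I),
     3, "asks to confirm card/account data"),
    (re.compile(r"\b(suspended|deactivated|locked|suspicious activity)\b", re.I),
     1, "suspended-account pretext"),
]
LINK_HOST = re.compile(r"https?://([\w.-]+)", re.I)

def _plain_text(msg) -> str:
    # Concatenate the text/plain parts (single-part messages count as one part).
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = [p.get_payload(decode=True) or b""
              for p in parts if p.get_content_type() == "text/plain"]
    return b"\n".join(chunks).decode("utf-8", errors="replace")

def phish_score(raw_message: str) -> dict:
    """Score a raw RFC 5322 message; higher is more suspicious. Reasons explain why."""
    msg = message_from_string(raw_message)
    display_name, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1].lower()
    text = _plain_text(msg)
    score, reasons = 0, []
    for pattern, weight, reason in RULES:
        if pattern.search(text):
            score, reasons = score + weight, reasons + [reason]
    # Crude brand check (hypothetical heuristic): the first word of the display
    # name should appear in the sending domain, e.g. "Sony <...@sony.com>".
    brand = display_name.split()[0].lower() if display_name else ""
    if brand and brand not in sender_domain:
        score += 2; reasons.append(f"'{display_name}' sent from {sender_domain}")
    for host in LINK_HOST.findall(text):
        if not host.lower().endswith(sender_domain):
            score += 2; reasons.append(f"link to {host} outside {sender_domain}")
            break
    return {"score": score, "reasons": reasons}

# Constructed sample messages (not real mail).
PHISH_SAMPLE = """From: PlayStation Network <support@psn-account-check.example>

Your account has been suspended for suspicious activity. Please confirm
your credit card number at http://psn-account-check.example/confirm
"""
LEGIT_SAMPLE = """From: Example Store <orders@example.com>

Your order has shipped. Track it at http://example.com/track/1234
"""
```

The phishing sample scores 6 (card request, suspension pretext, brand/domain mismatch) and the shipping notice scores 0; the scores are a triage aid, not a verdict.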

As more and more of our identity ends up online, it will become easier for these phishers to mimic real emails. As noted:

In a phone conversation about a year ago, security researcher Jeff Jonas told me that the future of phishing was very scary: phishing mails would come with enough personal information (knowledge of products you’ve bought, people you know) that it would be almost impossible for a victim to detect fraud. The extent of the Sony data breach is so massive that we may be about to fall off that cliff. I don’t know if we’re headed there yet, but it’s clear: Sony has handed Internet criminals a tremendous gift. They’re going to use it. There’s going to be a lot of identity theft and other forms of fraud, and there will be phishers seeking to take further advantage of that situation.

Simply scraping Facebook can provide enough personal information to make a phishing email seem legitimate.