Just say NO to spam and phishing

There is no technical solution to spam and phishing

Filters and other blocking mechanisms can make it harder for spammers and phishers to reach their targets, but they cannot prevent it (and the closer we get to preventing them from reaching their targets, the more legitimate email we block along the way). With the emergence of botnets made up of hundreds of thousands of infected home and office machines, they'll always be able to distribute and randomize their activities, rendering useless any sort of filtering based on the originating source.

Fake email is a social engineering problem

The only way to stop spam and phishing is for people to stop falling for it. As long as there is profit to be found in sending out phony emails, people will send out phony emails. Only when there is no longer anything to be gained by doing it, will it stop.

Normal advertising is self-throttling: one needs a certain percentage of responses to justify the cost of having sent it out. In the case of spam, the cost to send is so low that the response rate required to still count it a success is tiny. So unless nearly everybody stops responding, spam will continue. Phishing will probably always be around, because if even one person hands over their personal information, it's probably worth whatever work was required. One does wish these ingenious folks would just get a real job.

Just say no

The sad thing is, there's just no need for people to fall for it. Spam and phishing messages are just not that hard to spot! People fall for them when they succumb to one of a few human frailties, the most common of which are greed or laziness. If everyone would be just a little skeptical of any email they receive that is not obviously from a friend or colleague, and ask themselves a few questions, they would NEVER fall for any spam or phishing message!

  1. Don't buy from spammers.

    Never buy something advertised in email from unknown companies or people with whom you don't already have a relationship. Of course, email from places where you really have placed orders in the past is legitimate. Those places also give you a way to unsubscribe from their mailings.

  2. Don't click that link!

    But don't use the unsubscribe link when you don't know who the sender is or why you got the email. You'll only confirm to a spammer that you did, indeed, get the message. Your address will most likely then be sold to other spammers.

  3. Don't click that link, either!

    In fact, you should never click on any link in any email. If you do business with the alleged sender, go to their web site manually (through your own bookmark or by typing in the name of the site). Any function you think you'll accomplish by clicking the link in the email will be available on the web site if it's legitimate. If you must use an email link, make very sure it goes to the web site you expect: check the address the link actually points to, not the text it displays. Criminal spammers redirect you to web sites of their own making to fool you into handing over personal information. Pay attention to domain names: ebay-security.com is NOT an eBay web site! wachovia-bank.org is NOT Wachovia Bank. To verify the ownership of a domain name, look it up in the WHOIS registry. Never (ever, ever, ever) click on a numeric IP address link, since you have no way of knowing where it goes and it's a good bet it won't be any place good. A numeric IP address is used when there is no registered name for the web site. No legitimate business will set up a web site this way.

  4. Never (ever, ever) open attachments from unknown sources.

    This includes attachments that claim to be such things as patches from Microsoft or an invoice for an order. Nobody (and ESPECIALLY not Microsoft!) sends patches to individual users by email. (The new ploy is to try to get you to reconfigure Outlook with an attached "setup file." All the attached file will do is infect your PC with a virus.) Normal invoices come as text or maybe HTML, but almost never as Word documents and never as zip files. If you think one might be legit, ask the sender to verify it, ideally through a phone number or address you already have for them; if you reply to the email instead, remember that a reply tells a spammer your address is live (just like the unsubscribe link above), and if it's a scam the reply will bounce or go unanswered anyway. DON'T OPEN IT. Word documents, PowerPoint and Excel files, and images and videos may not be safe if you don't know the sender (in fact, they probably are NOT safe if you don't know the sender; ask yourself what stranger would send you such things). Viewers for all of these file types have had bugs that allow malicious code execution. Many have been fixed if you have the latest patches, but no one can guarantee that future exploits will not occur.

  5. Don't take candy or investment advice from strangers.

    Don't invest based on information you get in email, especially when you don't know the source. Why is ANYONE surprised when they lose money doing this? This is the on-line equivalent of a guy on the street saying "Psst. Hey, buddy, got a stock tip for ya'." If this is how you invest, then you should close your brokerage account today!

  6. You didn't win.

    If you didn't enter a lottery then you didn't win one. Even if you did win something, you never have to pay any up-front fee to claim your winnings. These are very old scams that are now being perpetrated on the Internet.

  7. No one needs your help to move money into the country.

    They won't be sharing a fraction of their huge sum of money with you, because there is no money. They only need you to be greedy enough to send them your bank account number so they can suck all the money out of your account.

  8. Don't refinance your home with that stranger.

    Legitimate mortgage companies do not send out spam. Any message that says you can get a great rate, just go here and fill out or confirm your information, is phishing for personal information. If you give it to them, you won't get a home loan; you'll get your bank account drained or your identity stolen. Even if you really did recently apply for a loan on-line, a message thanking you for your loan request would come FROM THAT ORGANIZATION. Don't answer anything not from them.

  9. Don't take that job.

    No legitimate business makes random job offers to strangers via email. No company you've ever heard of sends out job offers or communicates with candidates via a hotmail or gmail or yahoo (or any other) "free" email account. If you've never heard of them, it's a scam. If you've heard of them but the email isn't from the company's domain or they want you to email "some other address," it's a scam.

    No legitimate business needs its representatives to collect and wire money to it or to ship anything anywhere. That job "accepting payments" for others is a criminal money laundering scheme, most likely for merchandise purchased with stolen credit cards. Real shippers ship overseas themselves; the only reason they want you to reship the item is to break the chain of traceability back to them. Amazon would be able to give the police an address months later; they're betting you won't. Not only will you not make the huge amount of money they claim, but when the police figure out what's going on, it's you they'll be coming after.

  10. Don't wire those funds.

    Usually related to the above, but also true in general: never wire money (e.g. Western Union, MoneyGram) to anyone you don't know personally. If you're sending money to your relatives back in the homeland, fine. Wiring money is secure in the sense that it arrives properly, but it is not secure from the standpoint of authenticating the recipient. Anyone you don't know, or with whom you don't already have an established relationship, has no business requiring that you wire money. This is especially true for forwarding funds or sending back "change" in a transaction. I mean, really, who writes a check for an overage and then expects you to send back what you don't need!? Has this EVER happened to you in real life in a non-cash transaction? Of course not.

  11. You can't get a diploma without any work or exams.

    These fly-by-night places want you to believe your life experience is worth a college degree. As reasonable as you might wish this was, it's bull. No accredited institution or organization with any credibility whatsoever does this. Even if you ultimately get a piece of paper (which is doubtful) that looks like a degree, no employer is going to recognize it. All you will have learned is how to lose your money to a scammer in the school of hard knocks. Learn it now for free instead. You wind up with the same number of degrees either way.

  12. No investment is risk-free.

    The new thing is the guaranteed investment. Of course, this should make you feel all warm and fuzzy since your capital is not at risk. Except that since no investment is risk-free, the fact that they tell you this is a dead give-away of a scammer. Therefore, not only is your money at risk, it's almost a guarantee that you will lose ANYTHING YOU SEND THEM.

  13. They didn't lose your information.

    Never give out personal information that is requested in email (or by phone, for that matter!). Any company with whom you do business doesn't need you to confirm anything. They didn't lose your data or corrupt their database. No legitimate business could stay in business long being that clueless.

  14. You did not receive an ecard from someone if they have no name.

    Wow, I never realized how popular I was! I have received ecards and on-line postcards from "class mates," "colleagues," "friends," "mates," "neighbors," "school friends," "school mates," "family members," "worshippers," and "partners." The fascinating thing is not ONE of them has a name. I recently got one from "Mother," but of course it was not my mother's email address (since she doesn't have one!). If you receive any third-party notice or invitation from anyone you're supposed to know but it doesn't tell you who the person is, then-- can we all say it together, boys and girls?-- IT'S A SCAM! In this case, the link will install a virus that will make you a member of a spam botnet. These usually have numeric IP addresses in the link, too (see above about never clicking on numeric links), another give-away.

    This scam has mutated lately, too; now they're giving away "free" games or NFL betting information, and who knows what it will be next. Let's be clear: NEVER click on ANY numeric IP address link, because you have no idea where it goes. I guarantee it won't go anyplace good.

  15. That stranger isn't interested in you.

    When a stranger emails you, especially from a foreign country, they say they found your photo or profile "on the net" and they're interested in meeting you. They didn't find your profile online (even if you have one, they'd tell you where they saw it, but they never do). The only thing they're interested in is your money. They say vague things like they plan to be in your area soon and would like to meet. Even better, nude pictures may be involved, if only you'd reply! The email address they want you to contact is often different from the one sending the message. The last one I got said it was a 25 year old woman but the name in the From: line was Alberto. Right. "Hi, I'd like you to meet my new Russian bride, Alberto."

  16. Don't re-order those (fake) pills.

    Real pharmacies don't usually e-mail you to remind you to refill a prescription. Only you know when you're running low. Spam asking you to re-order is really just asking you to order from them. Any implication that your order process is in progress is an attempt to fool (or guilt) you into using their site. Why would anybody buy medication from a stranger? There's more to it than price! Plus, price only counts if you get legitimate product, which in the case of these guys, you won't. You'll be lucky if you get sugar pills. If you're very unlucky you'll get something that will actually hurt you! It isn't a Canadian pharmacy if the domain ends in .hk; that's Hong Kong!

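The link and sender checks above (lookalike domains like ebay-security.com, numeric IP addresses in links, mail that should come FROM THAT ORGANIZATION but arrives from a free-mail account) can be written down as a small script. The following is an added example, not code from this page; it assumes a short list of brands the recipient actually deals with and their real domains, a short list of free-mail providers, and a two-label notion of "registered domain" (good enough for .com and .org, not for .co.uk); the sample message is constructed for the example.

```python
"""Triage the sender and links of a suspicious e-mail using the rules above.
Heuristics only: a clean report is not proof that a message is legitimate."""
import ipaddress
import re
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed: brands this recipient deals with, mapped to their real registered domains.
KNOWN_BRANDS = {"ebay": {"ebay.com"}, "wachovia": {"wachovia.com"}}
# Assumed: free-mail providers a real company would never send from.
FREE_MAIL_PROVIDERS = {"hotmail.com", "gmail.com", "yahoo.com"}

class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def registered_domain(host):
    """www.ebay-security.com -> ebay-security.com. Assumes two-label suffixes;
    production code needs the public suffix list to handle .co.uk and friends."""
    host = host.lower().rstrip(".")
    return host if is_ip_literal(host) else ".".join(host.split(".")[-2:])

def brand_named(text):
    """The known brand (if any) whose name appears in a host, address or link text."""
    return next((b for b in KNOWN_BRANDS if b in text.lower()), None)

def check_link(href, text):
    """Red flags for one link: numeric IP, hidden destination, wrong domain for
    the brand it names, or a displayed URL that differs from the real target."""
    findings, parts = [], urlsplit(href)
    host = (parts.hostname or "").lower()
    if is_ip_literal(host):
        findings.append("numeric IP address in link")
    if parts.username:  # http://www.ebay.com@203.0.113.5/ really goes to 203.0.113.5
        findings.append("user name before the host hides the real destination")
    brand = brand_named(host) or brand_named(text)
    if brand and registered_domain(host) not in KNOWN_BRANDS[brand]:
        findings.append(f"names {brand} but goes to {registered_domain(host)}")
    shown = re.match(r"https?://([^/\s]+)", text)
    if shown and registered_domain(shown.group(1)) != registered_domain(host):
        findings.append(f"shows {shown.group(1)} but goes to {host}")
    return findings

def check_sender(from_header):
    """Red flags for From:: a free-mail provider, or a brand name on a domain
    that is not that brand's own."""
    name, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    findings = []
    if domain in FREE_MAIL_PROVIDERS:
        findings.append(f"sent from free-mail provider {domain}")
    brand = brand_named(name) or brand_named(addr)
    if brand and registered_domain(domain) not in KNOWN_BRANDS[brand]:
        findings.append(f"claims to be {brand} but sender domain is {domain}")
    return findings

def triage(from_header, html_body):
    """Return {'sender': [flags], 'links': {href: [flags]}} for a message."""
    extractor = LinkExtractor()
    extractor.feed(html_body)
    return {"sender": check_sender(from_header),
            "links": {href: check_link(href, text) for href, text in extractor.links}}

def is_suspicious(report):
    return bool(report["sender"]) or any(report["links"].values())

# Constructed sample (not a real message): a lookalike domain, a numeric-IP link
# dressed up as eBay, and one genuine eBay link.
SAMPLE_FROM = "eBay Security <ebay-security@hotmail.com>"
SAMPLE_BODY = """<html><body>
<p>Your account has been limited. Please
<a href="http://ebay-security.com/verify">confirm your details</a>.</p>
<p>Or sign in at <a href="http://203.0.113.5/ebay/login.php">https://signin.ebay.com/</a></p>
<p><a href="https://www.ebay.com/help/">eBay help</a></p>
</body></html>"""

if __name__ == "__main__":
    report = triage(SAMPLE_FROM, SAMPLE_BODY)
    for flag in report["sender"]:
        print("sender:", flag)
    for href, flags in report["links"].items():
        for flag in flags:
            print(href, "->", flag)
    print("verdict:", "DON'T CLICK" if is_suspicious(report) else "no red flags found")
```

Run against the sample, it flags the hotmail sender, the ebay-security.com link and the numeric-IP link whose visible text says signin.ebay.com, and passes the real www.ebay.com link. It is a reading aid, not a filter: it will not catch a lookalike built from foreign-alphabet characters or a real account that has been broken into, which is exactly why the skepticism the rules above call for still has to come from the person reading the mail.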
If everyone was a little more skeptical of unknown email, they wouldn't fall for these ploys, and spammers and phishers would disappear virtually overnight. But EVERYONE has to do it: as long as even a few people respond, spammers and phishers will keep sending out their phony email.