A long time ago, my father told me his definition of an “expert.”
"An 'x' is an unknown factor,” he said. “And a 'spurt' is a drip. Most people who call themselves 'experts' are 'unknown drips.' "
Now, I’ve been writing this column on personal technology for a long time. I consider myself a bit of an expert on tech topics, particularly on things like computer security and making sure you don’t get swindled by Nigerian e-mail scams or phony bank claims. I’ve issued warnings many times in the past about the need to be on your toes.
Then a week ago Saturday, I had a very clear sense of my father’s words about experts. I suddenly felt like a drip.
I got phished. Totally and completely. And even worse, the information I gave up wasn’t mine – it was my wife’s.
Phishing is when criminals send out phony e-mails telling you that there are problems with your bank statement or your credit card account. They are very clever, these phisher folk. Often the e-mail looks exactly like one that you would expect from your financial institutions. There are ways to detect these scams, none of which I put into practice until it was too late. So allow me to go over my blunder step-by-step in the hope that you won’t fall victim to a similar scam.
First, I wasn’t paying attention. It was early Saturday morning. The kids were buzzing around, the dog hadn’t been fed, and the house needed a good tidy. But I stopped for just a moment to check my e-mail. There was a message from one of our credit card companies about a problem with my wife’s credit card. Not thinking, I opened it.
Warning bell No. 1: Why would I get an e-mail about a problem with my wife’s credit card? If there was a problem, it would have gone to her account, not mine.
So, I opened it. It said there was a message waiting for my wife on her account. To be honest, at this point, news headlines jumped to mind. “Aha,” I thought. “This has to do with the credit card companies upping their rates because of the new credit card rules that will take affect soon. I heard about this.”
So I clicked on the link in the message. It took me to a page that had trouble written all over it. But I was still not paying attention.
The page said that in order to get my wife’s message, I had to give some information: the last four digits of her social security, password, her mother’s maiden name, her mother’s date of birth, and other important credit info.
Warning bell No. 2: This actually is not a bell. It’s more like the sonic boom that happens when you break the sound barrier. No credit card company or bank will EVER, EVER, EVER ask you for this information.
That should have been a gigantic tip-off. But I was still asleep at the wheel. I entered the info and pushed the button and … it took me to the regular credit card sign-in page. And that’s when I got slapped in the head. “Wait a minute,” I thought. “Where’s the message?” It hit me all at once. I quickly went back to the original e-mail and clicked on the link again and I looked at the Web address.
It was a phony. One of the best ways to tell if you are being scammed is to look at the Web address. A real bank or credit card company's address is pretty straight forward: like www.citibank.com, for instance. But a phony Web address will be something like www.hel.ge.citibank.ge. There are ALWAYS extra letters or numbers. If you’re not sure, just call and ask if it’s real.
I immediately called my wife’s credit card company and told them we had been phished. They canceled her card on the spot and we changed the password to get into the account. I also signed up with one of the identity theft protection companies, which immediately sent out a warning to all concerned credit card companies to keep an eye out for strange activity. My stupidity cost me $20 a month for me and my wife to protect ourselves. It’s not a big cost, but it’s a bit like closing the barn door after the horse is already out.
So be vigilant. These folks are extremely tricky. They count on people being distracted to do something dumb like I did.
You don’t have to be an "unknown drip" to get caught on the end of a phishing hook.