Thursday, August 18, 2011

Phishing for Jews - and what we can do about it

The other day I received one of those phishing emails, a message presenting itself as coming from a rabbinic colleague of mine, claiming that he had been mugged in Scotland and he needed $1850 to get home.

The hacking job was sophisticated – when I emailed him to let him know his account had been hacked, I received an auto-reply indicating that he was in Glasgow. But the kicker was this sentence in the phishing email: "I would appreciate whatever you can help with , promise to refund you right as soon as I'm back home in a couple of days Be'H."

Yes, the hacker included the classic acronym for "b'ezras HaShem", "with Gd's help", the sort of thing which a rabbi would write, and an observant Jew would recognize. Had the email been in his writing style and had the phish not been so routine, I might actually have believed this was real.

This makes me wonder who is doing the hacking and whether rabbis are being targeted. Is the idea that rabbis are connected to lots of people, and that congregants would all want to reach out and help their rabbis? Or is it an anti-Jewish thing?

And how did the hacker come to recognize this bit of Hebrew lingo as significant - is it just the Jewish equivalent of a Christian, Muslim, etc similar phrasing, and easily recognizable as such? Or is this hacker Jewish?
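The one thing the in-group phrasing did not change is the shape of the message itself: distress abroad, a specific sum, a need to get home fast, and a promise to repay. Here is a small added example, not part of the original post, that scores an email body on exactly those four features and deliberately ignores "Be'H"-style familiarity, since the post shows that familiarity is something the attacker can copy. The two message bodies are constructed for the example (one built around the sentence quoted above, one a benign synagogue notice); the phrase lists and the "three of four categories" threshold are my own assumptions, not a published rule.

```python
import re

# Constructed sample bodies for this example (not real captured messages).
SCAM_BODY = (
    "I was mugged last night in Glasgow and lost my wallet and phone. "
    "I need $1850 to settle the hotel bill and get home. "
    "I would appreciate whatever you can help with , promise to refund you "
    "right as soon as I'm back home in a couple of days Be'H."
)
BENIGN_BODY = (
    "Shabbat shalom! Reminder that the shiur moves to 8:00 pm this week. "
    "Be'H see you all there."
)

# Phrase lists for the "stranded traveller" pattern. Assumed for this example;
# tune them to your own mail. Note that nothing here looks at religious or
# community phrasing: the post shows the attacker can imitate that.
INDICATORS = {
    "distress_abroad": [
        r"\bmugged\b", r"\brobbed\b", r"\bstranded\b",
        r"\blost my (wallet|passport|phone)\b",
    ],
    "money_request": [
        r"\$\s?\d[\d,]*", r"\bwire\b", r"\bwestern union\b",
        r"\bmoneygram\b", r"\bloan\b",
    ],
    "urgency": [
        r"\bget home\b", r"\bflight\b", r"\bhotel bill\b",
        r"\bas soon as possible\b", r"\burgent",
    ],
    "repayment_promise": [
        r"\brefund\b", r"\bpay (you )?back\b", r"\breimburse\b",
    ],
}


def score_stranded_traveller(body: str) -> dict:
    """Return which indicator categories fire and whether the body looks like
    a stranded-traveller money request (three or more categories hit)."""
    text = body.lower()
    hits = {
        category: [pattern for pattern in patterns if re.search(pattern, text)]
        for category, patterns in INDICATORS.items()
    }
    categories_hit = sum(1 for matched in hits.values() if matched)
    return {
        "categories_hit": categories_hit,
        "hits": hits,
        "suspicious": categories_hit >= 3,
    }


if __name__ == "__main__":
    for label, body in (("scam", SCAM_BODY), ("benign", BENIGN_BODY)):
        result = score_stranded_traveller(body)
        print(label, result["categories_hit"], result["suspicious"])
```

Run it and the quoted message trips all four categories while the benign notice trips none. A filter like this is a nudge, not a verdict: the real check is still the one the post arrives at, a phone call or a second channel before any money moves.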

This also puts me in mind of ways to avoid becoming a hacking victim. We all know the standard ways to avoid it – don't use public computers, for example – but here are some thoughts on additional safeguards. I'd appreciate comment on these ideas, or any additional ideas:

• Change your password after using your email on a public network, like a hotel or airport. A password captured on such a network may not be used until months later, so changing it promptly renders the stolen credential useless.

• Create a backup email account, and set up email forwarding (Gmail does it for free) so that all email sent to your main account will also be forwarded to your backup account. This will allow you to continue to receive email sent to you even if your account is hacked. Bear in mind that someone who controls your account can delete that forwarding rule, and can add one of their own pointing at an address they control, so review the forwarding and filter settings whenever you check the account.

• Keep the address of a separate email account, one you check regularly, among your contacts. A scammer who mails "everyone in the address book" will then also mail you, so you will see the spam/phishing sent from your account as soon as your contacts do.

• Email providers often have you set up a backup email address, to which password-reset information will be sent if you are locked out of your account. Check that address regularly, and check that it is still the one you set; someone who hacks into your account may change that backup address to one of their own.

• If you use Gmail, you can see a record of recent logins to your account: at the bottom right of the inbox, under "Last account activity", the "Details" link lists recent sessions with their time, access type and IP address. Check it regularly, and sign out other sessions if you see one you don't recognize.

• Notify people when you will be traveling, so that they won't be fooled by phishing, and agree in advance that any emergency request for money will be confirmed by phone before anyone sends anything.

Do these make sense? What else?
