Don't be monstered -- protection from spear-phishing

In last week's story about ransomware victims, Michael Pollitt said: "But even though he had used antivirus and firewall programs, bank account and credit card information had been silently stolen from his web browser sessions." How can we protect ourselves from this attack? Andrew Shelton

This was an example of "spear phishing" where a deceptive email is targeted at a relatively small number of people. The victims were all users of one job site, Monster. They were sent an email telling them to install a new "Monster Job Seeker Tool" (a browser toolbar). If they did, they deliberately breached all their own defences. The victims therefore made at least two mistakes: they believed the phishing email came from Monster, and they believed they were downloading a toolbar from Monster.

The first problem is hard to avoid, but could be minimised by requiring all email to be digitally signed and, ideally, encrypted by the sender. Barring that, just assume all emails are trying to con you. You won't often be wrong. The second problem is easy to avoid: don't click links in emails. Links in phishing emails don't take you where you think (eg, Monster). You can minimise the risk by inspecting a link (eg, paste it into a text editor such as Notepad) to see where it really leads, but obfuscated links can be hard to read. In this case, one user said Norton warned him the download site was not recognised, and he checked with Monster. Recent browsers like Internet Explorer 7, Firefox 2.0, and Opera 9.1 also have anti-phishing features.