While stores will be packed this weekend with holiday shoppers looking for Black Friday bargains, another group of shoppers will be sitting at home – safely and comfortably looking for Christmas bargains.
But home-shopping isn’t risk-free.
High-tech “phishers” are also trolling the Internet, looking for account data and personal information of unsuspecting computer users all across the country.
“The idea behind phishing is that an attacker will try to get you to enter your information into a decoy website that looks exactly like the legitimate one you are used to using,” Wesley McGrew, a scientist at Mississippi State University’s Center for Cyber Security Research, said in an MSU release. “The decoy site will allow them to collect your username and password, and once they have that, they can access any personal or financial information you’ve stored on that account.
“If you receive an e-mail directing you to log in to a site, that should be your first warning that you might be going to a phishing site,” McGrew said. “It’s important to be aware of how you arrive at a website and it’s always best to be suspicious if anything seems wrong or if your Web browser issues a warning.”
Another security issue can be passwords.
McGrew said people should regularly change their account passwords and, most importantly, use strong passwords that include letters, numbers and symbols. An account doesn’t need to be phished if the password can be easily guessed, like the ones on Mashable.com’s list of the year’s worst passwords, as released by SplashData.com.
The top 10 on this year’s list (with each entry’s change from last year in parentheses):
1. password (unchanged)
2. 123456 (unchanged)
3. 12345678 (unchanged)
4. abc123 (up 1)
5. qwerty (down 1)
6. monkey (unchanged)
7. letmein (up 1)
8. dragon (up 2)
9. 111111 (up 3)
10. baseball (up 1)
11. iloveyou (up 2)
12. trustno1 (down 3)
13. 1234567 (down 6)
14. sunshine (up 1)
15. master (down 1)
16. 123123 (up 4)
17. welcome (new)
18. shadow (up 1)
19. ashley (down 3)
20. football (up 5)
21. jesus (new)
22. michael (up 2)
23. ninja (new)
24. mustang (new)
25. password1 (new)
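A password can contain letters, numbers and symbols and still be a light variation of an entry on this list. The following Python sketch is an added example, not part of the original article or the MSU release: it screens a proposed password against the 25 entries above after undoing common disguises. The substitution map, function names and sample passwords are assumptions made for illustration.

```python
import string

# The 25 entries from the list above.
WORST_PASSWORDS = frozenset(
    "password 123456 12345678 abc123 qwerty monkey letmein dragon 111111 "
    "baseball iloveyou trustno1 1234567 sunshine master 123123 welcome "
    "shadow ashley football jesus michael ninja mustang password1".split()
)

# Assumed substitution map (illustrative, not exhaustive):
# @->a 4->a $->s 5->s 0->o 1->i 3->e !->i 7->t
UNLEET = str.maketrans("@4$5013!7", "aassoieit")
PADDING = string.digits + string.punctuation


def candidate_forms(password):
    """Return simplified forms of a password, most literal first."""
    base = password.casefold()
    stripped = base.rstrip(PADDING)  # drop trailing digits/symbols ("monkey!!")
    forms = [base, stripped, base.translate(UNLEET), stripped.translate(UNLEET)]
    return [f for f in dict.fromkeys(forms) if f]  # de-duplicate, keep order


def matched_entry(password):
    """Return the list entry this password reduces to, or None."""
    for form in candidate_forms(password):
        if form in WORST_PASSWORDS:
            return form
    return None


def has_letters_numbers_symbols(password):
    """Check the composition rule: at least one letter, digit and symbol."""
    return (any(c.isalpha() for c in password)
            and any(c.isdigit() for c in password)
            and any(c in string.punctuation for c in password))


if __name__ == "__main__":
    # Constructed sample passwords, not taken from any real account.
    for pw in ["P@ssw0rd!", "Dr4g0n2012", "letmein99", "vK7#qTz9!mRw"]:
        print(f"{pw!r}: composition ok={has_letters_numbers_symbols(pw)}, "
              f"reduces to list entry={matched_entry(pw)!r}")
```

A site or password manager would reject any password for which `matched_entry` returns a value, regardless of whether it passes the composition check.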
McGrew has several tips to help people recognize and avoid phishing attacks:
>> Never reply to an e-mail that directly asks for username and password information.
>> Don’t follow links from an e-mail to log in to a website. Type in the Web address and use the site directly.
>> Before entering login information on a website, be sure that the Web address begins with “https” or that there is a lock icon in the address bar, which means information entered on the site will be encrypted during transmission.
If information was entered into the false website, McGrew said users should:
>> Immediately change the password.
>> Monitor the account for unauthorized activity.
>> Change the password for any accounts that might be linked to the one that was compromised.