PayPal Seeking New Security Against Phishing
by , 3:55 PM EDT, March 27th, 2007
PayPal is asking Internet e-mail providers for their cooperation in a new technology to deter phishing scams, according to InfoWorld on Tuesday.
The technology, called DomainKeys, was developed by Yahoo Inc. It lets a receiving mail server verify the sender and the integrity of the message that was sent. A bogus message that might otherwise have passed a filter test will be blocked.
Increasingly sophisticated phishing scams often appear to come from Internet banking sites, like PayPal, but really come from sites, often outside the U.S., that seek to obtain "verification" data, that is, a user's account name and password.
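As an added illustration (not part of the article), here is the message-integrity half of a DKIM check, DKIM being the standardised successor of Yahoo's DomainKeys: the signer's DKIM-Signature header carries a bh= tag holding the base64 SHA-256 of the canonicalised body, and the receiver recomputes it and compares. The sample message, the domain and selector, and the b= placeholder are constructed; the RSA signature over the headers, which is what proves the sending domain, is not checked here.

```python
import base64
import hashlib
import re

def canonicalize_body_simple(body: str) -> bytes:
    """RFC 6376 'simple' body canonicalization: CRLF line endings, all empty
    lines at the end removed, and exactly one trailing CRLF (an empty body
    becomes a lone CRLF)."""
    lines = body.replace("\r\n", "\n").split("\n")
    while lines and lines[-1] == "":
        lines.pop()
    return ("\r\n".join(lines) + "\r\n").encode("utf-8") if lines else b"\r\n"

def body_hash(body: str) -> str:
    """The value a signer puts in the bh= tag for the rsa-sha256 algorithm."""
    digest = hashlib.sha256(canonicalize_body_simple(body)).digest()
    return base64.b64encode(digest).decode("ascii")

def parse_dkim_tags(header_value: str) -> dict:
    """Split 'v=1; a=rsa-sha256; bh=...' into a tag dictionary, dropping the
    folding whitespace that long base64 values are usually wrapped with."""
    tags = {}
    for part in header_value.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            tags[key.strip()] = re.sub(r"\s+", "", value)
    return tags

def body_hash_matches(dkim_signature: str, body: str) -> bool:
    """True when the body as received hashes to the bh= value the signer computed."""
    tags = parse_dkim_tags(dkim_signature)
    return tags.get("a", "").endswith("sha256") and tags.get("bh") == body_hash(body)

# Constructed sample: the header a signer at the placeholder domain would add.
SAMPLE_BODY = "Your account statement is ready.\r\nVisit your account page to view it.\r\n"
SAMPLE_SIGNATURE = (
    "v=1; a=rsa-sha256; c=relaxed/simple; d=example.com; s=sel2007; "
    "h=from:to:subject; bh=" + body_hash(SAMPLE_BODY) + "; b=PLACEHOLDER"
)

if __name__ == "__main__":
    print(body_hash_matches(SAMPLE_SIGNATURE, SAMPLE_BODY))              # True
    print(body_hash_matches(SAMPLE_SIGNATURE, SAMPLE_BODY + "\r\n\r\n"))  # True: trailing blank lines are ignored
    print(body_hash_matches(SAMPLE_SIGNATURE, SAMPLE_BODY.replace("ready", "overdue")))  # False
```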
"So far, no agreements have been reached, but the idea is one that PayPal would like to see from other e-commerce businesses," said Joseph E. Sullivan, PayPal's associate general counsel recently. "I think one lesson we've learned is that education isn't going to stop this.... Phishing attacks are too good now. Every company that does business on the Internet is being targeted by phishing scams now."
TMO tip: In Apple Mail, hover the cursor over any suspicious link in a message. A yellow box will reveal the true URL, which will likely differ from the one shown in the e-mail if it's a scam. If the host part of that URL is a strange or foreign domain, or a dotted-quad IP address, it's very likely a scam.
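The tip above done in code, as an added example that is not from the article: parse the links in an HTML message body and flag what the tip (and the commenters below, who copy the link location and read it) say to look for: a dotted-quad IP as the host, a real host that is not under the domain the mail claims to come from, and link text that reads as one address while the href goes elsewhere. The sample body and the expected domain passed to scan_html are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit
import ipaddress

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(url: str) -> str:
    """Hostname of a URL; bare 'www.example.com' text is treated as a URL too."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    return (parts.hostname or "").lower()

def is_under(host: str, expected_domain: str) -> bool:
    return host == expected_domain or host.endswith("." + expected_domain)

def link_warnings(href: str, text: str, expected_domain: str) -> list:
    """Reasons a link looks like a phish; an empty list means none were found."""
    host, warnings = host_of(href), []
    try:
        ipaddress.ip_address(host)
        warnings.append("host is a raw IP address")
    except ValueError:
        pass
    if not is_under(host, expected_domain):
        warnings.append(f"real host {host!r} is not under {expected_domain}")
    # Link text that itself looks like an address must lead where it claims to.
    if "." in text and " " not in text and host_of(text) != host:
        warnings.append(f"link text {text!r} does not match the real host")
    return warnings

def scan_html(body: str, expected_domain: str) -> dict:
    collector = LinkCollector()
    collector.feed(body)
    return {href: link_warnings(href, text, expected_domain) for href, text in collector.links}

# Constructed sample body, not a real phishing message.
SAMPLE = ('<p>Log in at <a href="http://192.0.2.10/login/">https://www.paypal.com</a> '
          'or read the <a href="https://www.paypal.com/help">Help Center</a>.</p>')
```

Calling `scan_html(SAMPLE, "paypal.com")` yields three warnings for the first link and none for the second.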
Observer Comments
Tue Mar 27, 2007 4:59 pm Subject: X.509 certificates
The use of X.509 certificates to digitally sign emails would help as well. Most of the vendors that I've contacted (banks, etc.) have no clue what I'm talking about. However, a concerted campaign to educate people here would go a long way. It seems like the companies who are most likely to be targeted by phishing are the least adept in security.
Tue Mar 27, 2007 9:32 pm Subject: Just got a bogus one today. What do I do with it?
I just got an alleged email from PayPal stating that I had just been charged for an eBay purchase. The message said that I should click the secure link if I intended to dispute the charge.
Checked with my bank and no such charge had been made.
So I didn't do anything with the email.
Is there something to do with such emails? Can I forward it to the authorities or something?
Tue Mar 27, 2007 9:48 pm Subject: Reporting phishing
Guest wrote:
I just got an alleged email from PayPal stating that I had just been charged for an eBay purchase. The message said that I should click the secure link if I intended to dispute the charge.
Checked with my bank and no such charge had been made.
So I didn't do anything with the email.
Is there something to do with such emails? Can I forward it to the authorities or something?
I almost always report a phishing attempt. Usually you can go to the business/bank's web site and find an address where you can forward the email. A few of my regular addresses:
Capital One abuse@chase.com
Bank of America abuse@bankofamerica.com
Amazon stop-spoofing@amazon.com
Ohio Savings BankbyNet@ohiosavings.com
Branch Bank and Trust InternetFraud@bbandt.com
National Credit Union otismail@ncua.gov
Citi Bank emailspoof@citigroup.com
Fifth Third Bank 53investigation@security.53.com
US Bank fraud_help@usbank.com
Sierra Central fraud@sierracentral.com
In addition to the bank I also send it here:
phishing@irs.gov
While I am on my anti-spam rant:
"Nigerian fraud", the various money laundering spam 419.fcd@usss.treas.gov
Stock market spam enforcement@sec.gov
Software piracy spam piracy@adobe.com & piracy@microsoft.com
Half the time I get an email back from Microsoft thanking me for the report, and the other half I get one telling me that my message could not be delivered because it looks like spam.
And always, for any spam report, CC the government at spam@uce.gov.
I don't know how effective my reporting is, but every once in a while I see where they busted some spammer. I also often get a personal email from a bank security officer thanking me for the email. I was asked by the New York State Attorney General for an affidavit in the MonsterHut spam case and I gave him one: http://directmag.com/news/marketing_monsterhut_ordered_not/
I have some AppleScripts set up to help automate the reporting process.
paikinho wrote:
Is there something to do with such emails? Can I forward it to the authorities or something?
Yes. Forward it to spoof@victim, where "victim" is the domain of the phishing victim company. For example, spoof@paypal.com. Most companies have this eMail address open for this specific purpose. Be sure to include full headers, if you can.
Tue Mar 27, 2007 10:04 pm Subject: Re: Just got a bogus one today. What do I do with it?
Anonymous wrote:
I just got an alleged email from PayPal stating that I had just been charged for an eBay purchase. The message said that I should click the secure link if I intended to dispute the charge.
Checked with my bank and no such charge had been made.
So I didn't do anything with the email.
Is there something to do with such emails? Can I forward it to the authorities or something?
1. Do NOT click on that link. Certainly don't give them any information.
N.B.: If anyone ever does click on such a link, look at the address bar. Unless it shows "https://www.paypal.com/" and the "locked" icon is present showing that it is a secure page, do NOT do anything. PayPal shows this. Also check PayPal's Security Center for more information.
2. Notify PayPal, assuming that you have an account with them--or even if you don't. Go to their Security Center (link above) or their page on phishing. There's a link there to report suspect emails. Be sure to include the entire email, including the header.
3. You can report it to the National Fraud Information Center.
4. You can report attempted fraud, including phishing, to the Internet Crime Complaint Center, if you're in the US. (That information goes to the FBI, among others.) Don't be put off by the form--it is set up for people who have been victimized, but you can use the same form to report attempted fraud, which is a Federal felony in the US. (I do wish that they had a simpler form for reporting attempted fraud.)
If the domain is outside the US, there may not be much that they can do directly, but they can (and do) pass the information on to law enforcement agencies in other countries. Often, however, while the domain is registered in another country, the owners are in the US.
It's actually probably several felonies, including mail fraud, if they use the US Postal Service at any point, and could lead to credit card fraud, which, if I recall correctly, belongs to the US Secret Service. Local and state law enforcement may be interested, as well. That's not to mention that they probably haven't paid income taxes on their ill-gotten gains, which sets them up for a confrontation with the IRS. At least one of those agencies is likely to find the crooks.
Some are so stupid that they don't use foreign domains or numerical IPs for their fake web sites but domains registered under their own names or their businesses. Next time, instead of clicking on the link, look at the raw source or control-click and choose "Copy link location." Paste that in a text file and check it out. You can find most domains at allwhois.com and other sources.
Don't bother including that information in the email to the ICCC--they'll find it on their own. You could use the address to report the attempt to the Attorney General of their state. If you can find out who is hosting the page--e.g., GoDaddy, you can notify them and hope that they take the page down to protect other people who aren't as savvy as you are.
Yes, that's a lot to do. You can just ignore the email or you can report it--it's up to you.
Forward the email to spoof@paypal.com without delay. You don't need to add comments.
Ditto for eBay: spoof@ebay.com.
Label the original "Junk," or whatever your email client calls it.
Wed Mar 28, 2007 12:47 pm Subject: The biggest problem with server based filtering
I ran across this company a while back. It seemed pretty neat.
They seem to have a token/browser combo with certs that can deter new phishing attacks.
www.em-technology.net
Wed Mar 28, 2007 2:35 pm Subject: Re: New solution...
Anonymous wrote:
I ran across this company a while back. It seemed pretty neat.
They seem to have a token/browser combo with certs that can deter new phishing attacks.
www.em-technology.net
Perhaps you can fill us in as to what the system requirements are, how much it costs, and the like, as the company's web site somehow missed all that information--unless, of course, you're spamming for the company.
I can't help but think a series of PSA's from the industry (Microsoft take the lead, since they're so "holey"?) telling people what to do and not to do in 15/20 funny, educational commercials would go a long way to educate the masses.
If they know NOT to click in an email, and know to type in the url, and this is repeated enough, people will follow. Worked for the conservatives in making "liberal" a dirty word.