Mich Kabay takes a high-level view of security issues and provides resources to help safeguard your corporate and personal security.
What is this, a change of topic? I’ve gotten tired of network security and am turning to sports news? Or old-time rock ‘n’ roll?
No, not the watery animal, nor the band “Phish” - “Phish” as in “phishing,” the word coined by taking “fishing” and using hacker-style spelling (as in “phreaking”). Phishing, as you’re probably aware, is a form of social engineering in which criminals send out spam with forged headers to draw gullible people to fake Web sites where they enter sensitive information such as account numbers, user IDs and passwords. These data are then used for direct financial fraud or wider identity theft.
I recently received an odd e-mail message that warned me that “my” Wells Fargo account had been closed. Here are the most significant parts of the text with my comments in square brackets:
Dear Wells Fargo account holder,
[Warning sign #1: The salutation is completely general instead of addressing the client by name. The message does not give “my” account number. In any case, I don't have such an account at all (non-account-holders usually just discard the e-mail at no cost to the criminals).]
We regret to inform you, that we had to block your Wells Fargo account because we have been notified that your account may have been compromised by outside parties.
[Warning sign #2: Bad grammar in the warning (the comma between “you” and “that”). Watch for peculiar wording and bad spelling. Now authentic messages may also have such rubbish, but it’s rarer than in spam - especially spam written by non-native speakers of English. A good deal of the phishing spam is international.]
. . .
Please be aware that until we can verify your identity no further access to your account will be allowed and we will have no other liability for your account or any transactions that may have occurred as a result of your failure to reactivate your account as instructed below.
[Warning sign #3: Wait a minute: this makes no sense at all. If the account has been blocked, there should be no new transactions allowed, so what liability are they talking about?]
. . .
Please follow the link below and renew your account information
https://online.wellsfargo.com/cgi-bin/signon.cgi
[Warning sign #4: I immediately went to VIEW SOURCE in my e-mail client to check the URL. (NEVER click on a URL from a stranger without knowing exactly what it is - and its appearance is no guarantee of where it takes you.) Here is the HTML showing the _actual_ URL that the fake link went to:
M. E. Kabay, PhD, CISSP-ISSMP, is Program Director of the Master of Science in Information Assurance program at Norwich University.
Comments (1)
Catching phish
By Anonymous on January 2, 2007, 4:20 pm
I just got a Wells Fargo phish, and the links (including the official-looking "Protect yourself ..." one) point to http://ofteam.refresh.pl/we1.htm; I wonder if...