Phishing or Scam emails come in many forms, but most are cleverly disguised to get you to part with a username and password. These scams are becoming so clever now that it is almost impossible for all but a highly trained professional to distinguish between a scam and the real thing. So if think you may have been sucked in by one of these scams, here is what you should do.

• Change the password of the system that the scammer was posing as immediately (See choosing random passwords below)
• If you use the same or similar password for any of your internet banking accounts:
  • Change the password immediately
  • Monitor your statements for unusual or unauthorised transactions
  • Notify your Bank of any breach or unauthorised activity
• If you use the same or similar password for any other website or system, change the password immediately and report any unauthorised activity
• Make sure your email hosting account server has a good anti-spam system installed. Klixo's email accounts have an excellent Anti-spam system.
• Update your browser to the latest version and ensure that it includes an anti-phishing system. The latest versions of Microsoft Internet Explorer, Chrome and Mozilla Firefox all have this functionality built in.
• Finally, review your personal password policy (more on this below)

How to avoid Phishing Scams in the first place

• Read these tips from Hubris.net
• Make sure your email hosting account server has a good anti-spam system installed. Klixo's email accounts have an excellent Anti-spam system.
• Update your browser to the latest version and ensure that it includes an anti-phishing system. The latest versions of Microsoft Internet Explorer, Chrome and Mozilla Firefox all have this functionality built in.

Creating a Personal Password policy

Everyone should have a personal password policy that determines how you choose passwords and which passwords you use for which systems/websites. Here are some practical (but not fool-proof) tips:

• When you are setting or choosing a password, consider the risk involved in using the system. Ask yourself, if someone was able to break in using my username and password, what would the possible ramifications be? Risk can be measured by how much money you could potentially lose, or it can be measured in other ways, such as how embarrassing it could be for example. Some examples of risk evaluations could be:
  • Internet Banking - High Risk
  • Flickr Account - Low Risk
  • My Space Account - Low Risk
  • Laptop Login - High Risk
  • Company Intranet - Medium or High Risk
• Some security experts recommend that you choose a different password for every website/system that you log in to, but this is not always practical. Another (riskier) alternative is to choose a password for each risk profile. For example a low risk password, a medium risk password, and a high risk password.
• Choose a random password, a mixture of letters, numbers and symbols that will never be found in a dictionary of any kind. Use a random password generator to get a more secure password.

More reading

• Phishing / Identity Theft - Hubris Communications
• Secure Passwords Keep You Safer - Schneier on Security
• Real World Passwords - Schneier on Security (warning, contains profanity)