Kurt mentioned in Daniel’s PayPal phishing article how he deals with phishing, and that got me thinking about the easiest way to defeat phishing for certain accounts. The answer is virtual mail addresses, also known as plus addressing or sub-addressing: Gmail delivers anything sent to youraddress+tag@gmail.com to the youraddress@gmail.com inbox and ignores the tag for delivery, so you can hand out a different tag to every service without creating a new account. I always thought about virtual mail addresses as a way to stop spam and to find out which website or service sells your email, but they can also be used to spot phishing.
Virtual mail addresses are supported by several web mail providers. Gmail uses the plus sign; Yahoo Mail offers a comparable feature (disposable addresses) with its own syntax, so check your provider’s documentation for the exact format. In Gmail nothing has to be set up in advance: you simply change the email address in your profile at the site where you are registered to youraddress+added@gmail.com. To give you an example, you could use ghacks+paypalcom@gmail.com as your main email at PayPal.
You would then set a filter in Gmail that matches all messages sent to this address, for instance to label them. Now, whenever an email that claims to come from PayPal arrives but was not sent to this virtual address, you can be sure that it is a phishing email, because the real PayPal only knows the tagged address. The check only holds as long as the tagged address stays secret, so you need to hide it from everyone, even the people who send you money or receive money from you. This is done by adding a second email address to your PayPal account for payments, while the tagged address stays the primary one that PayPal uses for login and notifications and never shows to contacts. If the tagged address ever leaks, for example in a data breach at the service, phishers can use it as well; at that point you change the tag and update the filter.
This system only works if the service accepts email addresses with plus signs; some registration forms reject them even though the plus sign is a valid character in the local part of an address. Most websites need only one virtual email address each: your bank, for instance, eBay, and every other website where your email is not visible to other users.
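As an added example, which is not code from the original post or from Gmail, here is the filter logic in Python: a small classifier that flags mail claiming to come from a service but not addressed to the tag that service was given. The mailbox ghacks@gmail.com, the registered tags and the sample messages are constructed for illustration; the Gmail normalization rules it applies (case-insensitive, dots in the local part ignored, everything after the first plus sign is the tag, googlemail.com equals gmail.com) are real. The make_tag helper goes one step further than the article and appends a few random characters so that a tag cannot be derived from the service name alone.

```python
import secrets
import string
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Hypothetical mailbox and registrations, constructed for this example.
# BASE_LOCAL/BASE_DOMAIN is the real inbox; REGISTERED_TAGS records which
# plus-tag was handed to which service (ghacks+paypalcom@gmail.com etc.).
BASE_LOCAL = "ghacks"
BASE_DOMAIN = "gmail.com"
REGISTERED_TAGS = {"paypal.com": "paypalcom", "ebay.com": "ebaycom"}
# Words a phishing mail would put in the display name to impersonate a service.
SERVICE_KEYWORDS = {"paypal.com": "paypal", "ebay.com": "ebay"}
TAG_ALPHABET = string.ascii_lowercase + string.digits


def make_tag(service_domain, random_chars=3):
    """Derive a tag from the service name and append a few random characters
    (from the secrets module) so it cannot be guessed from the name alone."""
    stem = service_domain.lower().replace(".", "")
    return stem + "".join(secrets.choice(TAG_ALPHABET) for _ in range(random_chars))


def normalize_gmail(addr):
    """Split an address into (base local part, tag, domain) the way Gmail
    delivers it: case-insensitive, dots in the local part ignored, everything
    after the first '+' is the tag, googlemail.com is the same as gmail.com."""
    local, _, domain = addr.strip().lower().rpartition("@")
    if domain == "googlemail.com":
        domain = "gmail.com"
    base, _, tag = local.partition("+")
    return base.replace(".", ""), tag, domain


def claimed_service(msg):
    """Return the registered service this message claims to come from, judged
    by the sender domain or an impersonating display name; None if neither."""
    name, sender = parseaddr(msg.get("from", ""))
    sender_domain = sender.rpartition("@")[2].lower()
    for service, keyword in SERVICE_KEYWORDS.items():
        if sender_domain == service or sender_domain.endswith("." + service):
            return service
        if keyword in name.lower():
            return service
    return None


def recipients(msg):
    """All addresses the message was addressed or delivered to."""
    headers = msg.get_all("to", []) + msg.get_all("cc", []) + msg.get_all("delivered-to", [])
    return [addr for _, addr in getaddresses(headers) if addr]


def classify(raw_message):
    """'expected' if the mail claims a registered service and reached the tag
    given to that service, 'phishing-suspect' if it claims the service but
    reached any other address, 'unrelated' if it claims no registered service."""
    msg = message_from_string(raw_message)
    service = claimed_service(msg)
    if service is None:
        return "unrelated"
    expected_tag = REGISTERED_TAGS[service]
    for addr in recipients(msg):
        base, tag, domain = normalize_gmail(addr)
        if (base, domain, tag) == (BASE_LOCAL, BASE_DOMAIN, expected_tag):
            return "expected"
    return "phishing-suspect"


def _mail(sender, to, subject="Account notice"):
    # Builds a minimal RFC 822 message; the content is constructed, not real mail.
    return f"From: {sender}\nTo: {to}\nSubject: {subject}\n\nPlease review your account.\n"


SAMPLES = {
    "genuine": _mail("PayPal <service@paypal.com>", "ghacks+paypalcom@gmail.com"),
    "spoofed_from": _mail("PayPal <service@paypal.com>", "ghacks@gmail.com"),
    "lookalike_domain": _mail('"PayPal Security" <alert@paypa1-secure.com>', "ghacks@gmail.com"),
    "wrong_tag": _mail("PayPal <service@paypal.com>", "ghacks+ebaycom@gmail.com"),
    "gmail_variant": _mail("service@paypal.com", "G.Hacks+PayPalCom@googlemail.com"),
    "friend": _mail("A Friend <friend@example.org>", "ghacks@gmail.com"),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(f"{label:17} -> {classify(raw)}")
```

In Gmail itself the equivalent is a filter built from the search `from:paypal.com -to:ghacks+paypalcom@gmail.com`, which catches mail claiming to come from paypal.com that did not arrive at the tagged address. The classifier above also treats a display name containing the service’s name as a claim, so a lookalike sender domain is caught as well. What neither catches is a phisher who has learned the tagged address, which is why the tag has to stay secret and should be replaced once it leaks.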
Hmmm, I suppose that works too, but I don’t think it’s very future-proof… what I mean is that when everyone starts using that method the phishers will simply start guessing what your virtual addresses are… people are probably going to do as you did and use the website name in the address, so it shouldn’t actually be that hard for the phishers to guess… Sneakemail addresses, on the other hand, are random alphanumeric strings that are basically unguessable…
Kurt, guessing mails is an almost impossible task if you do it right. You should not use ghacks+paypal@gmail.com, of course. But what about ghacks+paypalcomXXX@gmail.com, where XXX are three random chars?
I think it is only possible to defeat this if either your computer or the service network gets hacked.
You could use unique emails for every service as well, but I think that using virtual mails is faster and does not require that much work.
Yes, *if* you do it right you certainly can make guessing a lot harder… who’s going to know/remember to do that? Who’s going to remember which random number they chose for PayPal? Will they use the same random number for everything or a different one for each virtual address? How will they pick their random characters (given that the human brain has an exploitable weakness when it comes to intentionally generating randomness – 17 is apparently the most random number between 1 and 20, for example)?
And using random characters wasn’t in your original article, by the way…
Kurt, I personally don’t think that spammers will start sending mails out to guessed emails, e.g. if they found ghacks@gmail.com they will not send out mails to ghacks+something@gmail.com because it is highly ineffective.
And you do not have to remember the virtual email address at all because you are not going to use it. You receive official mail from those sites to it and that’s it. No need to remember.