How to defeat Phishing
Kurt mentioned in a comment to Daniel's PayPal phishing article how he dealt with phishing and that got me thinking about the easiest way to defeat phishing for certain accounts.
The answer that I came up with is by using virtual mail accounts. I always thought about virtual mail accounts as a way to stop spam, as you can find out which website or service sell your email address but it can also be used to defeat phishing as the same time.
Virtual mail accounts can be created using many online mail services including Gmail and Yahoo Mail. If you wanted to create such a virtual mail account on Gmail you would simply change the email address on a site you are registering an account for to youraddress+added@gmail.com. This also works in every other situation were you provide a third-party with your email address.
To give you an example, you could use the email ghacks+paypalcom@gmail.com as your main email when you are signing up for PayPal.
You would then set a filter in Gmail to filter all messages send to this email. Now, whenever an email from PayPal arrives that was not send to this virtual email address you can be sure that it is a phishing email. To be effective you need to hide this email from everyone, even the people who send or receive money. This is done by using a second email for this purpose that is not your default email in PayPal.
This system works fine if the service accepts email addresses with plus signs. Most websites need only one virtual email address, your bank for instance, eBay and every other website where the email is not visible to contacts.
Instead of using virtual email addresses or email aliases, you can also use different accounts for those purpose. One account for communicating with each important service, and maybe a second to communicate with members of said service if that is an requirement.
Advertisement
Kurt I personally don’t think that spammers will start sending mails out to guessed emails, e.g. if they found at ghacks@gmail.com they will not send out mails to ghacks+something@gmail.com because it is highly ineffective.
And you do not have to remember the virtual email address at all because you are not going to use it. You receive official mail from those sites to it and that’s it. No need to remember.
yes, *if* you do it right you certainly can make guessing a lot harder… who’s going to know/remember to do that? who’s going to remember which random number they chose for paypal? will they use the same random number for everything or a different one for each virtual address? how will they pick their random characters (given that the human brain has an exploitable weakness when it comes to intentionally generating randomness – 17 is apparently the most random number between 1 and 20 for example)?
and using random characters wasn’t in your original article, by the way…
Kurt guessing mails is an almost impossible task if you do it right. You should not use ghacks+paypal@gmail.com of course. But what about ghacks+paypalcomXXX@gmail.com where XXX are three random chars.
I think it is only possible to defeat this if either your computer or the service network gets hacked.
You could use unique emails for every service as well but I think that using virtual mails is faster and does not require that much work.
hmmm, i suppose that works too, but i don’t think it’s very future-proof… what i mean is that when everyone starts using that method the phishers will simply start guessing what your virtual addresses are… people are probably going to do as you did and use the website name in the address so it shouldn’t actually be that hard for the phishers to guess… sneakemail addresses, on the other hand, are random alphanumeric strings that are basically unguessable…