
Charles Arthur: 'Here's a way to protect yourself against all those e-mail scams'

Wednesday 13 April 2005 00:00 BST

There are now more online scams around than ever. The frequency with which people ask me to tell them if a particular e-mail is real or fake shows that we need simple ways to protect ourselves against all the e-mails and fake websites that want our usernames and passwords.

There are various add-ons for browsers such as Firefox (www.mozilla.org/firefox), as well as features built into e-mail programs such as Eudora (www.eudora.com), that will indicate whether the URL a link actually sends you to matches the one its text claims to point at. But phishing e-mails come so thick and fast that they're likely to snare you eventually. (It's easy for crooks to set up web pages on compromised machines, and to build those pages from images served up by eBay, PayPal, Barclays Bank or the Halifax.)

But that's not perfectly reliable. I got a phishing e-mail the other day that didn't have a link; it had a button to press, which opened the site (a fake eBay log-in page, set up on a hacked Korean computer) in your browser. Without looking at the source code of the e-mail, you wouldn't know if it was real or fake.
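As an added illustration (not code from the column or from the add-ons it names), here is the link check described above in Python, extended to list where any form button in the message would submit; the HTML message is constructed for the example.

```python
"""Flag e-mail links whose visible text names one host but whose href
points to another, and list the hosts that form buttons would post to."""
from html.parser import HTMLParser
from urllib.parse import urlparse


def host_of(url):
    """Lower-cased host of a URL; '' if the text is not a URL at all."""
    url = url.strip()
    p = urlparse(url)
    if not p.netloc and '.' in p.path.split('/')[0]:
        # link text such as 'www.ebay.com/signin' carries no scheme
        p = urlparse('http://' + url)
    return p.hostname or ''


class LinkCollector(HTMLParser):
    """Gather (href, visible text) for anchors and action URLs for forms."""
    def __init__(self):
        super().__init__()
        self.links, self.forms = [], []
        self._href, self._text = None, []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == 'a' and a.get('href'):
            self._href, self._text = a['href'], []
        elif tag == 'form' and a.get('action'):
            self.forms.append(a['action'])

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == 'a' and self._href is not None:
            self.links.append((self._href, ''.join(self._text).strip()))
            self._href = None


def suspicious_links(html):
    """(visible text, real host) for links whose shown and real hosts differ."""
    c = LinkCollector()
    c.feed(html)
    return [(text, host_of(href)) for href, text in c.links
            if host_of(text) and host_of(href) and host_of(text) != host_of(href)]


def form_targets(html):
    """Hosts that the message's form buttons would submit to (the button case)."""
    c = LinkCollector()
    c.feed(html)
    return [host_of(action) for action in c.forms]


# Constructed phishing-style message: the address is a documentation range.
SAMPLE = ('<p>Please <a href="http://203.0.113.7/ebay/signin">www.ebay.com/signin</a>'
          ' to confirm your account.</p>'
          '<form action="http://203.0.113.7/ebay/post"><input type="submit" value="Sign in"></form>'
          '<a href="https://www.paypal.com/help">www.paypal.com/help</a>')
```

Running `suspicious_links(SAMPLE)` reports the eBay-looking link as really pointing at 203.0.113.7, and `form_targets(SAMPLE)` shows the sign-in button posting to the same host; the genuine PayPal link is not flagged.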

And here's where my guaranteed system to protect against phishing comes in. It works in the real world, too, when you're at a cash machine and worried that you're being "shoulder-surfed", or that the ATM has some sort of monitor. So it's pretty powerful. It's this: the first time you use the site or machine, enter a made-up username and password, or the wrong PIN. Why does this protect you? Because the phishers don't know your username and password; they're relying on you to tell them. The real site does know. So the fake site will accept your fake username and password, while the real site will reject it. In the same way, a real ATM will query your wrong PIN, but quite some way into your transaction - after the person shoulder-surfing you from behind has stopped watching.

But the problem of scams online doesn't go away, even once you've avoided phishing. Many people have been ripped off in eBay auctions by the so-called "second winner" method. They see something they want for sale from someone who has a good seller reputation, and they bid on it. They don't win, but then the seller gets in contact and says the winner didn't pay up, and would they like to buy it instead? So they wire the money, and never get anything. The mistake is in trusting the seller's reputation. And you shouldn't wire money for an eBay item; use PayPal's protected payment scheme instead.

The essential flaw that these scams are built on is the problem of online identity. How do we know that what we're seeing really comes from the sender it appears to come from, or that a website really is operated by eBay? One way banks and building societies, for a start, could help is by communicating with us using e-mail carrying cryptographic signatures. The receiver can then verify, with a click of the mouse, whether an e-mail has come from where it says by looking up the sender's public "key" and checking the signature against it. This is automatic in many e-mail programs.

Regrettably, I don't see this happening any time soon. We're left with rather more low-tech approaches. So remember, the first time on the site, enter the wrong user ID and password. You never know when it might save your bacon.

www.charlesarthur.com/blog
