Warnings go out about Japanese earthquake and phishing
For the past seven years or so we've seen a common criminal practice of creating just-in-time phishing scams around breaking news or other current events. These scams consistently appear for predictable events such as tax time or even March Madness, but they also arrive very quickly when high-profile natural disasters occur. Dating back at least as far as the Katrina/Rita disaster (and occurring as recently as February's earthquake in Christchurch, New Zealand), these attacks seek to prey on concerned well-wishers trying to donate money to aid disaster relief.

The good news is that public awareness of this attack vector continues to rise. Already today we've seen public outreach from multiple sources, including the United States Computer Emergency Readiness Team (US-CERT) and the SANS Institute, cautioning the public to be on the lookout for these phishing scams. I agree with these warnings.

On the downside, I've observed that these warnings tend to contain advice that is difficult to apply in practice (e.g., be wary of suspicious sites) rather than specific, concrete, actionable tips. That's an unfortunate omission when you consider that a powerful anti-phishing tool is widely deployed on sites today and available to more than 80% of the browsers in use. That tool is Extended Validation SSL, of course. So to anyone who chooses to step into the role of educating the public on how to protect itself online, I challenge you to include this critical tool in the messages you seek to put in front of the public.