BOOT CAMP ARCHIVE 2004

  

 

BOOT CAMP 312 (13/02/04)

 

HIDDEN PERILS

 

I don’t want to alarm you but… If you’ve followed the many Boot Camp features on computer security over the past few years then your PC should now be well protected against viruses and hackers with a regularly updated virus scanner and a Firewall. Hopefully you will also have installed software to purge your computer of spyware, adware, Trojans and hidden log files tracking your web surfing activities and don’t forget the Spam filter and pop-up stopper. If you are using Windows XP, you should have switched off the Messenger Service and you never, ever, open unexpected and unsolicited email attachments, so you should be fairly safe, right?

 

Needless to say you are not, and here are two new words to add to your growing vocabulary of computer security threats: ‘Phishing’ and ‘Spoofing’. Phishing – pronounced fishing (and no, I don’t know why it is spelt with a P …) is the practice of luring unsuspecting Internet users to phoney or ‘spoof’ web sites, to obtain PIN numbers, passwords, credit card details etc. Spoofing, or to give it its full name, Internet Protocol or IP Spoofing, exploits a loophole in Internet Explorer so that a fake or spoofed site displays an authentic-looking web address.

 

Spoofing is now reaching epidemic proportions and you may already have received emails purporting to come from PayPal, American Express, Visa, Barclays and other well known Banks, Building Societies and credit card companies. The email may have all the hallmarks of a genuine message, with a logo, official-sounding wording, contact details and web addresses. The message usually says that your account is about to expire, or that the company is introducing new security measures and you need to renew your password or check a statement, and you are invited to click on the link to take you to the company’s web site.

 

Hopefully most Internet users know by now that legitimate organisations never ask their customers for PINs and passwords except in a secure and encrypted login window, but how do you tell? The trouble is that anyone fooled by a phoney email into clicking on the link to the company web site may be further tricked by IP spoofing into believing they are on a genuine web site.

 

Normally when you visit a web site the address is clearly displayed, which, until recently, has provided a quick and easy check for a site’s authenticity. However, if the address has been spoofed all you will see is the genuine-looking part, e.g. www.visa.com, but what you won’t see is the rest of the address that directed your browser to the fraudster’s web site. By inserting combinations of characters and symbols after ‘.com’ the rest of the address is hidden. The full address could look something like this: www.visa.com%01@inickyourcash.com, but all you see is www.visa.com.

 

Providing you keep your wits about you the chances of being caught by a spoof web site are small. The con is obvious if you have no dealings with the company since, like Spam, these messages are sent indiscriminately. Nevertheless, some of them can be very convincing and it’s easy to absent-mindedly click on a link. One simple way to avoid the more obvious spoofs is to display all emails in plain text. You won’t be fooled by logos and web address links will be displayed in full, showing the hidden portion. To do that in Outlook Express go to Tools > Options, select the Read tab and check the item ‘Read all messages in plain text’.
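
The hidden-address trick and the plain-text check described above can also be done by a program. The following Python script is an added example, not part of the original column: it lists each link in an HTML email with the text shown to the reader beside the site the browser would really contact. The sample message and the names analyse_url, LinkCollector and audit_email are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit, unquote

# Constructed sample message; the spoofed address is the one quoted in the column.
SAMPLE_EMAIL = """<p>Your account is about to expire.
<a href="http://www.visa.com%01@inickyourcash.com/renew">www.visa.com</a>
<a href="https://www.visa.com/help">Help pages</a></p>"""

def analyse_url(url, shown_text=""):
    """Return (host the browser really contacts, list of warnings)."""
    url = url if "://" in url else "http://" + url  # allow scheme-less input
    parts, warnings = urlsplit(url), []
    host, userinfo = parts.hostname or "", parts.netloc.rpartition("@")[0]
    if userinfo:
        # Anything before '@' is a login name, not the site being visited.
        warnings.append("text before '@' is not the site: " + userinfo)
        if re.search(r"[\x00-\x1f\x7f]", unquote(userinfo)):
            warnings.append("control character hidden before '@'")
    # If the visible link text looks like an address, it must name the real host.
    shown = re.match(r"(?:https?://)?([\w.-]+\.[a-z]{2,})", shown_text.lower())
    if shown and shown.group(1) != host:
        warnings.append("text shows %s, link leads to %s" % (shown.group(1), host))
    return host, warnings

class LinkCollector(HTMLParser):
    """Collect (visible text, href) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def audit_email(html):
    """Return (visible text, real host, warnings) for each link in the message."""
    collector = LinkCollector()
    collector.feed(html)
    return [(text,) + analyse_url(href, text) for text, href in collector.links]

if __name__ == "__main__":
    print(*audit_email(SAMPLE_EMAIL), sep="\n")
```

A link with no warnings has only passed these three checks; the padlock and certificate checks below still apply.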

 

If you find yourself on a website asking for a PIN or password – even if you are visiting the site intentionally and typed in the address – always carry out a couple of basic security checks before you enter any information.

 

Look for the SSL Secure Login symbol, which appears on the Status bar at the bottom of an Internet Explorer browser window (and most other browsers). There you will see a small yellow padlock icon. If the padlock is open the site is non-secure and you should not divulge any sensitive information. If the lock is closed the site should be secure and any data you key in will be encrypted but before doing so double-click the padlock to display the site’s security certificate. The address or domain the certificate was issued to should match the name shown in the browser’s Address box.

 

The moment you visit a web site the address is entered into the browser History. If you open the History list and hover the mouse pointer over the entry the full web address will be displayed and this should match the one showing in the browser address window. If a web site you have linked to fails any of these tests, leave straight away. If for any reason you want to visit the site, enter the address manually. Finally, see Tip of the Week to check your browser’s vulnerability to spoofing.

 

Next week – Spring Clean & Upgrade

 

JARGON FILTER

 

FIREWALL

Program that monitors an Internet connection, preventing unauthorised access by hackers and stopping programs sending data from your PC

 

SSL

Secure Sockets Layer, a powerful encryption system used to send data and information, like credit card details, over the Internet

 

SPYWARE

Program, usually put onto your PC after visiting a web site, that makes use of your internet connection – without your knowledge or permission -- to send data back to its parent site

 

 

TIP OF THE WEEK

 

There’s a quick and easy to use spoof ‘tester’ at: http://www.secunia.com/internet_explorer_address_bar_spoofing_test/

You will probably find that Internet Explorer fails the test miserably and at the time of writing Microsoft had yet to release a patch. There are several third-party fixes floating around the Internet but at least one of them contains adware components. My preferred solution is to change to a spoof-proof browser, like Avant Browser. It is freeware and has many useful extras, including a built-in pop-up stopper and tabbed windows; it can be downloaded from: http://www.avantbrowser.com/


 Copyright 2006-2009 PCTOPTIPS UK.

All information on this web site is provided as-is without warranty of any kind. Neither PCTOPTIPS nor its employees nor contributors are responsible for any loss, injury, or damage, direct or consequential, resulting from your choosing to use any of the information contained herein.