Discussions about brokerage firms for futures, stocks and other tradeable instruments.
Roundtable Knight
Posts: 126
Joined: Wed Apr 30, 2003 6:39 am


Post by Bernd »

Last edited by Bernd on Sat Apr 19, 2008 1:56 am, edited 1 time in total.
AFJ Garner
Roundtable Knight
Posts: 2071
Joined: Fri Apr 25, 2003 3:33 pm
Location: London

Post by AFJ Garner »

Hmm, internet "security" and the lack thereof is very, very scary. I keep getting spoof e-mails from PayPal leading me to a spoof site where I am asked to record my account details for checking! Yup, sure, thanks, I'll do the jokes.

It's one of those subjects I keep meaning to research - how to best protect yourself. But there never seems enough time in the day.
Paul King
Roundtable Knight
Posts: 207
Joined: Mon Feb 23, 2004 9:13 am
Location: Vermont, USA

A couple of precautions

Post by Paul King »

There are a couple of things one can look out for in instances like this (I get the phishing PayPal emails every day and they are getting more sophisticated/legitimate looking).

1. Legitimate emails usually contain some identifying information that only the real sender would know - e.g. Dear Paul King, or regarding your account number XXXXXXX. Anything that says simply 'customer', or 'hi', is suspicious.

2. Always check the source-code before you click on an HTML link in an email to make sure it is the actual site it should be. Most of the phishing emails contain an encoded IP address (that no legitimate source would use), rather than a domain name. (This is not infallible - I have heard of some instances where the actual domain was hacked and a trojan program that records your user name and password and sends it to the phishers was installed - but this is pretty rare).

3. Report the spoof emails to the relevant company - PayPal has a spoof@paypal.com email for example specifically for this kind of thing - this will get the spoof site closed down. Most sites have a security section that tells you how to report suspicious emails.

4. Generally don't click on links in emails - type the real domain into a new window in a browser instead (or copy and paste the url) - annoying but safe.

5. Never believe any email asking you to 'confirm your account details' is from a legitimate sender - no legitimate company will ever ask you to do this in an email.

6. All legitimate logins should have the secure https url prefix and the lock icon in your browser (this is currently difficult or impossible to simulate with a regular http login so is a 'dead giveaway' that you are on a spoof site).

7. If you do end up on a spoof site (which you realize after the event) then change your password immediately, and report it to the relevant company, then run a complete virus and malicious software check on your computer since these sites can and do install all kinds of 'nasty' stuff on your PC or in your browser without you knowing. (I know this because I clicked on a spoof email link once just to see where it went and it took me a couple of days to clean my (non-trading) PC up afterwards).

Hope this helps
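
The link check described in point 2 of the post above can be automated. The following is an added example, not part of the original post: `audit_links`, `host_as_ip` and the sample message are constructed for illustration, and the expected domain is passed in by the caller.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import unquote, urlsplit

PART = re.compile(r"0x[0-9a-f]+|[0-9]+")  # one hex, octal or decimal host component

class HrefCollector(HTMLParser):
    """Collect the href of every <a> element in an HTML message body."""
    def __init__(self):
        super().__init__()
        self.hrefs = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs.append(dict(attrs).get("href") or "")

def host_as_ip(host):
    """Return the IPv4 address a host encodes (dotted, hex, octal, one integer), else None."""
    parts = host.lower().split(".")
    if len(parts) > 4 or not all(PART.fullmatch(p) for p in parts):
        return None
    try:
        nums = [int(p, 16 if p[:2] == "0x" else 8 if p[0] == "0" else 10) for p in parts]
    except ValueError:  # "08" is not valid octal
        return None
    *head, last = nums  # the last component fills all remaining bytes
    if any(n > 255 for n in head) or last >= 256 ** (5 - len(parts)):
        return None
    return ipaddress.ip_address(sum(n << (24 - 8 * i) for i, n in enumerate(head)) + last)

def audit_links(html, expected):
    """Return (href, reason) for each web link that does not lead to the expected domain."""
    collector = HrefCollector()
    collector.feed(html)
    findings = []
    for href in collector.hrefs:
        host = unquote(urlsplit(href).hostname or "").lower()
        ip = host_as_ip(host)
        if ip is not None:
            findings.append((href, f"host is an IP address, not a domain name: {ip}"))
        elif host and host != expected and not host.endswith("." + expected):
            findings.append((href, f"host {host} is not under {expected}"))
    return findings

# Constructed sample message body; addresses are from the 203.0.113.0/24 documentation range.
SAMPLE = """<a href="http://3405803781/login">https://www.paypal.com/login</a>
<a href="http://0xcb.0x0.0x71.0x5/cgi-bin/verify">Verify now</a>
<a href="http://paypal.example.net/login">Log in</a>
<a href="https://www.paypal.com/help">Help</a>"""
```

Calling `audit_links(SAMPLE, "paypal.com")` reports the first three links and passes the last one; the first link shows why the visible text of a link proves nothing about its target.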

Roundtable Knight
Posts: 154
Joined: Fri Apr 22, 2005 9:14 pm
Location: Vancouver, Canada

Post by TrendMonkey »

I received an Email too (from IB Canada) asking about W8 forms. Now that you mention it, none of the other three (Canadian) brokers I deal with ever send me emails about anything, nor did any of them ask for W8 information. Hmmmmm.
Full Member
Posts: 14
Joined: Sun Jul 31, 2005 7:39 pm
Location: Washington, DC

Post by JackR »

I get an email every morning from IB telling me that my previous day's statement is available. It always includes a link to the login. When I go there I always check the URL before logging in. As you guys may or may not be aware IB forces logins that do not match your account number.

When I am trading and am awaiting a setup (I do systems and discretionary trading) I'll often do the following:

If I've gotten a "suspect" email for a login and cannot determine whether it is real or not I go to the site. I then enter the logon info with a false first name such as "RealDummy@Yahoo.com" and then a relatively innocuous password such as "password". I make the email domain match the one at which I received the email, but I always use a bad name.

There is no way the bad guys can guess your login name and password combo (odds are ridiculous). Some legitimate sites force you to use your email address as your username so a bad guy could send you a phish message and deny you a login if the username you attempt to use is not in their prospective "phished" login list. They cannot ever know your password (or why phish). If you respond to a phish using this method you'll normally get into the site. If it's a real site you'll be denied access. I haven't encountered this yet, but if you get rejected the first time don't change to your real login, use the bad name again. If I were phishing I'd reject your phoney attempt to fool you into trying to login with your real name, etc. Once into the phish, if I feel creative I provide lots of bad info. When they go to sell the info someone will probably be upset. There are some who will say don't try this at home.