National Puzzlers' League Security Notes
Phishing Attempts and Malware
If you get a mail purporting to be from an "administrator at puzzlers.org", no matter what it says,
it is probably fraudulent and an attempt to get you to download malware.
These emails are known as "phishing" and are a social engineering way of attempting to take over machines,
scam you out of money, etc.
If you get an email addressed to somebody else which looks suspicious, it probably is.
- An email telling you that a server upgrade is taking place and that to properly deal
with the server upgrade, you had to download some new "SSL certificates". To computer experts, this makes
no sense, but mail filled with buzzwords can cause even the sharp eyes of puzzlers to glaze over.
- An email telling you that you need to download a file or visit a web site in order
to keep your mailbox on puzzlers.org.
- An email thanking you for signing up for a new account (sometimes with somebody else's name)
on a site you've never heard of.
- An email with a long list of people in the To: line, none of whom you know. Frequently,
all the addresses start with the same letter.
- An unexpected confirmation of a password reset (possibly not addressed to you).
Here are the important things to bear in mind:
If somebody associated with the NPL web site sends you mail, we will always include our nom.
But that alone is not a guarantee that the email is valid. Phishers copy legitimate emails and send
modified copies of them to other people.
- There is no "puzzlers.org Technical Support team" or anything sounding remotely like that.
The people who are webmasters for the league are members, real people, and we sign our emails with our noms.
- Nobody will ever ask for your password. Never.
- Nobody will ever ask for your credit card number, bank account information, or any other personal information.
We will never ask for your mother's maiden name or the last 4 digits of your SSN.
- Nobody will ever tell you that you need to download anything in order to use the web site,
mailing list, or anything else associated with the NPL. Yes, the web site has things you can download
(the enigma, word lists, solving tools) and there is plenty of downloadable software that might be
useful to puzzlers, but we will never tell you that *have* to download anything. Note: we may
provide solving tools in the future that use Java, Flash or Silverlight.
- Nobody will ever tell you that you have to visit a specific web page to ensure that you can continue
to use the web site, receive email, or do any other thing associated with the NPL or puzzlers.org.
This doesn't mean you don't have to pay your dues!
- Nobody will tell you that you need to or should pay for anything online. The site does have a link to
pay dues via PayPal, but you do not have to use it. Whenever you use a PayPal link, you should check that the URL
is paypal.com/etc, not paypal.somethingelse.com/etc.
- Just because an email seems to come from an administrator does not mean that it does. If it looks
suspicious, it probably is.
- Personalized email is not rocket science. Having your nom or email embedded in the middle of an
email means nothing.
- The use of your name or nom is no guarantee of the authenticity of any email. Most of us have a
email@example.com alias, so the nom is not a secret.
All of these statements are pretty much true of any reputable organization or web site. Scammers
and phishers use fear as a tactic to get people to act immediately and not question:
"you must do this right now or you will lose something." You will never get a message like that from the NPL.
Don't click on links in unexpected or suspicious email. Instead, visit the site directly and do whatever you
think you might need to do.
Never click on a link that looks like this: http://legitimate-site.com.other-site.com/etc That's
not a link to legitimate-site, it's a link to other-site (which is really evil-site).
Many web sites do not begin with www. That's fine. For example, this web site is https://krewe.puzzlers.org. What you have to look
closely at is the end of the domain name portion of the URL, not the beginning.
For example, a recent scam attempt used this domain: updates.puzzlers.org.secure.redacted.org --
the actual (redacted) domain was a well known malware site with a name that made it sound innocuous.
If the domain is wrong, it doesn't matter how good the site looks. Scammers have put up very authentic looking
copies of bank and credit card sites. You might think they wouldn't bother cloning the NPL site, but their
clone tools are pretty automatic. And they think they might steal your password here and then use it at your
bank. This is one of the reasons you should use different passwords on each site you use.
If you receive a link that you are suspicious of in any email, do not click on the link. Instead,
manually go to the known site that you want to visit, e.g., by typing "www.puzzlers.org" into your browser.