- Never, ever give your password to anyone, including siblings.
- Create a unique, difficult-to-guess password. Never use the name of your child or dog. Adding numbers and changing letter case increases the entropy of your password and makes it much more difficult to guess. For example, "FiDo!!1x" is more secure and difficult to guess (or brute force) than simply "fido".
- Neither of those two are passwords I have ever used. If you seriously try them, I will laugh at you.
- Never visit sites advertised via whispers, yells, or in game mail messages no matter how official they might look. Online scams work precisely by making you think you're visiting an official site. Remember this.
- The ONLY valid sites you should visit related to the game (in the US) are http://www.worldofwarcraft.com and http://www.battle.net. Any site other than these two is likely a fraud.
- When in doubt, it is better to MANUALLY TYPE THE SITE ADDRESS into your address bar than to click a link. Why? Here's an example: http://www.microsoft.com/ (forum address suffixes aside, clicking this URL will take you to Google instead of Microsoft).
- If you create an account on sites like wowhead.com, DO NOT use the same username/password combination you use to log in to World of Warcraft.
- Consider purchasing an authenticator but be aware of other issues*.
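To put a number on the "entropy" point in the password tip above, here is an added example (not code from the original post) that estimates the brute-force search space of a password from the character classes it uses, and also shows why a dictionary word such as a pet name is far weaker than its character count suggests. The symbol class size (32 ASCII punctuation characters), the guess rate and the tiny pet-name wordlist are all constructed assumptions for illustration.

```python
"""Brute-force search-space estimate for passwords (added example, not the post's code).

Assumptions: ASCII character classes only; symbols = the 32 ASCII punctuation
characters; the wordlist and guess rate below are constructed for illustration.
"""
import math
import string

# Character classes an attacker must enumerate if any character of the class appears.
CLASSES = (
    ("lowercase", frozenset(string.ascii_lowercase)),   # 26
    ("uppercase", frozenset(string.ascii_uppercase)),   # 26
    ("digits", frozenset(string.digits)),               # 10
    ("symbols", frozenset(string.punctuation)),         # 32 (assumption: ASCII punctuation)
)

# Constructed stand-in for a real "pet and child names" wordlist (8 entries -> 3 bits).
PET_NAME_WORDLIST = frozenset(
    ["fido", "rex", "max", "bella", "buddy", "lucy", "daisy", "charlie"]
)


def charset_size(password: str) -> int:
    """Size of the union of character classes present in the password."""
    size = sum(len(chars) for _name, chars in CLASSES if any(c in chars for c in password))
    if size == 0:
        raise ValueError("password contains no recognised ASCII characters")
    return size


def entropy_bits(password: str) -> float:
    """log2 of the brute-force search space, i.e. charset_size ** len(password)."""
    return len(password) * math.log2(charset_size(password))


def effective_bits(password: str, wordlist=PET_NAME_WORDLIST) -> float:
    """Entropy an attacker actually faces: a dictionary word costs only log2(len(wordlist)).

    Case is folded before the lookup, since trying both cases of a short word is cheap.
    """
    brute = entropy_bits(password)
    if password.lower() in wordlist:
        return min(brute, math.log2(len(wordlist)))
    return brute


def seconds_to_exhaust(password: str, guesses_per_second: float = 1e9) -> float:
    """Time to try every candidate at the given rate (rate is a constructed assumption)."""
    return 2 ** effective_bits(password) / guesses_per_second


if __name__ == "__main__":
    # The two sample strings from the post (which the author says were never real passwords).
    for pw in ("fido", "FiDo!!1x"):
        print(f"{pw!r}: charset {charset_size(pw)}, brute-force {entropy_bits(pw):.1f} bits, "
              f"effective {effective_bits(pw):.1f} bits, "
              f"{seconds_to_exhaust(pw):.3g} s to exhaust at 1e9 guesses/s")
```

Mixing the four classes takes the eight-character example from a space an attacker exhausts in under a millisecond to one that takes months at a billion guesses per second, but note that "fido" is cheaper still than its 18.8 brute-force bits because it sits in any pet-name wordlist.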
With these things in mind for protecting your account, here are some tips to spot scams:
The Congratulations Scam
Also known as the "you've been selected for account theft" scam. This scam invariably provides a site from which you can "collect" your "reward." Never mind that the true reward is in the data you provide them. Typical implementations of this scam involve rewards for achievement progress or free in-game mounts. Worse, the sites linked in the in-game mail oftentimes actually look genuine.
What you can do to protect yourself:
Do not by any means go to sites linked via in-game mails. If Blizzard gives you a reward such as a vanity pet, the pet is always attached as part of the mail message. Furthermore, e-mail messages from Blizzard are always accompanied by the Blizzard logo, and the background image in the mail message will have some sort of Blizzard Entertainment logo. Game mails that appear to be identical to those sent from other players always are.
If you get suckered into visiting a site of unknown authenticity, watch for common misspellings or unusual turns of phrase. Scammers are often Chinese, and while their skill at duplicating existing content is impressive, their ability to communicate in perfect English often isn't. For a similar but not quite identical example, consider reading the documentation for many of Gigabyte's motherboard offerings.
Account Warning Scam
Scammers are something like spammers: if they obtain your e-mail address, they'll start sending valid-looking e-mails in the hope that you'll click on the links provided therein. One of the more recent types of this variety involves e-mail notices of account suspension that look official. However, since most people view their e-mail messages in HTML format, the links contained within these messages do not point to actual Blizzard sites. Other similar messages may include password reset notifications, special offers, and so forth.
What you can do to protect yourself:
Never click on links presented to you via e-mail messages. Instead, type the address carefully yourself into your browser's address bar. For instance, if you receive a notice that your account has been suspended, go to http://www.worldofwarcraft.com and click on "Account Management." From there, you may log in with your username/password (but ONLY from there) and verify that the account is active.
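The two link tricks described above (an HTML link whose visible text shows one address but whose href goes elsewhere, as in the microsoft.com example earlier in the post, and an "account suspended" mail whose links point outside the two official sites) can both be checked mechanically. The following is an added example, not code from the original post: it parses the links out of an HTML message, flags any link whose displayed address differs from its real destination, and flags any destination that is not worldofwarcraft.com or battle.net (or a subdomain of them, which is an assumption about what counts as official). The sample message is constructed; the `.example` hostname in it is a reserved placeholder, not a real scam domain.

```python
"""Audit the links in an HTML message for the two tricks the post describes.

Added example, not the original post's code. Assumptions: the official hosts are
worldofwarcraft.com and battle.net plus their subdomains; SAMPLE_MAIL is constructed.
"""
import urllib.parse
from html.parser import HTMLParser

OFFICIAL_HOSTS = ("worldofwarcraft.com", "battle.net")

# Constructed sample: one genuine link, one display-text mismatch, one look-alike host.
SAMPLE_MAIL = """
<p>Your World of Warcraft account has been suspended.</p>
<a href="http://www.worldofwarcraft.com/account">http://www.worldofwarcraft.com</a>
<a href="http://www.google.com/">http://www.microsoft.com/</a>
<a href="http://battle.net.account-check.example/login">Click here to verify your account</a>
"""


def is_official(host: str) -> bool:
    """True only if host IS an official domain or ends with '.<official domain>'.

    'battle.net.account-check.example' merely starts with battle.net, so it is rejected.
    """
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in OFFICIAL_HOSTS)


def host_of(url_or_text: str) -> str:
    """Hostname of a URL; bare text such as 'www.example.com' gets a scheme first."""
    s = url_or_text.strip()
    if "://" not in s:
        s = "http://" + s
    return (urllib.parse.urlsplit(s).hostname or "").lower()


def looks_like_url(text: str) -> bool:
    """Heuristic: does the visible link text itself read as an address?"""
    text = text.strip()
    return "://" in text or ("." in text and " " not in text)


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def audit_links(html: str) -> list:
    """Return one finding per link; an empty 'reasons' list means nothing suspicious."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        link_host = host_of(href)
        reasons = []
        if looks_like_url(text):
            shown_host = host_of(text)
            if shown_host != link_host:
                reasons.append(f"displays {shown_host} but links to {link_host}")
        if not is_official(link_host):
            reasons.append(f"{link_host} is not an official host")
        findings.append({"href": href, "text": text, "host": link_host, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_links(SAMPLE_MAIL):
        status = "OK " if not f["reasons"] else "BAD"
        print(status, f["href"], "->", "; ".join(f["reasons"]) or "official, text matches")
```

The subdomain test in `is_official` is the part worth copying: a host must end with `.battle.net`, not merely contain the string, which is what defeats look-alike names that put the real domain at the front. The mismatch check only fires when the visible text reads like an address; "Click here" links are caught by the host allowlist instead.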
Never buy gold. I realize that gold purchases are often the path of least resistance and make game progress somewhat easier, but it's important to remember that the gold you've purchased was likely obtained by someone else having their account cracked. In fact, purchased gold never comes from a legitimate source no matter how reputable the company because it's against the ToS. Furthermore, many gold sellers require you to provide your e-mail address to confirm payment and delivery. Thus, by giving them your e-mail address, you have inadvertently exposed at least one part of your account data to a scammer. Gold sellers can then sell your e-mail address to spammers (you don't want an inbox full of Viagra ads, do you?) or to other scammers in an attempt to crack your WoW account.
Protect Yourself
As always, typical methods of protecting yourself apply: Always keep your antivirus up to date, enable Windows firewall if you're using Windows (it isn't perfect, but it's better than nothing), if you're using Vista/7 do not make a habit of automatically clicking "YES" when UAC pops up asking for administrative privileges (always verify that the application requesting privilege escalation is what you would expect it to be), and don't visit questionable sites. Further steps you can take to prevent hostile applications and sites from taking over your system are:
- Never visit anything except for well known sites with Microsoft Internet Explorer. Always use an alternative browser like Firefox, Chrome, or Opera.
- If you have Adobe Flash enabled, you must update it regularly (at least every month). More and more attacks use exploits in Flash to gain access to your system.
- If you use Firefox, go to https://addons.mozilla.org/en-US/firefox/ (it'll show a green "Mozilla Corporation (US)" in the address bar under Firefox and display a secure connection icon somewhere on your browser) and download the addons: NoScript and Flashblock. These two addons are capable of halting most attack vectors by default including many that have not yet been discovered.
- If you use Opera, disable scripting and plugins by default. To do this, go to Tools -> Quick Preferences and uncheck "Enable JavaScript" and "Enable Plugins". For safe sites that you visit regularly, go to Tools -> Quick Preferences -> Edit Site Preferences and check "Enable Plugins" under the "Content" tab and "Enable JavaScript" under the "Scripting" tab.
- If you use Microsoft Internet Explorer and are not visiting your bank or other site that absolutely requires MSIE, click on the "X" button in the upper right hand corner and launch Mozilla Firefox. If you don't have Firefox, go to http://www.mozilla.org/
- Again, never give your password to anyone, including siblings. Siblings are one of the worst attack vectors that cannot be engineered around and have no remedy that is otherwise legal in most countries (unless you live in jurisdictions like Uganda where human sacrifice is still allowed).
- When in doubt, ask a knowledgeable guild mate. It's better to ask a question if you're unsure of a message's authenticity than to have your account compromised.
- If you absolutely, positively must view questionable sites, consider doing so with a separate (unprivileged) user account under a browser with scripting and plugins disabled. Better yet, do so under a virtual machine. (Windows 7 Professional and up include a fully licensed copy of Windows XP; however, "XP mode" has full administrative access to the file system, so don't use it. Oddly, you can run the XP mode virtual machine under separate virtualization software like VirtualBox, which is a safer approach.)
- * The Blizzard authenticator is great and will protect you even from a keylogger. However, keyloggers are exceedingly dangerous: While the authenticator will protect your World of Warcraft account from theft it will not protect your online bank account from being compromised. Keep this in mind.
Edit: Fixed font sizes due to breakage from phpBB2 -> phpBB3 update.