I haven’t seen any examples yet, but it wouldn’t surprise me to see phishing attacks based on the Heartbleed flaw.
As you’ve likely heard, researchers have discovered a flaw in OpenSSL, the most widely used encryption library, that could put passwords and other private information at risk.
Almost all experts are advising people to change their passwords, though some suggest waiting until the site has been patched against the vulnerability (click here to find that information).
My concern — and this is based on previous highly publicized situations — is that people are going to get email that appears to be from banks and other sites, “disclosing” that the site was vulnerable and asking users to reset their passwords. These could be phishing attacks designed to trick you into revealing your log-on credentials to thieves. And some of these attacks are very sophisticated, taking you to sites that look identical to a company’s real site.
If you get such an email, DO NOT CLICK on any links. If you feel it’s time to change your password (and you should, once you know the site is no longer vulnerable), type the site’s URL into your browser yourself and navigate to the password reset page. It’s less convenient than clicking a link but a lot safer. Here are tips for safe, secure and unique passwords.
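The advice above can be applied mechanically: instead of trusting what a link in an email says, compare the host it actually points to with the host it claims to be. The script below is an added example, not code from the original post; the email body, the `examplebank.com` domain and every function name in it are constructed for illustration. It parses the anchor tags in an HTML message and flags any link whose visible text names one host while the `href` goes to another, or whose `href` is not on the domain you already know the sender to use.

```python
"""Flag deceptive links in an HTML email body (added example, not from the post).

The expected host comes from the reader's own knowledge (a bookmark, the card
in their wallet), never from the email itself, which is exactly the post's point.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message of the kind the post warns about. The first link's
# text claims one site while its href goes somewhere else entirely.
SAMPLE_EMAIL_HTML = """
<p>Due to the Heartbleed flaw, please reset your password at
<a href="http://examplebank.com.login-reset.example/reset">https://www.examplebank.com/reset</a></p>
<p>Questions? Visit <a href="https://www.examplebank.com/help">our help page</a>.</p>
"""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a> tag in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lower-cased hostname of a URL or bare domain, or None if it has none."""
    host = urlparse(url if "://" in url else "http://" + url).hostname
    return host.lower() if host else None


def host_matches(actual, expected):
    """True if 'actual' is 'expected' itself or a subdomain of it."""
    return actual == expected or actual.endswith("." + expected)


def _looks_like_url(text):
    """Visible anchor text that reads like a URL or domain rather than words."""
    return "." in text and " " not in text


def find_suspicious_links(html, expected_host):
    """Return links whose destination does not match what they claim or expect.

    Each finding is a dict with the href, the visible text and a list of reasons.
    """
    parser = _LinkCollector()
    parser.feed(html)
    expected = expected_host.lower()
    findings = []
    for href, text in parser.links:
        actual = host_of(href)
        if actual is None:  # mailto:, anchors, etc. carry no host to compare
            continue
        reasons = []
        if _looks_like_url(text):
            claimed = host_of(text)
            if claimed and not host_matches(actual, claimed):
                reasons.append("visible text names a different host than href")
        if not host_matches(actual, expected):
            reasons.append("href host is not " + expected)
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_links(SAMPLE_EMAIL_HTML, "examplebank.com"):
        print(finding["href"], "->", "; ".join(finding["reasons"]))
```

On the constructed sample only the first link is reported, for both reasons; the second link points to the bank's own domain and its text makes no claim about a host. A mail client or gateway rule would apply the same two checks, and a reader doing it by hand does the same thing by typing the address instead of clicking.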
Besides phishing, watch out for other scams, including services that promise to check whether you’re vulnerable or to clean up any problems. There are legitimate services, but before giving any information or money to one, do a bit of homework to make sure it’s legitimate. It is OK to use the two sites linked from this post to check whether a site is vulnerable.
This post first appeared on Forbes.com.