Phishing Scams - how people get hooked

Usually, people do not know they have been suckered into a phishing scam until they discover their bank or credit card account has been drained of funds.  The average amount being lost in the UK in 2004/5 was over £2,500 per victim.  And, with more than 2,000 people having then fallen for the trick, and rising, that meant the scammers had made off with at least £5m from the UK alone by mid 2005.  When you then consider that the same scams are being operated throughout the world, in many different languages, it becomes apparent that this is a fantastically lucrative racket, as well as, it would seem, a virtually risk-free one for the main, elusive players.

Some scam victims in the UK have been lucky enough to be reimbursed by their banks.  But that was reportedly about to stop.  And rightly so.  We see no reason at all why any of the money the banks extract from the majority of us in the form of extortionate bank charges and interest charges should be wasted bailing out the irresponsible and gullible minority.  After all, there have been enough warnings going around for enough years about these e-mail scams.  There really is no excuse for anybody allowing themselves to be sucked in in the way they continue to be.

Having said that, there can be no question that the international gangs operating the modern scams with spoofed e-mails, supported by spoofed websites, have become incredibly sophisticated when compared with the crude, illiterate, out-of-Africa e-mail scams which first started off this nasty business back in 1998 (and which are actually still around, still preying on the ultra-gullible!).

Notwithstanding the above, if you are one of those who has heard the warnings about phishing scams but, as yet, you have no firsthand knowledge of how these seductive scams actually work, you will find this article, and especially the specimen e-mail in Fig 1 below, very illuminating.  And, of course, being suitably forewarned could obviously save you from losing your savings when you do eventually, inevitably, receive e-mails of this type.

These scams begin with an unsolicited e-mail ('spam') arriving in your Inbox, which will be a variation on the theme typified in Fig 1.  Although totally bogus, there is something about this type of e-mail which will make it immediately stand out from the usual, easily identifiable junk mail.  Firstly, provided their blind mail-shot has struck lucky, it will appear to be from a real and reputable bank or internet company which you already deal with and trust - a clever twist which never happens with normal spam.  Secondly, the Subject heading will be very different from the more obvious e-mail scams which offer the likes of Viagra, breast implants, penis enlargement, loans etc.  The Subject heading will look relevant, alarming and attention-grabbing - some actual examples being "Termination of Account",  "Security Warning", "Account Closure" and "Account Verification".  That kind of e-mail will undoubtedly command the reader's attention - even if it has been filtered into their Junk Mail folder!

It is the ingenious way in which the phishers somehow manage to spoof a company's genuine e-mail address which is the real stroke of 'brilliance' that leads to these particular e-mails being opened instead of deleted like most other spam.  And, once a person starts reading that e-mail, they are going to be sucked in even further by the clever wording which will soon have them thinking they are doing absolutely the right thing by clicking the link which promises to solve the problem the e-mail has described.

The link then fetches a web page which will look every bit like the genuine web page of PayPal, eBay or your bank, right down to a spoofed proper name in the Address bar, a spoofed security padlock in the Status bar, and callous pirating of the real company's trademarks and logos.

Now fully hoodwinked into believing they are doing the safe thing, people then proceed to type in the requested information.  After all, it's just another website, and a genuine one for all intents and purposes, asking them to type in their credit card details or bank account details and passwords.  They're only doing something they've already done before on other websites.  It's no big deal.  It's nothing unusual.  It's not like they're handing over the keys of their car to a complete stranger, or going out and leaving the front door open, is it?

And therein lies the crux of the problem for those who get lured in.  For some unknown reason, they lack the cognitive power to make the connection that it is exactly like handing over your car keys to a stranger or leaving your front door wide open.  Exactly the same.  No different.  Yet still they do it!

These mail-shots are mostly sent out blind.  Millions of them at a time.  The senders may have no idea, initially, if the email address targeted belongs to a person who actually has an account with the company referred to in the e-mail.  They are simply fishing at random.  Incidentally, the word 'phishing' is merely a geeky respelling of the word 'fishing' - deriving from the days, before email, when similar scams were being perpetrated by 'phone (and, ironically, still are).

If you were to receive a letter like the one in Fig 1, but you do not have an account with PayPal, that would, of course, be a dead give-away, to you, that it is from scammers.  But, on the other hand, if you did have an account with PayPal, or whichever other company the e-mail purported to be from, it is almost guaranteed you would open it because it would look relevant to you and there is nothing to raise your suspicions.  For a start, the senders would have got your internet name and address correct, they are displaying a genuine sender's address, and they have used a Subject line that simply cannot be ignored.

It is worth mentioning that merely opening the scam e-mail, or almost any spam mail for that matter, even if only out of curiosity, automatically lets the senders know the mail shot was opened.  This tells them the e-mail address they sent it to is, at the very least, genuine and currently active, and that you are, therefore, probably a susceptible person.  That will ensure your e-mail address will stay on what they call, in the trade, their "Suckers Lists" for continued targeting in the future, and for circulation and sale to others in the same game.
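As an added example (not the article's own code), here is a small Python checker that looks in a raw e-mail for the signs described in this section: an alarming subject line, links whose real target is not on the claimed sender's domain, link text that displays one address while pointing to another, and a remote image that tells the sender the message was opened. The sample message is constructed to mirror Fig 1; the example.net hostnames are placeholders, not the scammers' real links.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

URGENT = ("verification", "termination", "closure", "security warning")
A_TAG = re.compile(r'<a\s[^>]*?href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
IMG_TAG = re.compile(r'<img\s[^>]*?src="(https?://[^"]+)"', re.I)

def _host(url):
    return (urlparse(url).hostname or "").lower()

def _foreign(url, domain):
    """True when url is not on the claimed sender's domain or a subdomain of it."""
    h = _host(url)
    return not domain or (h != domain and not h.endswith("." + domain))

def phishing_indicators(raw):
    """Return the tell-tale signs described above that one raw e-mail exhibits."""
    msg = email.message_from_string(raw, policy=policy.default)
    sender = parseaddr(str(msg["from"] or ""))[1].rpartition("@")[2].lower()
    found = []
    if any(w in str(msg["subject"] or "").lower() for w in URGENT):
        found.append("alarming subject line")
    html = msg.get_body(preferencelist=("html",))
    if html is None:
        return found
    for href, text in A_TAG.findall(html.get_content()):
        shown = re.sub(r"<[^>]+>", "", text).strip()  # visible link text, tags stripped
        if _foreign(href, sender):  # the link leaves the claimed sender's domain
            found.append(f"link to {_host(href)} in mail claiming to be from {sender}")
        if "://" in shown and _host(shown) != _host(href):  # shown URL is not the target
            found.append(f"link text shows {_host(shown)} but points to {_host(href)}")
    for src in IMG_TAG.findall(html.get_content()):  # remote image reports the open
        if _foreign(src, sender):
            found.append(f"remote image from {_host(src)} (possible open tracking)")
    return found

# Constructed sample modelled on Fig 1; the example.net hosts are placeholders.
SAMPLE = """\
From: PayPal <service@paypal.com>
Subject: Account Verification.
Content-Type: text/html

<img src="http://track.example.net/open.gif?id=john" width="1" height="1">
<p>Please <a href="http://paypal-verify.example.net/update">click here</a> to update.</p>
<p>Go to <a href="http://paypal-verify.example.net/prefs">https://www.paypal.com/prefs-noti</a>.</p>
"""
```

Run against SAMPLE it reports five indicators; a genuine message whose links all stay on the sender's own domain and that loads no remote images reports none.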

We hope this article (first posted 15.2.05) will have raised your awareness of the dangers, thus saving you from becoming yet another one of their victims.

Update Nov 2005 - Some horrendous official statistics were released.  They showed that (i) 58% of people, i.e. a majority, were surfing without the protection of a firewall (can you believe that?!)  (ii) 92% of PCs were infected with undesirable spyware (that we do believe) and  (iii) over 5,000 websites were furnishing phishing scams and most of those sites were being hosted on unsuspecting people's PCs which had unknowingly been hijacked by the scammers (media-dubbed as 'zombie PC networks' as of Jan 2006).

Update Mar 2006 - There have recently been a number of successful, welcome prosecutions of phishing scammers.  However, these have generally been of people living in the States or Europe who are merely copiers of the main, apparently untouchable perpetrators based in far-east and east-European countries.  Phishing scams, and the number of unwary people who fall for them, remain as big a problem as ever.

Update May 2006 - The latest phishing scams are targeting not just bank customers and eBay users, but also prospective donors to prominent charities.  As usual, a link in an unsolicited email (i.e. spam) lures anybody naive enough to click it to a real-looking website where they can hand over their card or bank account details to donate a one-off or regular payment to a 'deserving' cause.  You have to hand it to these criminal geniuses because, if you think about it, religious believers are one of the most gullible and susceptible sections of society, no disrespect intended.  Furthermore, the charities the scammers are impersonating are much less likely than big banks to have the bottomless resources needed to chase down and close the bogus websites.  But, the real beauty of this particular phish is that the victims are actually 'willing' participants in having monies deducted from their bank or credit card accounts, so may never suspect anything is amiss provided the fraudsters do not get greedy and take too much in one go.  This update should serve as a warning to everybody that the scammers are regularly changing their lines of attack and levels of sophistication.  You really do need to be constantly on your guard with respect to every single unsolicited email (or phone call) you receive.  All they will be trying to do is to trick you out of your money - nothing else.

Update Sep 2006 - There are even spoof websites for downloading the well known Spybot and Ad-aware spyware removers.  These will ask for money in return for removing what they call 'severe' problems on your computer.  If you see any such ads, they have already infected your machine themselves, and anybody who is then stupid enough to send them money as well, for programs that are free, deserves everything they will get in return!

Update Aug 2007 - The internet has become the "playground of criminals" (UK House of Lords' Science and Technology Committee's report on e-crime).
 
Fig. 1 (below)  This shows an actual scam e-mail purporting to be from PayPal.  Similar ones could appear to be from eBay, your bank, or any financial institution with which you might have an account.  We have concealed the recipient's real name, and disabled the three baited hyperlinks.  Otherwise, it is largely as it was received.  The frightening thing is, there is nothing about this e-mail to suggest it is anything other than 100% authentic.
From :       service@paypal.com
Reply to :  updates@paypal.com
Sent on :  7 February 2005 00:53:08
Sent to :  john@mailserv.com
Subject :  Account Verification.

[A genuine PayPal logo appeared here]

A check of your PayPal Billing Information records has shown they are out of date. This requires you to update the Billing Information.
Failure to update your records will result in account termination. Please update your records in a maximum 24 hours. Once you have updated your account records, your PayPal service will not be interrupted and will continue as normal. Failure to update will result in cancellation of the service, Terms of Service (TOS) violations or future billing problems.
Please click here to update your billing records.

Thanks for using PayPal!
Your PayPal account is currently set up to receive the PayPal Periodical newsletter and product updates.  To modify your notification preferences or to unsubscribe, go to https://www.paypal.com/prefs-noti and log in to your account.  Changes to your preferences will be reflected in our future mailings.

Your account is also set up to receive product offerings from our advertisers via Providian Services.  If you prefer to be excluded from future mail shots, please confirm your requirement by going to http://removeme.providian.com/.

Copyright © 2004 PayPal Inc. All rights reserved. Designated trademarks and brands are the property of their respective owners.

Tips

1.  Baited hyperlinks
In the introductory note to Fig 1, we said the three hyperlinks, in the e-mail above, had been disabled.  If you hover your mouse over them, you should see a tool tip to that effect.  We disabled them so as not to expose viewers to whatever it was the scammers were really using those links for.  Mind you, the links probably expired within a few days of them sending out the e-mail.  That would be their normal practice, so as to make it more difficult for anybody in authority to track them down.

If you were to click on any of the disabled links, you should get a default error message telling you the page could not be found.  If, however, the link were to fetch a real page of some kind, that would not be anything to do with the scammers, nor us.  It is more likely to be a sign that your computer is infected with an unrelated spyware program.  Spyware is, arguably, an even bigger internet scourge than the scams, because it affects almost every PC nowadays - without the user being fully aware of the extent of the spying.  But that is another story!
 
2.  Escrow services
The wisest way for two parties to trade on auction sites is, in theory, through an escrow service.  This is an intermediary company, of which there are several, that will, for a small percentage, hold your payment in bond and release it only after you confirm you have actually received the goods and they are as described.  A problem that arose in 2005, though, was that the escrow services themselves had become targets of criminals who create spoof websites.  People who fall for this particular scam will not receive the goods, but their payment will go through - and disappear without trace.  This then means they have to pay again, in order to get the goods from the true source - or face being sanctioned on the auction site for not honouring their winning bid.  So, always take the time to satisfy yourself that you are looking at a genuine escrow company's website, not an identical, spoofed one, before entrusting your account details to them.
 
3.  Phishing by Phone
We would like to warn people that phishing scams are still being operated by telephone, not only by e-mail or texting.  So you must be on constant guard against phone scams too, especially as they can, believe it or not, be even easier to fall for than the e-mail scams.  It is simplicity itself these days for rogues to collect enough information, about almost any individual, in order to initiate this scam.  You answer the phone one day and it might be somebody pretending to be from, by way of example, your ISP company asking if you would like to upgrade to broadband.  They know your name, your address, your e-mail address, who your ISP is, so it all seems entirely genuine.  You are soon drawn into an interesting conversation by their crafty scripts and, before you even know it, you have given them your credit card number to make the purchase, confirmed your PIN, told them your bank account number and anything else they need to weasel out of you so they can start rifling your accounts.  It is unbelievably easy to fall for these phone scams, which come out of the blue, and catch you completely off guard.  All we can say is don't.  Not now you have been warned about them!
 
4.  Warning Notices
If you find you have been drawn to a web page that seems safe because it carries a notice warning you about other bogus websites, do not be fooled into thinking a fraudulent website would never carry such a message.  It's the oldest trick in the book.  These people will go to any lengths to look authentic - and dummy warning notices are simply one of their most audacious and successful ways of tricking people into trusting them (added 1.5.06).
 
First posted 15.2.05.  Last amended 17.11.07 (dmy).  Copyright (C) 2005-2008 PM Designs.  All Rights Reserved.