Usually, people do not know they have been suckered into a phishing scam until they discover their bank or credit card account has been drained of funds.
Even then, they often don't know how or when they were phished.
The average amount lost in the UK, back in 2004/5, was over £2,500 per victim. And, with more than 2,000 people
then known to have fallen for the phishers [many more since, of course], that meant the scammers had made off with at least £5m from the UK alone by mid 2005. When you then consider that
the same scams are being operated throughout the world, in many different languages, it becomes apparent that this is a fantastically lucrative racket, as well as, it would seem, a
virtually risk-free one for the criminals perpetrating the scams.
Some scam victims in the UK have been lucky enough to be reimbursed by their banks. But that
should definitely stop. We see no reason at all why any of the money the banks extract from the majority of us in the form of
extortionate bank charges and interest charges
should be wasted bailing out the irresponsible, gullible or greedy minority who fall for the scams. After all, there have been enough warnings going around for enough years about these e-mail
and telephone phishing scams.
There really is no excuse for anybody allowing themselves to be sucked in in the way they continue to be.
Having said that, there can be no question that the international gangs operating the modern
scams with spoofed e-mails, supported by cloned websites, have become incredibly
sophisticated when compared with the crude, illiterate, out-of-Africa e-mail scams
which first started off this nasty business back in 1998 (and which are actually still around,
still successfully preying on the ultra-naive).
Notwithstanding the above, if you are one of those who has heard the warnings about phishing scams but, as yet, you have no firsthand knowledge of how these seductive scams actually work, you will find this
article, and especially the specimen e-mail in Fig 1 below, very illuminating. And, of course, being suitably forewarned could obviously save you from losing your savings when you do eventually,
inevitably, receive e-mails of this type.
These scams begin with an unsolicited e-mail (spam) arriving in your Inbox, which
will be a variation on the theme typified in Fig 1. Although totally bogus, there is always
something about this type of e-mail which will make it immediately stand out from
the usual, easily identifiable junk mail. Firstly, provided their blind mail-shot has
struck lucky, it will appear to be from a real and reputable bank or internet company which
you already deal with and trust - a clever twist which never happens with general spam.
Secondly, the Subject heading will be very different from the more obvious e-mail
scams which offer the likes of Viagra, breast implants, penis enlargement, loans etc.
The Subject heading will look relevant, alarming and attention-grabbing - some actual examples
being "Termination of eBay Account", "HSBC Security Warning", "PayPal
Account Closure" and "Bank Account Verification". That kind of subject
heading will undoubtedly command the reader's attention - even if the email has
been filtered into their Junk Mail folder.
The 'From' address is not the stroke of 'brilliance' it appears to be. The internet e-mail system does not check that the sender
named in an e-mail is the one who actually sent it, so the phishers simply type service@paypal.com (or any other address they like)
into that field, and in 2005 almost nothing between their computer and your Inbox would object. It is that forged sender address
which leads to these particular e-mails being opened instead of deleted like most other spam.
And, once a person starts reading that e-mail, they are going to be sucked in even further by the clever wording which
will soon have them thinking they are doing absolutely the right thing by clicking the link which promises to solve the
problem the e-mail has described.
The link then fetches a web page which will look every bit like the genuine web page of PayPal,
eBay or your bank, right down to a plausible name in the Address bar (usually a look-alike address with the real
company's name buried inside a longer, unrelated one, though flaws in the browsers of the time also let scammers
overwrite the Address bar outright), a padlock drawn into the page to mimic the browser's own security
padlock in the Status bar, and callous pirating of the real company's trademarks and logos. Short of a browser flaw,
the browser's own Address bar and padlock are the only parts of the window the scammers cannot draw, so read the
address there character by character, and make sure the padlock is the browser's and not a picture in the page, before typing anything.
Now fully hoodwinked into believing they are doing the safe thing, people then proceed to type
in the requested information. After all, it's just another website, and a genuine one
for all intents and purposes, asking them to type in their credit card details or bank account
details and passwords. They're only doing something they've already done dozens of times
before on plenty of other websites. It's no big deal. It's nothing unusual. It's not
like they're handing over the keys of their car to a complete stranger, or going out and leaving
the front door open, is it?
And therein lies the crux of the problem for those who get lured in. For some unknown
reason, they lack the cognitive power to make the connection that it is exactly like
handing over your car keys to a stranger or leaving your front door wide open. Exactly
the same. No different. Yet still they do it.
These mail-shots are mostly sent out blind. Millions of them at a time. The senders
may have no idea, initially, if the email address targeted belongs to a person who actually
has an account with the company referred to in the e-mail. They don't even
care. They are simply fishing at random. Incidentally, the word 'phishing' is merely
a geeky respelling of the word 'fishing': the 'ph' follows the old hacker spelling of 'phreaking' (phone phreaking), the term
having been coined in the mid-1990s by people stealing online-service account passwords, not from the telephone cons that predate e-mail. Those cons are very much alive, though:
phone call phishing still goes on, big
time, as in, for example, the so-called 'boiler room' sales of worthless company share
certificates.
If you were to receive an e-mail like the one in Fig 1, but you do not have an account with
PayPal, that would, of course, be a dead give-away, to you at least, that it is from scammers.
But, on the other hand, if you did have an account with PayPal, or whichever other company the
e-mail purported to be from, it is almost guaranteed you would open it, because
it would look relevant to you and there would be nothing to raise your suspicions. For a start,
the senders would have your e-mail address correct, they are displaying what looks like the company's genuine
sender address, and they have used a Subject line that simply cannot be ignored.
It is worth mentioning that merely opening the scam e-mail, or almost any
spam mail for that matter, even if only out of curiosity, can let the senders know
the mail shot was opened. The usual mechanism is a tiny image embedded in the HTML of the e-mail whose
address is unique to each recipient: when your mail program fetches that image from the scammers' server in order
to display the message, the fetch itself is the report (an automatic read receipt does the same job). Setting your mail
program not to download remote images or send receipts defeats this, and most current programs do so by default for
senders not in your address book. Otherwise the report tells them the e-mail address they sent it
to is, at the very least, genuine and currently active, and that you are, therefore, probably
a susceptible person. That will ensure your e-mail address will stay on what
they call, in the trade, their 'mug lists' or 'sucker lists' for continued targeting in the
future, and for circulation and sale to others in the same game.
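The three mechanisms described above (the forged 'From' address, the link whose real destination is not the company it names, and the image that reports the e-mail was opened) can all be checked mechanically before anybody clicks anything. The following Python script is an added example written for this page, not code from the original article or from PayPal. It runs on a constructed specimen modelled on Fig 1, in which the Authentication-Results header, the link targets, the tracking image and the names mailer.example.net and 203.0.113.45 are all assumptions for illustration (the real e-mail's links were disabled and are not reproduced on the page). It uses only the Python standard library.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed specimen modelled on Fig 1.  The Authentication-Results header, the
# link targets, the tracking image, mailer.example.net and 203.0.113.45 are all
# ASSUMPTIONS for illustration; the real e-mail's links were disabled.
RAW_MESSAGE = b"""\
Return-Path: <bounce-7731@mailer.example.net>
Authentication-Results: mx.mailserv.example; spf=fail smtp.mailfrom=mailer.example.net; dkim=none; dmarc=fail header.from=paypal.com
From: PayPal <service@paypal.com>
Subject: Account Verification.
Content-Type: text/html; charset="us-ascii"

<html><body>
<p>Please <a href="http://203.0.113.45/paypal/update.php?id=7731">click here</a> to update your billing records.</p>
<p>To modify your notification preferences go to <a href="http://paypal.com.account-verify.example.net/prefs">https://www.paypal.com/prefs-noti</a></p>
<img src="http://mailer.example.net/open.gif?id=7731" width="1" height="1">
</body></html>
"""

def domain_of(header_value):
    # Lower-cased domain of the first address in a header ('' if none)
    return parseaddr(str(header_value or ""))[1].rpartition("@")[2].lower()

def sender_findings(msg):
    """From: is free text typed by the sender.  Compare it with the envelope
    sender and with the SPF/DKIM/DMARC verdicts a modern receiving server adds."""
    findings = []
    from_dom, env_dom = domain_of(msg["From"]), domain_of(msg.get("Return-Path"))
    if env_dom and env_dom != from_dom:
        findings.append(f"From: claims {from_dom} but envelope sender (Return-Path) is {env_dom}")
    verdicts = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", str(msg.get("Authentication-Results", ""))))
    for mech in ("spf", "dkim", "dmarc"):
        if verdicts.get(mech, "absent") != "pass":
            findings.append(f"{mech} result: {verdicts.get(mech, 'absent')}")
    return findings

class LinkCollector(HTMLParser):
    # Collects (href, visible text) for anchors and (src, attrs) for images
    def __init__(self):
        super().__init__()
        self.links, self.images, self._href, self._text = [], [], None, []
    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a" and attrs.get("href"):
            self._href, self._text = attrs["href"], []
        elif tag == "img" and attrs.get("src"):
            self.images.append((attrs["src"], attrs))
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_belongs_to(host, domain):
    """True only for the domain itself or a real subdomain of it: the rightmost
    labels say who owns a host, so paypal.com.account-verify.example.net fails."""
    return host == domain or host.endswith("." + domain)

def link_findings(links, expected_domain):
    # Flag links whose real host is foreign, or whose visible text lies about it
    findings = []
    for href, text in links:
        host = (urlparse(href).hostname or "").lower()
        if not host_belongs_to(host, expected_domain):
            findings.append(f"'{text}' -> {href} (host {host} is not under {expected_domain})")
        shown = urlparse(text).hostname if text.startswith(("http://", "https://")) else None
        if shown and shown.lower() != host:
            findings.append(f"link text shows {shown} but the target host is {host}")
    return findings

def beacon_findings(images):
    # A remote image fetched when the mail is displayed tells the sender it was opened
    findings = []
    for src, attrs in images:
        if not src.lower().startswith(("http://", "https://")):
            continue  # inline (cid:) or data: images cannot report back
        tiny = attrs.get("width") in ("0", "1") and attrs.get("height") in ("0", "1")
        if tiny or "?" in src:
            findings.append(f"remote image {src} ({'1x1 pixel' if tiny else 'token in URL'})")
    return findings

def analyse(raw, expected_domain):
    msg = email.message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("html",))
    collector = LinkCollector()
    collector.feed(body.get_content() if body else "")
    return {"sender": sender_findings(msg),
            "links": link_findings(collector.links, expected_domain),
            "beacons": beacon_findings(collector.images)}

if __name__ == "__main__":
    print(analyse(RAW_MESSAGE, "paypal.com"))
```

Run as is, the script reports four sender problems (the envelope sender is not paypal.com, and SPF, DKIM and DMARC all fail or are absent), three link problems (a bare IP address behind 'click here', and a link whose visible text says www.paypal.com while its real host is paypal.com.account-verify.example.net) and one tracking image. The Authentication-Results header did not exist in 2005; it is written by the receiving mail server today when it checks SPF, DKIM and DMARC, which is the main reason a forged 'From' line is now far more likely to be caught. The host check deliberately looks only at the rightmost part of the hostname, because that is the only part that says who owns it.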
We hope this article (first posted 15.2.2005, and still highly relevant in subsequent years) will have raised
your awareness of the dangers, thus saving you personally from becoming yet another one of their
victims.
Update Nov 2005 - Some horrendous official statistics were released. They
showed that (i) 58% of people, i.e. a majority, were surfing without the protection
of a firewall (can you believe that?!), (ii) 92% of PCs were infected with undesirable
spyware (that we can believe) and (iii) over 5,000 websites were furnishing phishing
scams, most of them hosted on unsuspecting people's PCs which had been hijacked by the scammers
(networks of such machines were dubbed 'zombie PC networks' by the media as of Jan 2006; the trade term is botnets).
Update Mar 2006 - There have recently been a number of successful, welcome prosecutions
of phishing scammers. However, these have generally been of people living in the US or Europe who are merely copiers of the main, apparently untouchable
operators based
in east-European countries and the far east. Phishing scams, and the number of unwary people
who fall for them, remain as big a problem as ever.
Update May 2006 - The latest phishing scams are targeting not just bank customers and
eBay users, but also prospective donors to prominent charities. As usual, a link in an
unsolicited e-mail (i.e. spam) lures anybody who clicks it to a real-looking website
where they can hand over their card or bank account details to donate a one-off or regular payment
to a 'deserving' cause. You have to hand it to these crooks because, if you stop to think about it, somebody who has
already decided to give money away is the ideal target: their guard is down, and they will not
question a payment they intended to make. Furthermore, the charities the scammers are impersonating
are much less likely than big banks to have the bottomless resources needed to chase down and
close the bogus websites. But the real beauty of this particular phish is that the victims
are actually 'willing' participants in having monies deducted from their bank or credit card
accounts, so may never suspect anything is amiss provided the fraudsters do not get greedy and
take too much in one go. This update should serve as a warning to everybody that the scammers
are regularly changing their lines of attack and levels of sophistication. You really
do need to be constantly on your guard with respect to every single unsolicited e-mail (or
phone call) you receive. All they will be trying to do is to trick you out of your
money - nothing else.
Update Sep 2006 - There are even spoof websites for downloading the well known Spybot
and Ad-aware spyware removers. The programs on offer there will ask for money in return for removing what they
call 'severe' problems on your computer. A warning of that kind appearing out of nowhere is itself a sign that
the machine may already be infected with the rogue program, and paying for the 'fix' only hands the crooks a card number as well.
The genuine Spybot and Ad-aware are free: download them only from their own publishers' websites, never from a link in an advert or an e-mail.
Update Aug 2007 - The internet has become the "playground of criminals" (UK House of Lords' Science and Technology
Committee's report on e-crime).
Fig 1 (below) This shows an actual scam e-mail purporting
to be from PayPal. Similar ones could appear to be from eBay, your bank, or any financial
institution with which you might have an account. We have concealed the recipient's real name, and disabled the three baited hyperlinks.
Otherwise, it is largely as it was received. The frightening thing is, there was nothing about this e-mail to suggest it
was anything other than 100% authentic, though, with hindsight, the 24-hour deadline and the threat of account termination
are the classic pressure tactics to look out for: a genuine company does not need you to panic.
From: service@paypal.com
Reply to: updates@paypal.com
Sent on: 7 February 2005 00:53:08
Sent to: john@maileserv.com
Subject: Account Verification.
[A genuine PayPal logo appeared here]

A check of your PayPal Billing Information records has shown they are out of date. This requires you to update the Billing Information.
Failure to update your records will result in account termination. Please update your records in a maximum 24 hours. Once you have updated your account records, your PayPal service will not be interrupted and will continue as normal. Failure to update will result in cancellation of the service, Terms of Service (TOS) violations or future billing problems.
Please click here to update your billing records.
Your PayPal account is currently set up to receive the PayPal Periodical newsletter and product updates. To modify your notification preferences or to unsubscribe, go to https://www.paypal.com/prefs-noti and log in to your account. Changes to your preferences will be reflected in our future mailings.
Your account is also set up to receive product offerings from our advertisers via Providian Services. If you prefer to be excluded from future mail shots, please confirm your requirement by going to http://removeme.providian.com/.
Copyright © 2004 PayPal Inc. All rights reserved. Designated trademarks and brands are the property of their respective owners.
Tips
1 |
Baited hyperlinks
In the introductory note to Fig 1, we said the three hyperlinks, in the e-mail
above, had been disabled. If you hover your mouse over them, you should see a tool tip
to that effect. We disabled them so as not to expose viewers to whatever it was the scammers
were really using those links for. Mind you, the links probably expired within a few days
of them sending out the e-mail. That would be their normal practice, so as
to make it more difficult for anybody in authority to track them down.

If you were to click on any of the disabled links, you should get a default error message telling
you the page could not be found. If, however, the link were to fetch a real page of some
kind, that would be nothing to do with the scammers, nor us. It would more likely be
a sign that an unrelated spyware or adware program on your own computer is intercepting web requests. Spyware is,
arguably, an even bigger internet scourge than the scams, because it affects a great many PCs
without the user being fully aware of the extent of the spying. But that
is another story.
2. Escrow services
The wisest way for two parties to trade on auction sites is, in theory, through an escrow service.
This is an intermediary company, of which there are several, that will, for a small percentage,
hold your payment in bond and release it only after you confirm you have actually received the
goods and they are as described. A problem that arose in 2005, though, was that the escrow
services themselves had become targets of criminals who create spoof websites. People
who fall for this particular scam will not receive the goods, but their payment will go through -
and disappear without trace. This then means the victim will have to pay again, in order to get the
real goods from the true source - or risk being sanctioned on the auction site for not honouring
their winning bid. So, always take the time to satisfy yourself that you are looking at
a genuine escrow company's website, not an identical, spoofed one, before entrusting your account
details to it. The simplest check is to type the escrow company's address into your browser yourself rather than follow any link you have been sent.
3. Phishing by Phone
We would like to warn people that phishing scams are still being operated by telephone, not
only by e-mail or texting. So you must be on constant guard against phone
scams too, especially as they can, believe it or not, be even easier to fall for than the e-mail
scams. It is simplicity itself these days for rogues to collect enough information, about
almost any individual, in order to initiate this scam. You answer the phone one day and
it might be somebody pretending to be from, by way of example, your ISP company asking if you
would like to change to broadband or upgrade to a faster broadband. They know
your real name, your address, your e-mail address, who your ISP is, so it all seems entirely genuine.
You are soon drawn into an interesting conversation by their cunning scripts and, before you
even know it, you have given them your credit card number to make the purchase, confirmed your
PIN, told them your bank account number and anything else they need to weasel out of
you, so they can start rifling your accounts. It is unbelievably easy to fall for these
phone scams, which come out of the blue, and catch you completely off guard. Nothing about an
incoming call proves who is on the other end, so if in any doubt, hang up and ring the company back on the number
printed on your card or bill, not one the caller gives you. All we can
say is don't be caught out. Not now you have been warned about them.
4. Warning Notices
If you find you have been drawn to a web page that seems safe because it carries a notice stating it
is not a bogus website, or warning
you that there are bogus websites, do not be fooled into thinking a fraudulent website would never
carry such a message. It's the oldest trick in the book. These people will go to any lengths to look authentic, and
phoney warning notices are simply one of their most audacious
and successful ways of tricking people into trusting them. A notice is just text on a page that anybody can copy; the
address in the browser's own Address bar is the only thing that tells you whose page you are really on (added 1.5.06).