PDQ Library:  "Phishing" Scams

Email Fraud

The newest form of online fraud - a phishing attack, a fraud artist spams the Internet with email pretending to be from a reputable financial institution or e-commerce site. The message urges the recipient to click on an included link to update their personal profile or carry out some transaction. The link takes the victim to a fake website designed to look authentic, but when personal or financial information is typed, it is sent directly to a scam artist.

57 million U.S. Internet users have received fraudulent email linked to phishing scams, and some estimates say 3% of them, or 1.7 million people, may have been swindled into divulging personal information. Fraud is criminal behavior - if you have been taken in, you should report it to the police.

"Due to a recent security breach in the [bank name here] computer systems, we are asking all customers to immediately login with the link below and immediatley report any unnoticed password changes, unexplained funds depletion or the likewise ... "

The link in this type of email does NOT go to the bank's secure site but to a scam site instead, where the unsuspecting bank customer willingly provides their account name and password. If this happened to you, contact your bank immediately and close or change your online account. Never click on email links like this. Legitimate warnings always tell you to use the company's official web site to check your account - you keep that information handy right?!

According to antiphishing.org (June 2006), the average phishing site stays up only 4.8 days. A few thousand people log into their bank accounts and the site disappears. Back in my mother's day, there was a sucker born every minute. Moves faster now!

Example of a Phishing Email:

Dear {bank name} Valued Customer,
We recently reviewed your account, and suspect that your {bank name} Internet Banking account may have been accessed by an unauthorized third party. Protecting the security of your account and of the {bank name} network is our primary concern. We are asking you to immediately login and ...
Go to the link below:
    {link to criminal web site} ...

If you are foolish enough to click on this link and type in your id and password you have provided a criminal with access to all your money!

"Personal Information"

The following information is useful for credit card fraud and identity theft - a person can pretent to be you, and do any financial transactions that you can:

  • your name
  • your address
  • credit card number and expiration date
  • CCV number (three-digit credit card verification)
  • ATM code / bank (debit) card password
  • SIN (social security number)
  • account usernames and passwords

Prevention:

  • Be suspicious of unsolicited email requests for financial information or other personal data. Banks, Paypal and credit companies never do this.
  • Do not click on links in any unsolicited messages - ever!
  • Learn how to create and use bookmarks (favorites) in your web browser to go to any site where you have accounts that deal with money.
  • Look for the padlock symbol on Web pages when you enter sensitive information (you should always do this anyway) - it indicates that encryption is being used to protect the information you type. Most phishing sites don't use encryption.
  • Use a separate credit card for online and phone payment. Do not use it for anything else - you may want to cancel the card on short notice if there is a problem.

Can you recognize Phishing?

MailFrontier estimates that 28% of us are still being fooled by that fake mails claiming to be from eBay, Citibank, PayPal, etc. Go to www.mailfrontier.com and try " Test your Phishing IQ" to see if you can detect which are phish attempts and which are legitimate. Read each email before making your guess.

Future Solutions:

"Email Authentication Technology" has been proposed as a possible solution to block faked sender addresses - the major component of spam as well as phishing. The U.S. government is beginning to prosecute phishers. Microsoft has proposed Caller ID. EBay's browser tool bar now has a feature that flashes red when the user visits a possible fraud site. Earthlink added a "scam blocker" feature to its Web browser tool bar.

Yahoo proposed an email standard, DomainKeys (Dec. 2003) , to fight spam - unwanted bulk messages that now account for up to two-thirds of all email traffic (phishing depends on fake addresses). This email standard would embed outgoing messages with an encrypted digital signature matched to a signature on the server computer that sends the message. The technique, if widely adopted, would prevent spammers from hiding unwanted messages behind legitimate email addresses.

These external sites provide help and information:

TOP back