What is Phishing?
Phishing is an e-mail fraud method in which the perpetrator sends out legitimate-looking e-mail in an attempt to gather personal and financial information from recipients.
- The e-mails appear to come from well-known and trusted companies.
- Brands frequently impersonated by phishers: PayPal, eBay, MSN, Yahoo, BestBuy, and America Online.
- Phishers use a number of different social engineering and e-mail spoofing ploys (a forged sender address, a copied logo, a link that is almost the real one) to trick their victims.
How does it work?
Targets: people expecting tax refunds or tax relief (under Obama's stimulus plan), the unemployed, and customers of popular banks or companies with a large customer base.
The spam reports are out for May 2010, and here is the latest list of the Top 10 Phishing Targets:
10. NatWest - This bank is a newcomer to the list. Like many other financial institutions, it’s likely the target of the Zeus banking Trojan, which pumps out massive amounts of spam to distribute itself. The emails pretend to be notices from the bank asking recipients to log into their accounts to verify info or download a security update. Those that do find their login credentials captured by a keylogger and their bank accounts compromised.
9. Bank of America – A favorite phishing target, BOA briefly fell out of the top 10 but is back again. Zeus has hit them especially hard.
8. MSN - Users of MSN have begun receiving spam messages that look like they came from friends inviting them to try a service that claims to tell you who, if anyone, has blocked you recently. Those that fall for the phish have their MSN logins stolen and are brought to a page advertising a variety of free offers, all of which lead to adult chat rooms and try to push adware. Victims will also discover that their entire address book was sent the same spam.
7. Halifax – This bank, located in the UK, is yet another victim of Zeus.
6. Bradesco - Yet another bank that has fallen victim, this time one of Brazil's biggest.
5. Google - This phishing attack targets Gmail users, who have been receiving spam messages warning them that their account will be deleted unless they "verify it" by providing their name, Gmail ID, password, and country. It's one of the oldest phishes around.
4. Facebook - Like the Google attack, Facebook users are receiving fake emails that claim to be from Facebook announcing that Facebook has rolled out a new login system and they need to update their account.
3. HSBC - HSBC, a bank with customers around the world, is yet another victim of Zeus and other phishers. Interestingly enough, I’m an HSBC customer and have never received a phishing email pretending to be them!
2. eBay – One of the favorite targets of phishers. Their goal is to steal people’s eBay accounts and either use them to post scam auctions or attempt to hijack the Paypal account attached to it. Speaking of Paypal…
1. PayPal - It's no surprise they are at number one. Phishers have been exploiting them for years and there's no end in sight. Hijacked PayPal accounts can be both very lucrative and very useful!
What Happens:
Normally when a person is being phished, they will receive an e-mail or an instant message from the scammer asking them to provide certain personal details by entering them on a particular website. The link to that website (the URL) is contained in the e-mail or instant message itself. The message will look very much like it is from the real company, complete with the company logo and an (almost) correct website link: the visible text of the link may show the real company's address while the link actually points somewhere else, or the real company's name may appear inside a longer host name that belongs to the scammer.
Once the link is clicked, you are taken to the scammer's site, which looks like the real thing but is a fake. Some scammers, rather than getting you to enter your details on a website they run, now ask you to phone them directly. What you think is a call to a local number in your area is often redirected to a number abroad, so not only are you handing over your personal details, you are also running up a hefty phone bill.
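How the "almost correct" sender and link described above can be checked mechanically, as an added example that is not part of the original page: the script parses a raw e-mail with the Python standard library and applies three heuristics, a display name that claims a brand while the real address is elsewhere, link text that shows one host while the href points to another, and a brand name that appears inside a host but not as the registered domain. The `KNOWN_BRANDS` table, the two sample messages and their hosts are all constructed for this example, and `registered_domain` is a deliberate simplification (it takes the last two labels rather than consulting the public suffix list).

```python
"""Heuristic checks for a suspected phishing e-mail (added example, not the page's code)."""
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Brands the page lists as common targets, mapped to the domain a genuine sender
# address or link should end with. Illustrative assumption, not a real list.
KNOWN_BRANDS = {"paypal": "paypal.com", "ebay": "ebay.com", "bankofamerica": "bankofamerica.com"}

# Constructed sample message; the sender host and link host are invented.
SAMPLE_PHISH = """\
From: "PayPal Security" <service@paypa1-alerts.net>
Subject: We suspect an unauthorized transaction on your account
Content-Type: text/html; charset=utf-8

<html><body><p>To ensure that your account is not compromised, please click the
link below and confirm your identity.</p>
<p><a href="http://www.paypal.com.secure-login.example.net/verify">www.paypal.com</a></p>
</body></html>
"""

# Constructed sample of what a genuine message from the same brand looks like.
SAMPLE_LEGIT = """\
From: "PayPal" <service@paypal.com>
Subject: Your receipt
Content-Type: text/html; charset=utf-8

<html><body><p><a href="https://www.paypal.com/activity">www.paypal.com</a></p></body></html>
"""

class LinkExtractor(HTMLParser):
    """Collects (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None  # href of the <a> currently open, else None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def registered_domain(host):
    """Last two labels: 'www.paypal.com.evil.net' -> 'evil.net'. Enough for the
    brands above; real code would use the public suffix list (e.g. 'bank.co.uk')."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def host_of(text):
    """Host part of a URL, or of bare text such as 'www.paypal.com'."""
    parsed = urlparse(text if "://" in text else "http://" + text)
    return (parsed.hostname or "").lower()

def analyse(raw_message):
    """Return a list of findings; an empty list means nothing suspicious was found."""
    msg = message_from_string(raw_message)
    findings = []

    # Check 1: the display name claims a brand, but the real address is elsewhere.
    display_name, address = parseaddr(msg.get("From", ""))
    sender_domain = registered_domain(address.split("@")[-1])
    for brand, legit in KNOWN_BRANDS.items():
        if brand in display_name.lower().replace(" ", "") and sender_domain != legit:
            findings.append(f"sender claims to be {brand} but mail comes from {sender_domain}")

    # Collect the HTML part (msg.walk() covers single-part and multipart mail).
    html = ""
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            html = part.get_payload(decode=True).decode(part.get_content_charset() or "utf-8")
    extractor = LinkExtractor()
    extractor.feed(html)

    for href, text in extractor.links:
        target = host_of(href)
        # Check 2: the link text shows one host but the href goes to another.
        shown = host_of(text) if "." in text and " " not in text else ""
        if shown and registered_domain(shown) != registered_domain(target):
            findings.append(f"link text shows {shown} but points to {target}")
        # Check 3: the brand name is in the host, but not as the registered domain.
        for brand, legit in KNOWN_BRANDS.items():
            if brand in target and registered_domain(target) != legit:
                findings.append(f"lookalike host {target} is not {legit}")
    return findings
```

Running `analyse(SAMPLE_PHISH)` produces three findings (forged sender, mismatched link text, lookalike host), while `analyse(SAMPLE_LEGIT)` produces none. The checks are deliberately simple string comparisons; they catch the classic tricks the page describes but not, for example, a homoglyph domain registered for the purpose, which is why the page's advice to type the address yourself still stands.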
Examples:
You open an email or text, and see a message like this:
"We suspect an unauthorized transaction on your account. To ensure that your account is not compromised, please click the link below and confirm your identity."
"During our regular verification of accounts, we couldn't verify your information. Please click here to update and verify your information."
“Our records indicate that your account was overcharged. You must call us within 7 days to receive your refund.”
The senders are phishing for your information so they can use it to commit fraud.
Prevention:
When internet fraudsters impersonate a business to trick you into giving out your personal information, it’s called phishing.
- Don't reply to email, text, or pop-up messages that ask for your personal or financial information.
- Don't click on links within them either, even if the message seems to be from an organization you trust: both the sender address and the visible text of a link can be forged. Legitimate businesses don't ask you to send sensitive information through insecure channels.
- Delete email and text messages that ask you to confirm or provide personal information (credit card and bank account numbers, Social Security numbers, passwords, etc.). Legitimate companies don't ask for this information via email or text.
- The messages may appear to be from organizations you do business with – banks, for example. They might threaten to close your account or take other action if you don’t respond. Don’t reply, and don’t click on links or call phone numbers provided in the message, either. These messages direct you to spoof sites – sites that look real but whose purpose is to steal your information so a scammer can run up bills or commit crimes in your name.
- Area codes can mislead, too. Some scammers ask you to call a phone number to update your account or access a "refund." But a local area code doesn’t guarantee that the caller is local.
- If you’re concerned about your account or need to reach an organization you do business with, call the number on your financial statements or on the back of your credit card.
- Use trusted security software and set it to update automatically.
- Don't email personal or financial information. Email is not a secure method of transmitting personal information.
- Only provide personal or financial information through an organization's website if you typed in the web address yourself and you see signals that the site is secure, like a URL that begins https (the "s" stands for secure). Bear in mind that https only means the connection is encrypted; it says nothing about who runs the site, so a fake site can show the padlock too. No indicator is foolproof, and some phishers have forged security icons.
- Review credit card and bank account statements as soon as you receive them to check for unauthorized charges. If your statement is late by more than a couple of days, call to confirm your billing address and account balances.
- Be cautious about opening attachments and downloading files from emails, regardless of who sent them. These files can contain viruses or other malware that can weaken your computer's security.