Gone Phishing: How To Avoid Being Caught By Scammers
Wednesday, 9th September 2009 (by Baker). Filed under: Hints and Tips, Insurance, Odds and Ends, Real-Life
This article is by Adam Baker, a new GRS Staff Writer. In addition to writing for Get Rich Slowly, Baker blogs over at Man Vs. Debt, where you can find his personal background story and read more of his writing.
Last week, I adjusted several preferences on my PayPal account. I added and verified a new e-mail address and swapped my linked bank account. Shortly after finalizing the changes, I received a brief e-mail from PayPal stating that I needed to log in to verify my account.
Nothing seemed suspicious at first. But after closer examination, I noticed that the message was asking me to log in through a login form provided within the e-mail itself. “That’s weird,” I thought. Then it hit me: A well-timed phishing attack had just slipped past my e-mail account’s spam filter. I couldn’t believe how similar it was to the legitimate e-mails I’d received earlier that day confirming my account changes — or how perfect the timing of the attack was.
Fortunately, I had previously been exposed to the basics of this type of scam. I reported the attack by forwarding the message to PayPal and then immediately deleting it. Nevertheless, I realized how easy it would have been for me to fall for this phishing scam, especially given the luck of the timing. Hopefully by increasing awareness of these scams, we can decrease the chance that others will fall victim.
What exactly is a phishing scam?
“Phishing” is the process by which a criminal disguises himself as a trusted entity in order to fraudulently obtain sensitive information. Although phishing can occur in many forms, the most common of these attacks involves the creation of an e-mail, one which prompts the recipient to enter specific personal information. This allows the criminal to “catch” the resulting data.
Phishing is relatively young. The first major cluster of phishing activity focused on obtaining information through America Online accounts only 15 years ago. As online banking becomes more popular, many of the new attacks have been targeting this segment of the industry. Over the last five years, the frequency and intensity of these scams have exploded. Sadly, as a recent article in Business Week pointed out, the current recession has only spurred this upward trend.
What information are thieves looking to catch?
Most attacks target very specific information. This is often a simple username/password for the particular online site being impersonated. (In my case, the scam was only targeting my PayPal username and password.) Because far too many people use only one standard password across many accounts, thieves are frequently able to compromise many other accounts for a single victim.
Although it’s more rare, some attacks attempt to steal broad personal information. This may include your:
- social security number
- date of birth
- driver’s license number
- banking PIN numbers
This information is often compiled into a database, which can later be used to open fraudulent accounts or apply for new lines of credit. This highly targeted process of building a profile of a specific individual is often referred to as spear phishing.
How to spot a phishing scam
In the past, discerning between these scams and legitimate e-mails was much easier. They often contained obvious typos, short or broken sentences, and disjointed formatting. Unfortunately, it didn’t take long for the scammers to refine their skills. Most of today’s attacks utilize meticulously detailed corporate replicas.
Of the attacks that target a specific online account, there are two primary methods used to capture your data. The majority of these will urgently prompt you to follow a hyperlink to log in to your account. These embedded links will either forward you to a basic login client, or go as far as to create elaborate rip-offs of the genuine brand’s homepage.
Rather than redirecting you to another site, a portion of phishing attacks will provide the login form embedded within the e-mail itself. This was the tactic that tipped me off to the fraudulent PayPal e-mail I received last week. The e-mail stated, “For your convenience, you can log into your account using the secure fields below.” How nice of them!
Another less common — but effective — tactic involves requesting that the recipient call a fraudulent customer service number for urgent account information. Once dialed, the automated system will ask the victim to enter information such as account numbers, security PINs, expiration dates, and even passwords. Many people are more susceptible to this form of phishing because they’re accustomed to automated phone systems when calling customer service.
Phishing scams can also be identified through common trends in phrasing. The following examples should send up red flags:
- Extreme Urgency: Phishing attacks often use some sort of urgent time-frame in order to increase the chance you respond. They might, for example, state that you need to log in “within 24 hours” or “by Thursday at 12:00 a.m.”
- Account Restrictions: Many attacks will claim that access to your account has been (or soon will be) closed. They use phrasing such as “to restore access to your account” or “to prevent your account from being closed.”
- Security Issues: Ironically, attacks often refer to a security threat or breach. Some will explain that you need to log in to update your security settings. Others may urge you to download and install a “security update” that is really a keylogger or other form of malicious software.
- Bonuses or Promotions: Some attacks will claim that you’ve won a bonus or special promotion. This may take the form of a cash bonus or a free upgrade to a premium account of some sort. Of course, you have to log in to claim your prize.
Phishing attacks can target a wide variety of online accounts. Research has shown that brands like PayPal and eBay are consistently targeted by these attacks, as are large banking institutions. Around tax time, you should be especially wary of fraudulent e-mails impersonating the IRS and various tax preparation companies. These days, even social media and internet gaming accounts are used as bait by phishers!
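The red-flag phrasing above, together with the embedded login form that gave away the PayPal message, can be turned into a simple triage check on an incoming HTML e-mail. This is an added example, not code from the original post: the phrase patterns and the sample message are constructed here to mirror the wording the article quotes, and the hostname in the form action is a hypothetical placeholder.

```python
import re
from html.parser import HTMLParser

# Constructed phrase patterns for the four red-flag categories discussed above.
# They are matched against the lower-cased visible text of the message.
RED_FLAG_PATTERNS = {
    "urgency": [r"within \d+ hours?", r"\bimmediately\b", r"\bby \w+day at \d"],
    "account_restriction": [r"restore access to your account",
                            r"prevent your account from being (closed|suspended)",
                            r"account (has been|will be) (closed|limited|suspended)"],
    "security_issue": [r"unusual or potentially high risk", r"suspicious activity",
                       r"update your security (settings|information)",
                       r"\bsecurity update\b"],
    "promotion": [r"\byou(’|')?ve won\b", r"\bclaim your (prize|bonus)\b",
                  r"\bfree upgrade\b"],
}


class _FormScanner(HTMLParser):
    """Collects visible text and notes whether the body carries its own password form."""

    def __init__(self):
        super().__init__()
        self.in_form = False
        self.form_has_password = False
        self.text_parts = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.in_form = True
        # A password field inside a <form> in the e-mail body is the
        # "log in using the secure fields below" tactic described in the post.
        if tag == "input" and self.in_form and a.get("type", "").lower() == "password":
            self.form_has_password = True

    def handle_endtag(self, tag):
        if tag == "form":
            self.in_form = False

    def handle_data(self, data):
        self.text_parts.append(data)


def email_red_flags(html_body):
    """Return a dict of red-flag categories found in an HTML e-mail body.

    Each matched category maps to the patterns that fired; a login form with a
    password field adds the key "embedded_login_form". An empty dict means no
    red flags were seen (which is not proof that the message is legitimate).
    """
    scanner = _FormScanner()
    scanner.feed(html_body)
    text = " ".join(scanner.text_parts).lower()
    flags = {}
    for category, patterns in RED_FLAG_PATTERNS.items():
        hits = [p for p in patterns if re.search(p, text)]
        if hits:
            flags[category] = hits
    if scanner.form_has_password:
        flags["embedded_login_form"] = True
    return flags


# Constructed sample modelled on the message quoted in the post (hostname is a placeholder).
SAMPLE_EMAIL = """<html><body>
<p>Dear valued customer,</p>
<p>We have observed activity in this account that is unusual or potentially high risk.
To restore access to your account you must confirm your details within 24 hours.</p>
<p>For your convenience, you can log into your account using the secure fields below.</p>
<form action="http://login-verify.example/paypal" method="post">
  <input type="text" name="email"><input type="password" name="pass">
  <input type="submit" value="Log In">
</form>
</body></html>"""

if __name__ == "__main__":
    for category, detail in email_red_flags(SAMPLE_EMAIL).items():
        print(f"{category}: {detail}")
```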
Additional resources
While I’ve attempted to outline the basics of the phishing scam, it’s impossible to cover every detail. For more information, here are some additional resources:
- The official U.S. Federal Trade Commission’s site on identity theft
- Whitepapers: The Phishing Guide
- Phishing Scams in Plain English [video]
- 33 Ways to Thwart Identity Theft
- How and where to report phishing attacks
How often do you encounter phishing scams? Do you know anyone who has been a victim? Any additional tips for staying out of harm’s way? Join the discussion by adding your experience below!
Hook, line, and sinker photo by ToastyKen. Click through on the photo to read his own story of falling for a phishing scam.
September 9th, 2009 at 6:44 am
This is an important topic for personal finance blogs. Around the time Bush approved the economic stimulus plan, several phishing scams were sent out inviting you to enter your Social Security number to “claim your stimulus check immediately.” I’m sure thousands of people fell for it.
One thing I do is mouse over the links in my email client. If they go to a domain name that doesn’t match the domain name I’m familiar with, I don’t click on them. If you’re not sure, best to delete the email and just log in at the site you always log in at.
-Erica
September 9th, 2009 at 6:44 am
I just sent an email to paypal after reading this entry and got a very nice note from them thanking me for my efforts to prevent phishing. It was a bit hard to find the address (which is [email protected]) but I feel that I’ve done my bit to keep the internet clean today.
September 9th, 2009 at 6:45 am
It was actually refreshing to read this post this morning. It had the personal finance edge to it, but wasn’t heavily weighted toward it. A change of pace was nice!
September 9th, 2009 at 6:59 am
I like the way Vanguard adds an extra layer of security to your account. When you sign up for an account, the site gives you a picture and asks you to caption it. Later, when you put in your username, it shows you your picture and caption before you put in your password.
September 9th, 2009 at 7:15 am
I get phishing emails from “my bank” every few weeks. At first, I forwarded them to my bank, but my bank sent an email back saying that it was a phishing scam and my security info was in grave danger, but it’s not like I fell for it, so I’m at no risk (except someone may know where I bank). Now I just delete them.
September 9th, 2009 at 7:21 am
I use a simple rule: *Never* use a link in an e-mail if it’s a site that requires you to log in. *Always* type the URL in manually.
September 9th, 2009 at 7:23 am
A long read and not exactly a phishing scam, but this is one of my favorite stories from the net (some language NSFW):
http://www.zug.com/pranks/powerbook/
A couple of forum members gang up to scam an eBay scammer.
September 9th, 2009 at 7:43 am
I’d be suspicious of the “luck of the timing.” Given the sophistication of targeted advertising I’d not be surprised if the phishers had access to or knowledge of your activity. Not the specifics, but at least that you’d been visiting the site.
September 9th, 2009 at 8:08 am
I’d like to expand on #6 cph’s comment.
Rule 1: Never click on a link in an email from “your bank” always type the URL manually.
Rule 2: Never click on a link in an email from “your bank” always type the URL manually.
Rule 3: If you receive an email that urgently asks for your information go back and read rules #1 and 2.
September 9th, 2009 at 8:19 am
Phishing scams have hit my university the past couple of years. They pose as though they are the help desk, saying they need your username and password to complete some account settings or maintenance. They looked legitimate and got at least a handful of accounts.
Watch out for these phishing scams!
September 9th, 2009 at 8:20 am
Just as an addition to the “what is phishing?” section…
Phishing is a type of hacking that falls into the ‘social engineering’ category. The idea is that the scammer sends out many mails in the hope that one unlucky mark will bite - just like fishing. The ‘ph’ prefix comes from a term in the early days of hacking - phreaking - where hackers used various techniques, both social and technical, to access the telephone network for, amongst other things, free calls.
September 9th, 2009 at 8:27 am
Interesting term and phenomenon. Seems to prey on people’s impulses and stupidity.
Why the “phisher” can’t just use a spell-checker and write with proper grammar is a mystery.
Just stop buying things on impulse and read everything. Join me this austerity September and buy nothing!
September 9th, 2009 at 8:28 am
#8 My brother and I have noticed this as well… it always seems to be impeccably timed… especially revolving around paypal!
September 9th, 2009 at 8:33 am
Great article here Baker.
The best advice I can give as an Information Technology Manager mirrors what you mention in your post, and what Erica (comment #1) mentioned…
September 9th, 2009 at 8:37 am
Thanks for the post! I try to be really careful, but I did not realize phishing got so sophisticated. I thought that typos, irregular spacing, etc. would tip me off if this ever happened to me, but it didn’t occur to me that scams were this advanced, for some reason. And the eerie timing is just frightening. I emailed your article to a few people I know. You can just never be too careful.
September 9th, 2009 at 8:51 am
I will repeat this because it’s the best way to defend against this. Always go to your banking website by your own bookmarks or by typing in the address bar. Don’t use a link in the email no matter the convenience, and NEVER enter confidential information in an email or outside site. Great Post.
September 9th, 2009 at 8:52 am
I’ve received similar PayPal emails, but since I don’t have a PayPal account, I’ve never fallen for it.
I usually hover over the link and check the URL - that is the quickest way to see the email is bogus.
Even legit emails I get - ex: telling me my monthly bank statement is available - I go to my bookmark (or type the URL) and log in there rather than clicking anything in the email.
September 9th, 2009 at 8:59 am
Oops.
Baker left a reply to several comments, but I accidentally deleted his post. Sorry folks. And now he’s probably asleep. It’s 3am in New Zealand!
September 9th, 2009 at 9:05 am
@ erica - That’s another great example of an event-based phishing scam. Got to be careful for these type of one time surges.
@ Cathy - Thanks for providing that e-mail, it’s something I definitely should have included above. You’ve done your part ;-).
@ cph - That’s a great rule of thumb
@ Tyler - Haha, thanks for linking to that story. Refreshing to read.
@ Linear Girl - I found it suspicious, too. I’ve not ruled out the possibility of what you suggest, but I can’t think of any way to know or anything to do differently. For now, I’ll just closely monitor the account.
@ David - I didn’t think of Universities, but that’s great to point out. I’m sure it’s rampant there.
@ Tom - Great summary of phishing. I actually didn’t realize that the ‘ph’ originally came from phreaking. Thanks!
@ ebyt - Don’t sweat it. If I’m being totally honest, this was the first time I really have seen an authentic attempt face-to-face. I didn’t realize how people could fall for them until I got this one!
Also, lots of people backing up creating your own trusted bookmarks. This is a great way to still save time, but add a touch of security. Sweet tips.
September 9th, 2009 at 9:52 am
Very great article. I work in a university environment and we are constantly faced with spam and phishing email issues. You would think people would not fall for it anymore; you would be surprised how easily people share their email passwords over email because someone is asking them urgently.
- Roozbeh
September 9th, 2009 at 10:03 am
Adam – I must have gotten the same PayPal message you did, and it happened last week. The email said – ironically – “We have observed activity in this account that is unusual or potentially high risk.”
Then there was an attachment that looked exactly like the PayPal website asking for ALL of my personal information. But it got worse…
Later that same day, I got a similar email from my bank, again noting suspicious account activity, with an email attachment that was a dead ringer for my bank’s website. At this point I called my bank, thinking there may be something going on since two of my accounts were showing issues. There could have been a legitimate security theft issue.
The bank promptly told me it was fraudulent and to report it to their fraud department, which I did.
Fortunately, I didn’t respond directly to either email due to the generic nature of the sources and the fact that they asked for extremely detailed information, of the kind that each company should have on file to begin with.
But the fact that it was done so convincingly with two accounts shows how sophisticated the phishers have become. If only they could take that obvious talent and apply it to something legitimate…the possibilities of what they could produce are mind boggling!
September 9th, 2009 at 10:16 am
Loved this post Baker - thank you!
September 9th, 2009 at 10:30 am
Oh man that’s nothing at all what I assumed a phisher looked like. He’s wearing a tie and everything. I assumed a phisher would be an amorphous inhuman blob. They definitely seem robotic in the language of some of their lamer attempts.
But your Paypal story certainly is alarming. I feel like that’s something I would’ve almost fallen for. I wonder how they even knew you were changing your email (or was it a coincidence?). I keep getting emails from my bank addressed to “Jacob E. Busk” which is CLOSE to my name (not really) but definitely no cigar. I hope phishing doesn’t become as prevalent as trashy forwards were in the late 90s…
September 9th, 2009 at 10:49 am
Paypal makes itself a prime target for Phishing. Since they send links through their own emails, it’s not odd to receive a fake Paypal email with links in it!
At least this is the case for the “confirm your e-mail address” you get when you sign up.
You can log in and enter the numeric code they send directly into your profile, but the fact that they send links just invites trouble.
September 9th, 2009 at 11:08 am
DON’T BE FOOLED if the link text looks like the real url!! HTML can be used to disguise the true destination of a link.
For example, here is a link to Google: http://www.google.com
But if you click it, you go to Yahoo! Phishers can very easily make a link to their site look like the true url of your bank.
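The mismatch Courtney describes (link text that reads like one URL while the href points somewhere else) can be checked mechanically before anything is clicked, and the same pass can apply Erica’s rule from comment #1 that every link should stay on the domain you expect. This is an added example, not code from the post or its commenters; the sample HTML and the `login-verify.example` hostname are constructed for the demonstration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Visible text that a reader would take for a web address, e.g. "www.paypal.com" or
# "http://www.google.com". Constructed heuristic, not a full URL grammar.
_URLISH = re.compile(r"^(https?://)?(www\.)?[\w-]+(\.[\w-]+)+(/\S*)?$", re.IGNORECASE)


class _AnchorCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(value):
    """Lower-cased host of a URL; bare text like 'www.example.com' is accepted too."""
    value = value.strip()
    if "://" not in value:
        value = "http://" + value
    return urlparse(value).hostname or ""


def _same_site(host, expected):
    # "www.paypal.com" is on "paypal.com"; "www.paypal.com.evil.example" is not.
    return host == expected or host.endswith("." + expected)


def disguised_links(html_body, trusted_host=None):
    """Return http(s) anchors whose visible text is a URL that disagrees with the href,
    or (when trusted_host is given) whose href leaves the expected site."""
    collector = _AnchorCollector()
    collector.feed(html_body)
    findings = []
    for href, text in collector.links:
        if not href.lower().startswith(("http://", "https://")):
            continue  # mailto:, relative and javascript: hrefs are out of scope here
        real = _host(href)
        if _URLISH.match(text) and not _same_site(real, _host(text)):
            findings.append({"text": text, "href": href, "reason": "display/href mismatch"})
        elif trusted_host and not _same_site(real, trusted_host):
            findings.append({"text": text, "href": href, "reason": "off-site link"})
    return findings


# Constructed sample: the Google/Yahoo trick from the comment plus a fake login link.
SAMPLE_HTML = """<p>Here is a link to Google: <a href="http://www.yahoo.com/">http://www.google.com</a></p>
<p>Please <a href="http://login-verify.example/paypal">log in</a> to restore access.</p>
<p>See our <a href="https://www.paypal.com/help">help center</a>.</p>"""

if __name__ == "__main__":
    for finding in disguised_links(SAMPLE_HTML, trusted_host="paypal.com"):
        print(finding)
```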
September 9th, 2009 at 11:27 am
@ Jack - Even scammers have a dress code ;-).
@ Micheal - That’s a great observation. Actually many companies do that when confirming set-ups. Ironically, they use the same tactic as the scammers, because both know it helps increase the number of people who end up clicking/confirming.
@ Courtney - Also a good point. Several people have suggested hovering over the link to check where it *actually* links to, but there are even creative ways to mask this. Many websites do this to hide affiliate links, etc…
September 9th, 2009 at 12:04 pm
I got two email notices from the “IRS” about a tax underpayment / fraud application today. With a convenient link to click on to get the details, of course.
(sigh)
September 9th, 2009 at 12:13 pm
I was recently hooked by one of the phone scams, and it really sucked. I called my bank a few moments after I got the call because it felt weird, and nothing was stolen but my dignity.
I wrote about it on Momknewbest.blogspot.com
September 9th, 2009 at 12:31 pm
Several years ago when I would get phishing emails all the time, I would submit nasty messages to the phishers in the username/password fields they would provide in the email.
A bit childish, but it gave me more satisfaction than just forwarding to the fraud dept.
September 9th, 2009 at 1:36 pm
Phishing scams are only increasing due to the economic environment. And the scams are becoming more elusive. For example, some work environments have their own IT staff under a certain name and many are now calling claiming they are from the department and asking for a password or your e-mail will be shut off. I think most are now immune to the countless spam messages. Yet on the phone, surprisingly many people will give out their password. Once this is done, someone can access an account with usually sensitive information.
The IRS scam is prominent as well as some have indicated. I usually get these around tax filing time. They normally come under the guise of the local taxing authority. In California for example they will claim they are the Franchise Tax Board and explain how I have unclaimed funds and usually ask for your Social Security number and name on a dummy web site.
September 9th, 2009 at 3:14 pm
Great post. One thing that I didn’t see mentioned in the article or in the comments is that legitimate emails from both Paypal and Ebay will always address you by your first and last name when emailing you. The phishers always address you as “valued customer” or something along those lines.
September 9th, 2009 at 4:09 pm
A few people have recommended typing the URL yourself (or using a saved bookmark), which is good advice. However, I came across a situation a while back where someone’s PC was infected with a virus, and it updated the HOSTS file. Without getting too technical, that meant that it automatically redirected her to a different website when she typed in the bank’s URL herself; fortunately, she noticed that it looked different, and called me for help. Even if your computer is clean, the same thing could happen if you use a DNS server that’s been compromised, e.g. a wireless router. So, keep your eyes open!
SSL certificates can also help with this, although my bank (Lloyds TSB) doesn’t handle them very well, e.g. this website works:
http://www.lloydstsb.com/ (legitimate but insecure)
but this one doesn’t:
https://www.lloydstsb.com/ (would be secure if it worked)
September 9th, 2009 at 4:12 pm
“Phishing is relatively young. The first major cluster of phishing activity focused on obtaining information through America Online accounts only 15 years ago.”
Doesn’t that put the start of phishing around 1994, which is before the majority of people got online, and before online banking really took off? So to most people phishing’s been around as long as the internet. It’s more like, as long as there’s been a way to fool people into giving up their personal details, phishers have been doing it.
I’m amazed by how many people still get fooled by these things. Rule #1 of internet: never respond to spam to get removed off email lists; rule #2: never believe any email that provides you a link and asks you to log in.
September 9th, 2009 at 7:42 pm
I would add one bit of advice to avoid falling prey to “phishers”. That is, Use Your Head!!!
I am not saying that all of these types of attempts are obvious and blatant, but as long as we all realize that these types of thieves are out there, and we do our best to not make it easy for them, and again, use your head, for the most part, you should be just fine.
Be vigilant, keep your eyes wide open, and always keep in mind that the internet is a very very public place.