Protecting Yourself Online: Ever been phishing?

Title Changed From: “Dumb things that banks do, but I don’t know why?” Edited title for spelling, and changed date: should have been 11/27

Many experienced users of email have found it relatively simple to avoid becoming an unwitting victim of phishing attempts. But there is still a risk that you will fall victim to the threat at some point…

What is phishing?

The word denotes an attempt to gain access to confidential information about individuals, groups or companies. For individuals, the information that can be gained is largely for two kinds of theft:

1. identity theft – where the person or persons are trying to gain enough information about your identity to use it to steal other assets in YOUR name. For example, online thieves may try to steal your name, address, telephone number, date of birth, and your social security or identity card number or driving license number. With this information, they can then apply to banks and other lending organizations for loans, credit cards, etc. Once they have the money, they simply default on the payments, leaving the victim to pick up the pieces. Usually victims only find out when a credit application is denied for no apparent reason. The victims then have to pull a credit report from one of the credit agencies… that’s when they usually find out the truth.

2. asset theft – the information sought is more like passwords, passkeys or passphrases, account numbers, email addresses, etc. This information is usually linked with a financial organization: a bank, broker, insurance company, post office account, ATM machines, telephone banking, online banking… anywhere you must use some kind of public/private key combination to access an account with money in it. Once access is gained, the account may be emptied by transfers, or (in some cases) traded away.

Phishing occurs when an attempt is made, usually via email, to trick you into visiting a website that is disguised as one of the financial websites that you may do business with. Then you are prompted to enter all of your information in the guise of (re)confirming your account with whatever organization it is. Sometimes, though, the scammers try to urge you to visit the website by claiming that your account is about to be deleted/frozen/… whatever. Invariably this is false information.

What does a phish look like?

If you receive an email in your account asking you to confirm a loan application, confirm your identity, or stop an account closure (it may look like the following picture), do not under any circumstances click on the links in the email.

I cannot say this enough: do not under any circumstances click on the links in the email.

It may look like this:

From: U.S. Bank Association [***@***.com]
To: ***@***.com

Dear U.S. Bank valued member,

Due to concerns, for the safety and integrity of the online
banking community we have issued this warning message.

It has come to our attention that your account information needs
to be updated due to inactive members, frauds and spoof reports.
If you could please take 5-10 minutes out of your online experience and renew
your records you will not run into any future problems with the online service.
However, failure to update your records will result in account suspension.
This notification expires on May 20, 2004.

Once you have updated your account records your internet banking
service will not be interrupted and will continue as normal.

Please follow the link below
and renew your account information.

U.S. Bank Internet Banking

Recent Paypal phishing attempts have borrowed graphics, links and text all from the Paypal websites, making it hard to spot that an email is a phishing attempt. Recently, though, the scammers have been getting even more sophisticated.

What should you do if you think you have one?

I cannot say this enough: do not under any circumstances click on the links in the email.

How do you identify if it’s real or not?

If you are unsure of the veracity of the email, check the following items first:

1. Is the email actually emailed to your email address rather than a catch-all address? If it’s spam, it will be emailed as broadly as possible to maximize the results.
2. Is the email addressed to you personally, or is it entitled Dear member/customer, etc.? In most phishing attempts, the email is unlikely to address you personally. The scammers also won’t know account numbers, or addresses either, so it is likely the emails will be as general as possible.
3. Is the text similar in any way to the text in the email above? Does it request you to verify items the bank SHOULD already know?
4. Is the grammar or spelling incorrect? Often the author’s English is well below standard, and in some cases looks like it is written by someone who can’t even copy and paste.
5. Have you ever done business with the organization mentioned? You have no idea how many phishing attempts I get purportedly from people who work for banks I never even heard of or used.
6. In Firefox, and some other browsers, simply placing your mouse over the link will display the real URL in the status bar.

[image: mouse-over link]

You can spot a phishing attempt in several ways:
a. the URL displayed is different from the actual text;
b. the URL takes you to a website with numbers in it (e.g. http://123.45.67.89/etc); and
c. the URL differs from the real website’s by having extra words added to the name, e.g. http://wells-fargo-LOGIN
7. Does the email ask you to verify information that banks DON’T usually collect?…
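As an added illustration of checks 2 and 6a–6c above (this is example code written for this post, not something the banks or browsers mentioned provide), the script below pulls the links out of an HTML email body and flags the same three URL tricks, plus the generic greeting. The message body, the brand word and the list of genuine hosts are all constructed assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample body in the style of the email quoted above (not a real message).
SAMPLE_HTML = """<p>Dear valued member,</p>
<p>Please <a href="http://123.45.67.89/login">https://www.example-bank.com/</a>
renew your records.</p>
<p>Or visit <a href="http://example-bank-LOGIN.example/verify">Internet Banking</a></p>"""

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a> tag in the body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = (dict(attrs).get("href") or ""), []
    def handle_data(self, data):
        if self._href is not None:          # only text inside the current anchor
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

IP_HOST = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")
GENERIC_GREETING = re.compile(r"dear\s+(valued\s+)?(member|customer|user)", re.I)

def generic_greeting(html):
    """Check 2: the mail opens with Dear member/customer instead of your name."""
    return GENERIC_GREETING.search(html) is not None

def check_links(html, brand="example-bank", genuine_hosts=("www.example-bank.com",)):
    """Return (href, reason) flags for checks 6a-6c; an empty list means nothing suspicious."""
    parser = LinkCollector()
    parser.feed(html)
    flags = []
    for href, text in parser.links:
        host = (urlparse(href).hostname or "").lower()
        # 6a: the visible text is itself a URL, but it points at a different host than the link.
        if text.lower().startswith(("http://", "https://")):
            shown = (urlparse(text).hostname or "").lower()
            if shown != host:
                flags.append((href, "displayed %s but link goes to %s" % (shown, host)))
        # 6b: the link target is a bare numeric IP address rather than a domain name.
        if IP_HOST.match(host):
            flags.append((href, "numeric IP host"))
        # 6c: the brand name appears inside a hostname that is not one of the genuine ones.
        if brand in host and host not in genuine_hosts:
            flags.append((href, "brand name padded into look-alike host " + host))
    return flags
```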

And the shortcut…

While this list could get longer, it’s a good policy to simply refuse to click on any link in an email from any financial organization. Instead, go to the website yourself by entering the URL you already know in the address bar, and log into your account in the usual manner. I recently dealt with a financial organization about a problem via email, and of course, they didn’t need to check my identity via email. Banks simply don’t do this. If you are in any doubt, and you are still worried, call your bank yourself, or even visit the bank in person to find out what is going on.

And if you already clicked and filled it out…

If you have already clicked on a link in an email that turns out to be a phishing attempt, you will need to contact your financial organization as quickly as possible to prevent any further problems. The thieves will move quickly to use the information they have, because they know it will be canceled soon. If they move fast, you also need to take it seriously and act FAST!

Dumb and DUMBER…

Be WARNED: some financial organizations still use email and EXPECT customers to click on the links. This is a policy I find quite ridiculous. In fact, before I wrote this posting, I just received this email from a bank I used to use.

[image: HSBC bank email]

This email is one from HSBC that nearly failed all of the tests I outlined. And it turns out it was a legitimate email. I am quite astonished that banks are still failing to recognize that it is their BEHAVIOR that spawned the problem in the first place, and it is their behavior that seems to perpetuate the problem.

This email actually expected HSBC customers to click on a link to visit the website. I of course refused to do so. And I visited the website where I determined that the contents of the email were genuine.

But, please, HSBC, how dumb can you be? You send out emails that look like phishing attempts, expect clients to click on the links, visit the site and LOGIN! Then in the next breath, you are instructing clients exactly not to do what you just encouraged them to do… Am I missing something here? And here is their statement on their website:

We will not send personal information to you by ordinary email. As the security of ordinary email cannot be guaranteed, you should only send email to us using the secure email facility on our website.

Any thoughts? This kind of annoys me… I guess it is not the first time I received an email like this… How do you deal with phishing? Ever been scammed successfully? … Let’s hear it here.