Don’t Get Caught By These Phishing Attempts
Phishing attacks are getting more and more sophisticated. In the beginning you could spot the phishing emails a mile away by the spelling and grammatical errors; the emails just didn’t look like something your bank would send out.
But bad guys are fanatical testers too, and over time they have improved significantly. Here’s a recent one I received from “Chase”.
Here’s another one from “PayPal”.
Both emails have authentic images in them, and in the case of the PayPal logo it is served by PayPal’s own servers. If you click on some of the images you will be sent to the authentic Chase/PayPal site. But if you click on the “money link” you will of course end up on a phishing site. I haven’t examined these particular sites, but on this front they are also getting more sophisticated. For example, the “Resolution Center” link goes to a domain called paypal-secure-login.com, which almost sounds like it could be an official PayPal site.
Neither email was caught by spam filters.
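As an added example (not part of the original post), here is one way a mail filter could catch the pattern described above: authentic images and links mixed with one link to a domain that merely contains the brand name. The allowlist contents, function names and the URL paths in the sample message are assumptions made for illustration; only the domain paypal-secure-login.com comes from the post.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: domains each brand really uses. Maintain your own list.
OFFICIAL = {"paypal": {"paypal.com"}, "chase": {"chase.com"}}

class LinkCollector(HTMLParser):
    """Collect <a href> and <img src> targets from an HTML email body."""
    def __init__(self):
        super().__init__()
        self.found = []  # list of (kind, url)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a" and attrs.get("href"):
            self.found.append(("link", attrs["href"]))
        elif tag == "img" and attrs.get("src"):
            self.found.append(("image", attrs["src"]))

def on_official_domain(host, domains):
    # Exact match or a true subdomain; a substring match is not enough.
    return any(host == d or host.endswith("." + d) for d in domains)

def classify(url):
    """Return 'official', 'lookalike' or 'unrelated' for one URL."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    if any(on_official_domain(host, d) for d in OFFICIAL.values()):
        return "official"
    # Brand name appears in the host, but the host is not the brand's.
    # Homoglyph/punycode lookalikes are out of scope for this sketch.
    if any(brand in host for brand in OFFICIAL):
        return "lookalike"
    return "unrelated"

def scan_email(html):
    """Classify every link and image in the message."""
    parser = LinkCollector()
    parser.feed(html)
    return [(kind, url, classify(url)) for kind, url in parser.found]

def suspicious_links(html):
    # Official images elsewhere in the message do not vouch for these.
    return [u for k, u, v in scan_email(html) if k == "link" and v == "lookalike"]

# Constructed sample message; the paths are made up.
SAMPLE = """<html><body>
<img src="https://www.paypal.com/logo.gif">
<a href="https://www.paypal.com/help">Help</a>
<a href="http://paypal-secure-login.com/resolution">Resolution Center</a>
</body></html>"""

if __name__ == "__main__":
    for row in scan_email(SAMPLE):
        print(row)
```

The check is per link: the official logo and help link in the sample do not change the verdict on the “Resolution Center” link.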
These emails are both in English. Recently there have been ads on underground message boards looking for people with specific language skills. Soon you will see phishing emails targeting specific countries in their native language.
Does anyone fall for these phishing scams? Suppose it costs $100 to send out one million of these emails, and assume that 1 in 100 of them is sent to a recipient who actually has an account with the target bank. If the proverbial one-in-a-million falls for the scam, then the scammers would have to clean out $10,000 from that bank account to break even. After many years of testing and tweaking, I’m sure the bad guys have achieved much better conversion rates than my conservative estimates, making it a very profitable business.
Here are some tips to spot phishing attempts and to avoid getting robbed:
- Banks never send out emails asking you to confirm your account information.
- Never click on a link to log in to your bank account. Always type the URL into your browser every time.
- Don’t trust the phone. Using cheap VoIP technology, phishers are now asking you to call a phone number to verify your account information. There are also reports of outbound calls.
Should you report these phishing emails to your bank? I don’t think that’s a worthwhile effort. According to a recent security report, shutting down individual phishing sites is as futile as the whack-a-mole games at amusement parks.