Tips, Tricks, Tools & Techniques

for Internet Business, Life, the Universe and Everything


Don’t Get Caught By These Phishing Attempts

3 March, 2008 (10:50) | Security | By: Nick Dalton

Phishing attacks are getting more and more sophisticated. In the beginning you could spot the phishing emails a mile away by the spelling and grammatical errors; the emails just didn’t look like something your bank would send out.

But the bad guys are fanatical testers too, and over time they have improved significantly. Here’s a recent one I received from “Chase”.

Phishing email targeting Chase

Here’s another one from “PayPal”.

Phishing email targeting PayPal

Both emails have authentic images in them, and in the case of the PayPal logo it is served by PayPal’s own servers. If you click on some of the images you will be sent to the authentic Chase/PayPal site. But if you click on the “money link” you will of course end up on a phishing site. I haven’t examined these particular sites, but on this front they are also getting more sophisticated. For example the “Resolution Center” link goes to a domain called, which almost sounds like it could be an official PayPal site.
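As an added example (not code from the original post), the following Python script shows the kind of check a mail filter could apply to the email mix described above: it parses the HTML, accepts links that point at the brand’s own domain, and flags any anchor whose host is elsewhere, including lookalike hosts that merely contain the brand name. The sample message and its URLs are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the PayPal email described above; not a real message.
SAMPLE_EMAIL = """
<p><img src="https://www.paypal.com/images/logo.gif" alt="PayPal"></p>
<p>Dear member, your account access has been limited.</p>
<p><a href="https://www.paypal.com/">Visit PayPal</a></p>
<p><a href="http://paypal.com.resolution-center.example.net/login">Resolution Center</a></p>
<p><a href="http://198.51.100.23/pp/">Click here to confirm</a></p>
"""

class LinkCollector(HTMLParser):
    """Collect every href together with the visible anchor text."""
    def __init__(self):
        super().__init__()
        self.links = []        # list of (url, anchor_text)
        self._current = None   # link being read, or None outside <a>

    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if tag == "a" and href:
            self._current = [href, ""]

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data.strip()

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append(tuple(self._current))
            self._current = None

def belongs_to(host, domain):
    """True only if host is domain itself or a subdomain of it.
    A substring check would wrongly accept paypal.com.evil.example."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

def suspicious_links(html, brand_domain):
    """Return (anchor_text, host) for every link that leaves brand_domain."""
    parser = LinkCollector()
    parser.feed(html)
    flagged = []
    for url, text in parser.links:
        host = urlparse(url).hostname or ""
        if not belongs_to(host, brand_domain):
            flagged.append((text, host))
    return flagged
```

The logo and the “Visit PayPal” link pass, while the “Resolution Center” lookalike and the bare-IP link are the ones a reader would be told to type in by hand instead.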

Neither email was caught by spam filters.

These emails are both in English. Recently there have been ads on underground message boards looking for people with specific language skills. Soon you will see phishing emails targeting specific countries in their native language.

Does anyone fall for these phishing scams? Suppose it costs $100 to send out one million of these emails, and assume that 1 in 100 is sent to a recipient who actually has an account with the target bank. If the proverbial one-in-a-million then falls for the scam, the scammers would have to clean out $10,000 from that bank account to break even. After many years of testing and tweaking I’m sure the bad guys have achieved much better conversion rates than my conservative estimates, making it a very profitable business.

Here are some tips to spot phishing attempts and to avoid getting robbed:

  • Banks never send out emails asking you to confirm your account information.
  • Never click on a link to log in to your bank account. Always type the URL into your browser yourself, every time.
  • Don’t trust the phone. Using cheap VoIP technology, phishers are now asking you to call a phone number to verify your account information. There are also reports of outbound calls.

Should you report these phishing emails to your bank? I don’t think that’s a worthwhile effort. According to a recent security report, shutting down individual phishing sites is as futile as the whack-a-mole games at amusement parks.

Update: For more details on this particular PayPal phishing email see: F-Secure and



Comment from Mark Riffey
Time: March 3, 2008, 12:47


A friend of mine is the police chief in our little town of 4500 people. He told me just last week that the department still gets several reports each month from people who have fallen for these emails and had money stolen from them. This happens despite the obviousness of most of these emails, the warnings at banks, the repeated warnings from PayPal that they will never ask for this info, much less all the coverage in the news.


Comment from Nick Dalton
Time: March 3, 2008, 16:02


Wow, those are some amazing real-world statistics. Extrapolating that to the U.S. population would mean about 200,000 people per month fall for these scams.

I’ve been looking for research on the number of phishing victims and the most recent information I’ve found is from 2005 which stated that about 5% of the recipients of phishing emails actually clicked through and provided their personal information. (So much for my guess of 0.0001%). And 2% of the recipients reported a financial loss as a result. The average loss was $115. This put the U.S. phishing industry at $480M in 2005.

Applying this data to the statistics from your little town would put the U.S. losses to phishing at about $280M per year. Even though one of the numbers these calculations are based on comes from anecdotal reports and the other one is survey based, it’s very interesting to note that the end results are in the same order of magnitude.

This is a very big problem, and a very lucrative criminal industry.
