Phishing/Scamming: Why You Shouldn’t Take The Bait!

Phishing/Scamming

One of the primary reasons for the severe increase in phishing/scamming among and individuals and smaller organizations is that online criminals believe these institutions and people do not possess the resources, knowledge or employees to protect themselves or respond to a phishing/scamming attack. Many of the larger banks, retailers and ISPs have already been targeted and, therefore, have implemented countermeasures. Phishing/Scamming: Why You Shouldn’t Take The Bait!

According to the Anti-Phishing Working Group (APWG), a global, pan-industrial and law enforcement association chartered to eliminate phishing, pharming and e-mail spoofing, phishing attacks have reached an all-time high. Last November, 16,882 attacks were reported, up from 8,975 in November 2004. And these attacks do not come without substantial risks. Victims of identity theft have experienced everything from having their bank accounts depleted to having hundreds of credit card transactions falsely charged to them, to having luxury cars purchased in their name.

How Does Phishing Work?

Phishers do not need access to an organization’s network to implement a phishing scam. They can simply browse a company’s Web site, grab screenshots of the customer log-in page and mount a copy of that page onto another server.

From there, a phisher/scammer can target an organization’s customers, sending them e-mails (or by making phone calls) that appear to be from a legitimate source, leading the client to the spoofed log-in page where they are tricked into revealing confidential account information. Once entered, the customer is immediately directed back to the legitimate Web site. Therefore, there is little to alert the customer that they have been scammed. From the earliest examples, which were easily detectable (often containing obvious grammatical errors); phishing e-mails have grown in sophistication and design to the point of being nearly indistinguishable from the real thing. Phishing/scamming appeals to a customer’s sense of panic, maintaining that there is an emergency situation that demands the immediate verification of account information or the account will be closed.

Although there are tools available to detect when someone is scanning an organization’s site and retrieving its graphics, many times the activity is legitimate. Therefore, security analysts will end up with false positives. In other instances, phishers are able to dynamically retrieve the graphics from an organization’s customer log-in page almost instantly. By the time the company realizes it is being scammed, a bogus site has already been launched.

Network security companies also are beginning to see phishers use a combination of phishing and hacking to launch scams against their clients. Thus, if one phishing site is taken down, another automatically pops up. In one particular case, the phishers hacked into 11 computers in 11 different countries and used them as platforms to host the sites, using compromised desktops to send fraudulent e-mails.

Unfortunately, phishing scams have evolved to not only target an organization’s customers, but also their employees. Termed “spear phishing,” this type of scam is designed to wrangle information out of unsuspecting colleagues so that the phisher/scammer can then access secure areas of corporate networks.

One recent event targeted executives, including CEOs, of numerous credit unions across the country. The messages, appearing to be from a credit union affiliate, asked executives to confirm that their company was a federally recognized institution. Recipients who clicked on the link were taken to a Web page that attempted to download a Trojan horse onto their desktops.

In most cases, anti-virus software blocked the Trojan. If an attack had been successful, then the phisher/scammer could have potentially gained access to systems that control thousands of bank accounts, rather than just one or two.

The VoIP Threat: SPIT

Yet another emerging technology that has the potential to be rife with phishing/scamming threats is VoIP. As more and more companies and home users adopt VoIP systems, the potential for phishers to spam individuals and solicit personal information increases dramatically. Termed spam over Internet telephony (SPIT), a phisher can literally set up a computer to randomly dial hundreds of phone numbers leaving a voicemail message. Through VoIP, this voicemail is automatically transmitted into the user’s e-mail inbox. When played, the sound file can appear to be very authentic; making the call-to-action appears to be legitimate, thus leading the unsuspecting victim to provide their bank account or personal information.

How To Protect Yourself

1. If you’re selling products from a website always verify your customers identity the old-fashioned way, by talking to your customer and also by calling the actual credit card issuer to make sure you’re selling to the person that is calling you for the sell.

2. If you’re called by anyone and asked to provide personal information over the phone hang-up immediately.

3. Only ship to the actual “verified” billing address.

4. If you have to accept a “check” wait at least 7-10 days for it to clear prior to shipping.

5. Require wire transfers for all international orders unless you’re able to follow the guidelines in step 1.

6. Be aware that these scammers will often use the telephone company’s “relay service” in order to hide their true accent and/or identity.

7. Be aware of “instant messages” that they use to cause you to ship to another (unverified) address.

8. 80% of these scammers will try to get you to ship to Nigeria (W. Africa) while calling from the UK.

9. If skeptical, insist on getting a call back telephone number (and check it by calling) while also requiring that they call you also to verify their identity.

10. If they are outside of the USA and insist on using Money Orders, E-Checks, (Western Union) Bid Pay or Cashiers Checks you probably are being scammed!

It is apparent from the statistics that phishing/scamming attacks are not going away any time soon. However, as the old adage goes, “The best defense is a good offense.”