What is Phishing?
"We suspect an unauthorized transaction on your account. To ensure that your account is not compromised, please click the link below and confirm your identity."
"During our regular verification of accounts, we couldn't verify your information. Please click here to update and verify your information."
Have you received email with a similar message? It's a scam called "phishing" — and it involves Internet fraudsters who send spam or pop-up messages to lure personal information (credit card numbers, bank account information, account usernames, passwords, or other sensitive information) from unsuspecting victims.
Very simply, the scammer is 'fishing' for your personal information and passwords so that they can then use this information in various nefarious ways. Con artists might send millions of fraudulent e-mail messages that appear to come from Web sites you trust, like your bank or credit card company, and request that you provide personal information.
Phishers send an email or pop-up message that claims to be from a business or organisation that you may deal with — for example, an Internet service provider (ISP), bank, online payment service, online auction site or even a government agency (such as the Inland Revenue!). The message may ask you to "update," "validate," or "confirm" your account information. Most messages state that failure to do so will result in a cessation of the service or facility, which will obviously cause embarrassment or inconvenience. Some phishing emails threaten even worse consequences if you don't respond.
The messages direct you, or offer a click-through link, to a website that looks just like a legitimate organisation's site. But it isn't. It is a bogus site whose sole purpose is to trick you into divulging your personal information so the operators can steal your identity and run up bills or commit crimes in your name.
Identity theft is the ultimate purpose of the exercise. If someone can get vital authentication information, that person will be able to access another's bank accounts, charge accounts or credit information. As early as 1998, the US Congress passed the Identity Theft and Assumption Deterrence Act, which made identity theft a federal crime in the USA subject to as much as 15 years in prison.
Despite this, identity theft flourishes, and one easy and increasingly common way of capturing personal data is by phishing.
Phishing isn't really new. The name is modern 'geek-speak', but the practice is as old as the hills, predating computers, and even now it is not restricted to the Internet. The Internet simply gives a new route to the information. You are just as likely to get a telephone call for the same purpose. Malicious 'crackers' did this over the phone for years and called it 'social engineering' as a euphemism for their crimes.
What is new is its contemporary delivery vehicle: spam and faked Web pages. What the Internet does give is ANONYMITY, the fraudster's vital shield from discovery.
Phishing is sometimes called 'carding' or 'brand spoofing' because it uses e-mail messages that purport to come from legitimate businesses which victims might have dealings with. The names and Company Logos of banks such as HSBC, Barclays, HBOS, Lloyds, Citibank; online organizations such as eBay and PayPal; Credit Card suppliers such as VISA, Mastercard and Capital One; Internet service providers such as AOL, MSN, Yahoo and EarthLink; online retailers such as Best Buy; and insurance agencies have all been used. In fact it is true to say that no financial or internet trading company is immune to use in this way.
The messages may look quite authentic, featuring corporate logos and formats similar to the ones used for legitimate messages. Sometimes complete pages are 'cloned'. Typically, they ask for verification of certain information, such as account numbers and passwords, allegedly for auditing purposes. And because these e-mails look so official, up to 20% of unsuspecting recipients may respond to them, resulting in financial losses, identity theft and other fraudulent activity against them. Sometimes they pop up in such a logical place that the response is automatic. For instance the victim may just have entered a password when a pop-up box from the site's 'security centre' requests confirmation of this password because it has "not been changed for over one month". The automatic response is to simply retype the password in the box. That's it! The phisher now has the account password.
The attacks are becoming even more subtle and devious. Recent variants have even been warnings about the rise in phishing emails, telling customers to click on a link to be told about new security procedures(!)
A Typical Phishing Attack
On Nov. 17, 2003, many eBay Inc. customers received e-mail notifications that their accounts had been compromised and were being restricted. In the message was a hyperlink to what appeared to be an eBay Web page where they could re-register. The top of the page looked just like eBay's home page and incorporated all the eBay internal links. To re-register, the customers were told, they had to provide credit card data, ATM personal identification numbers, Social Security number, date of birth and their mother's maiden name.
What does a phishing scam look like?
As scam artists become more sophisticated, so do their phishing e-mail messages and pop-up windows.
They often include official-looking logos from real organizations and other identifying information taken directly from legitimate Web sites.
Examples of what phishing scam e-mail messages look like are shown on the Metropolitan Police
Other examples of phishing are held on a number of websites that collect these in an attempt to reduce the practice.
To make these phishing e-mail messages look even more legitimate, the scam artists may place a link in them that appears to go to the legitimate Web site but actually takes you to a phony scam site or possibly a pop-up window that looks exactly like the official site. It might even state that "you are sending information over an encrypted secure link", which is far from the truth.
These copycat sites are also called "spoofed" Web sites. Once you're at one of these spoofed sites, you are unwittingly sending personal information to the fraudster.
What to look out for
Low-level scammers just send their emails out at random. If your bank account is with HSBC and an email comes to you allegedly from 'Barclays' asking for details then it is self-evidently a scam and should be reported to the bank or organization concerned. If you receive an e-mail from Microsoft asking you to update your credit card information, do not respond. Since when did Microsoft issue credit cards?
If the email is from an organisation that you do use, then you should look for tell-tale phrases or unusual requests for information. In particular you should look out for:
"Verify your account."
Businesses should not ask you to send passwords, login names or other personal information through e-mail.
"If you don't respond within 48 hours, your account will be closed."
These messages convey a sense of urgency so that you'll respond immediately without thinking. Phishing e-mail might even claim that your response is required because your account might have been compromised.
"Dear Valued Customer."
Phishing e-mail messages are usually sent out in bulk and often do not contain your first or last name. Organisations communicating genuinely with you will frequently customise the email with a personal greeting. For instance eBay always precedes its emails with your personal eBay name to show it is genuine.
"Click the link below to gain access to your account."
HTML-formatted messages can contain links or forms that you can fill out just as you'd fill out a form on a Web site.
The links that you are urged to click may contain all or part of a real company's name and are usually "masked," meaning that the link you see does not take you to that address but somewhere different, usually a phony Web site.
Resting the mouse pointer on the link reveals the real Web address, as shown in the box with the yellow background. A string of cryptic numbers looking nothing like the company's Web address is a suspicious sign.
[Figure: Masked URL address]
Scammers may use Uniform Resource Locators (URLs) that resemble the name of a well-known company but are slightly altered by adding, omitting, or transposing letters. For example, the URL "www.microsoft.com" could appear instead as a near-identical misspelling.
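The checks described here (the visible link text not matching the real destination, a bare string of numbers instead of a company name, a company name with letters added, omitted or transposed) and the address-bar tips that follow (a bank name used only as part of some other domain, the https check) can all be automated over the links in a message. The script below is an added example and is not code from the original page: the allow-list of domains, the sample message and the hosts in it are constructed for illustration (iamafraud.com is the page's own example name, 192.0.2.10 is a reserved documentation address), and the registered-domain heuristic is a rough stand-in for a real public suffix list.

```python
# Added example (not from the page): triage of links for the tricks described above.
from html.parser import HTMLParser
from urllib.parse import urlparse
import ipaddress

KNOWN_DOMAINS = {"microsoft.com", "hsbc.co.uk", "paypal.com", "ebay.com"}  # constructed allow-list
KNOWN_BRANDS = {d.split(".")[0] for d in KNOWN_DOMAINS}
SECOND_LEVEL = {"co", "com", "org", "net", "ac", "gov"}  # so hsbc.co.uk keeps three labels

def is_ip(host):
    try:
        return bool(ipaddress.ip_address(host))
    except ValueError:
        return False

def registered_domain(host):
    """Rough registrable domain (not a public suffix list): 2 labels, or 3 for name.co.uk."""
    labels = host.lower().strip(".").split(".")
    if len(labels) >= 3 and labels[-2] in SECOND_LEVEL and len(labels[-1]) == 2:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])

def edit_distance(a, b):
    """OSA edit distance: insert, delete, substitute and adjacent transposition cost 1 each."""
    d = [[max(i, j) if i * j == 0 else 0 for j in range(len(b) + 1)] for i in range(len(a) + 1)]
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposed letters
    return d[len(a)][len(b)]

def host_of(s):
    """Hostname of a URL, or of link text that looks like 'www.x.com/path'; None otherwise."""
    s = s.strip()
    if " " in s or "." not in s:
        return None
    if "://" not in s:
        s = "http://" + s
    return (urlparse(s).hostname or "").lower() or None

def assess_link(href, text):
    """Return the warning signs for one link; an empty list means none were found."""
    reasons = []
    parsed = urlparse(href)
    host = (parsed.hostname or "").lower()
    if parsed.scheme != "https":
        reasons.append("not https")
    if is_ip(host):
        reasons.append("host is a bare IP address, not a company name")
    else:
        rd = registered_domain(host)
        if rd not in KNOWN_DOMAINS:
            buried = [b for b in KNOWN_BRANDS if any(b in l for l in host.split("."))]
            if buried:  # e.g. hsbc.co.uk.iamafraud.com really belongs to iamafraud.com
                reasons.append(f"brand {buried[0]!r} inside unrelated domain {rd}")
            else:
                first = rd.split(".")[0]
                for brand in KNOWN_BRANDS:
                    limit = 1 if len(brand) < 6 else 2  # stricter for short names
                    if 0 < edit_distance(first, brand) <= limit:
                        reasons.append(f"{rd} is a lookalike of {brand}")
                        break
    shown = host_of(text)  # does the visible text claim a different destination?
    if shown and (is_ip(host) or registered_domain(shown) != registered_domain(host)):
        reasons.append(f"masked link: text shows {shown} but it goes to {host}")
    return reasons

class LinkCollector(HTMLParser):
    # Collect (href, visible text) pairs from an HTML message body.
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def triage_email(html):
    """Return [(href, text, reasons), ...] for every link in the message."""
    p = LinkCollector()
    p.feed(html)
    return [(h, t, assess_link(h, t)) for h, t in p.links]

# Constructed sample message (iamafraud.com is the page's example; 192.0.2.10 is a documentation address).
SAMPLE_EMAIL = """<p>Dear Valued Customer,</p>
<p>Please <a href="http://hsbc.co.uk.iamafraud.com/login">click here</a> to verify your account.</p>
<p>Security update: <a href="https://www.micosoft.com/update">www.microsoft.com/update</a></p>
<p>Statement: <a href="https://192.0.2.10/account">https://www.paypal.com/account</a></p>
<p>Help: <a href="https://www.paypal.com/help">www.paypal.com/help</a></p>"""

if __name__ == "__main__":
    for href, text, reasons in triage_email(SAMPLE_EMAIL):
        print("SUSPICIOUS" if reasons else "ok", href, "|", text, reasons)
```

Run as a script it lists each link with its warning signs: the first three links in the sample are flagged (brand buried in iamafraud.com over plain http, a misspelt microsoft.com behind text that shows the real name, and a bare IP address behind text that shows paypal.com) while the genuine paypal.com link gets an empty list. An empty list is only the absence of these particular signs, not proof that a link is genuine; as the page notes, even the padlock and https can be faked.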
Other Clues and Tips
- Check the address bar
- If you are being asked to give personal details it should be in a secure area. This means that the address should start with a secure header: https://…… and there will be a padlock symbol.
- Note the 's' for secure. If it does not have this header and padlock symbol, then you are NOT in a secure area and should NOT enter personal information.
- Do note though that this is not foolproof. Recent very clever cloned sites have replaced the actual address box with a graphic designed to look like a secure area with an https:// address and a padlock symbol. The tip is to be cautious at all times.
- Does the Address correspond to the company?
- The name in the URL should relate to the expected company name - check for misspellings as above. Look out for subdomains such as
- This has your bank name but only as PART of a different domain address! This link would direct you to the iamafraud.com website! This is a very common scammers' trick.
- Does it correspond to what you would expect from the site/company?
- Genuine websites nearly always use an item of information in their email to show that the email is genuine. For instance PayPal always addresses their customers with the username in emails. An email starting "Dear PayPal Customer" is therefore FAKE.
- Don't use links!
- Very good general advice is NEVER to use links if you may be giving personal details. Always type the address in. This ENSURES that you are logged into the website that you want.
- Protect your computer with anti-virus software and a firewall, and keep them up to date.
- Some phishing emails contain software that can harm your computer or track your activities on the Internet without your knowledge.
Anti-virus software and a firewall can protect you from inadvertently accepting such unwanted files. Anti-virus software scans incoming communications for troublesome files. Look for anti-virus software that recognizes current viruses as well as older ones; that can effectively reverse the damage; and that updates automatically.
A firewall helps make you invisible on the Internet and blocks all communications from unauthorized sources. It's especially important to run a firewall if you have a broadband connection. Operating systems (like Windows or Linux) or browsers (like Internet Explorer or Netscape) also may offer free software "patches" to close holes in the system that hackers or phishers could exploit.
- Don't email personal or financial information.
- Email is not a secure method of transmitting personal information. If you initiate a transaction and want to provide your personal or financial information through an organization's website, look for indicators that the site is secure, like a lock icon on the browser's status bar or a URL for a website that begins "https:" (the "s" stands for "secure"). Unfortunately, no indicator is foolproof; some phishers have forged security icons.
- Check the email/contact against a list of known phishing attacks
- There are websites which specialise in collecting information on recent and ongoing phishing attacks. You should check these out if suspicious or just to see what to expect.
- Review credit card and bank account statements as soon as you receive them
- Check for unauthorized charges or unrecognized transactions. If your statement is late by more than a couple of days, call your credit card company or bank to confirm your billing address and account balances.
- Be cautious about opening any attachment or downloading any files from emails
- If you do not recognize the sender DO NOT OPEN files you receive, regardless of who sent them. These files can contain viruses or other software that can weaken your computer's security. Check with the sender if you are worried.
- Some phishing attacks use viruses and/or Trojans to install programs called "key loggers" on your computer. These programs capture and send out any information that you type to the phisher, including credit card numbers, usernames and passwords etc. In this case, you should:
- Install and/or update anti-virus and personal firewall software
- Update all virus definitions and run a full scan
- Confirm every connection your firewall allows
- If your system appears to have been compromised, fix it and then change your password again, since you may well have transmitted the new one to the hacker
- Check your other accounts! The hackers may have helped themselves to many different accounts:
- Check your eBay account, PayPal, your email ISP, online bank accounts, online trading accounts, Amazon.com and other e-commerce accounts, and everything else for which you use an online password.
- Forward spam that is phishing for information.
- Forward the phishing email to the company, bank, or organisation impersonated in the phishing email. Most organisations have special departments or information on their websites about where to report phishing attempts. Similarly they will frequently warn customers if a particularly widespread phishing campaign is targeting their customers.
- If possible, try to warn also the email company or ISP via whom you received the email. For instance if your email is at Yahoo! mark the mail as spam using the normal mailbox facilities and contact them to warn that a phishing attempt is underway. They may request a copy of the email you received.
If you believe you've been caught
Get in contact with the police. The Metropolitan Police website gives a contact point for reporting fraud cases.
If you believe that you have given out personal information which could be used for fraudulent purposes, you may need to do some or all of the following, depending on the extent of the fraud.
If you have inadvertently given away Credit Card or ATM card (Debit Card) details:
- Report the theft of this information to the card issuer as quickly as possible
- Many companies have 0800 free numbers and 24-hour service to deal with such emergencies.
- If necessary cancel your account and open a new one
- Review your statements carefully after the loss
If they show any unauthorised charges, it's best to send a letter to the card issuer describing each questionable charge.
If You have given out your bank account details:
- Report the theft of this information to the bank as quickly as possible. In extreme cases your Bank Manager may advise you to close the account and to open a new one
Identity theft occurs when someone uses your personal information such as your name, credit card number or other identifying information, without your permission to commit fraud or other crimes. If you have given out this kind of information to a phisher, you should do the following:
Report the theft to the three major credit reporting agencies (Equifax, Experian and CallCredit, listed below), and do the following:
- Request that they place a fraud alert and a victim's statement in your file.
- Request a copy of your credit report to check whether any accounts were opened without your consent.
- Request that the agencies remove inquiries and/or fraudulent accounts stemming from the theft.
Major UK Credit Bureaus
- Equifax - www.equifax.co.uk
- Experian - www.experian.co.uk
- CallCredit - www.callcredit.co.uk
- Notify your bank(s) and ask them to flag your account and contact you regarding any unusual activity:
- If bank accounts were set up without your consent, close them.
cases it may be necessary to:
- Notify the DVLA of your identity theft.
- Check to see whether any unauthorised documents have been issued in your name.
- Notify the passport office to watch out for anyone ordering a passport in your name.
- Document the names and phone numbers of everyone you speak to regarding the incident. Follow-up your phone calls with letters. Keep copies of all correspondence.