Phishing – the Oldest Trick in the Scammer Handbook
A small article on Internet “Phishing”
A little history…
Phishing, in its most basic terms, is pretending to be somebody you are not in order to steal personal information or assets from a victim.
It’s one of the oldest tricks in the scammer’s handbook, around long before the Internet, and like many other aged scammer tricks such as Ponzi schemes and Advanced Fee Fraud, its digital equivalent is being used to great effect on unsuspecting computer users.
That said, before the Internet, phishing wasn’t called phishing. It was just a variant of a confidence trick, common examples of which included impersonating police officers, social workers and gas inspectors. Susceptible victims would invite these impostors into their houses with no questions asked, where the criminal could “case the joint” or steal right there and then.
Going digital…
When the Internet rose in popularity, communicating with millions of people through your computer became possible, meaning that confidence tricksters no longer needed to come knocking on your door; they could come knocking on your email inbox instead. This quickly caused the scheme to be dubbed phishing, pronounced the same as fishing, because the falsified emails sent out to lure naïve victims resembled a fisherman using bait to catch fish.
These emails (or, less commonly, instant messages) masqueraded as being sent by a responsible and trustworthy entity and asked for personal information that a victim would never otherwise give to a stranger; the details the victim handed over would invariably lead to them losing money or assets.
An example…
The most obvious and common example to spring from this is the email purporting to be from your bank, asking for, unsurprisingly, your bank details. The primitive versions simply asked you to hit Reply and send the requested details back by email, but soon more advanced variants emerged, equipped with their own fake websites to which the emails directed you. These websites were set up to look like the real thing. A popular example is the email claiming to take you to the Natwest website, when in reality you were taken to a site resembling the Natwest site, with only subtle differences that even an intermediate computer user may overlook.
The fake site would ask you to enter your banking details, which are then, of course, duly stolen. The tricksters make up a plethora of reasons why you have to enter your details, but common examples for bank scams are (ironically) security reasons, or software upgrades.
Spotting the fakes…
Using the above example, there is one sure-fire way of spotting a fake if you are taken to a website through a link in an email.
The site itself may look identical, so you can’t rely on the website content for giveaways; rather, turn your attention to the URL. For those not in the know, the URL is the address of the webpage shown in the address bar at the top of the browser window. For example, Natwest’s main URL is www.natwest.com, and for their online banking it is www.nwolb.com.
A fake site won’t be able to reproduce this URL, so the scammers will make theirs look as similar as they can. A common way to do this is as follows:
The scammer owns a site called www.fxxf9.com.
The scammer wants to create a site similar to Natwest, so they create a subdomain called natwest, giving that subdomain the address www.natwest.fxxf9.com.
Add some of the PHP/ASP parameters and values that you invariably see on web pages and you have something that looks like this:
www.natwest.fxxf9.com/index.php?value=2&condition=true
Voila, you have something that at first glance looks like it could be owned by Natwest, when in fact it is owned by fxxf9.com. Who owns fxxf9.com? A scammer? In reality fxxf9.com is owned by no one; we made it up for the purpose of this example.
Also look at the start of the URL. Banks and other companies that deal with money use the https:// protocol, which means the site is on a secure web server. Fake bank websites have the standard http:// protocol that normal websites use.
If you are taken to a website that you suspect may not be genuine, your woes may not have ended there even if you do not enter personal details. These sites may also contain malware that installs itself on your computer and continues to put your financial details at risk; for more information on this type of attack, read our article on online identity theft. Always make sure your antivirus and firewall software are up to date and running properly.
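Putting the two checks above into code, as an added example that is not part of the original article: the function below pulls the host out of a link, approximates the owning domain as the last two host labels (an assumption that holds for .com addresses but not for two-part suffixes such as co.uk, where a real checker would consult the Public Suffix List), compares it against the two genuine Natwest domains named above, and reports whether the link uses https. The links it is run on are the article’s own www.natwest.fxxf9.com example plus constructed variants.

```python
from urllib.parse import urlsplit

# The two genuine NatWest addresses the article gives.
LEGITIMATE_DOMAINS = {"natwest.com", "nwolb.com"}
BRAND = "natwest"


def registrable_domain(host: str) -> str:
    """Approximate the domain that somebody actually registered.

    Assumption: the owner's domain is the last two labels of the host, so
    'www.natwest.fxxf9.com' -> 'fxxf9.com'. This is right for .com but wrong
    for two-part public suffixes such as co.uk; a production checker would
    consult the Public Suffix List instead.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def check_link(url: str) -> dict:
    """Return the signals the article tells a reader to look at in a link."""
    # A bare address such as 'www.natwest.com' is what a browser would open over plain http.
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    host = parts.hostname or ""
    domain = registrable_domain(host)

    findings = []
    # The brand name is in the host, but the owning domain is not one of the
    # real ones: the 'www.natwest.fxxf9.com' pattern.
    if BRAND in host and domain not in LEGITIMATE_DOMAINS:
        findings.append(f"brand name appears as a subdomain of {domain}, not as the domain itself")
    # Money-handling sites are served over https; a plain http link is out of place.
    if parts.scheme != "https":
        findings.append("not served over https")

    return {
        "host": host,
        "domain": domain,
        "scheme": parts.scheme,
        "findings": findings,
        "suspicious": bool(findings),
    }


if __name__ == "__main__":
    # The article's look-alike URL plus constructed variants.
    for link in (
        "https://www.nwolb.com/",
        "www.natwest.fxxf9.com/index.php?value=2&condition=true",
        "https://www.natwest.fxxf9.com/",
    ):
        result = check_link(link)
        print(f"{link}\n  owner: {result['domain']}  suspicious: {result['suspicious']}")
        for finding in result["findings"]:
            print(f"  - {finding}")
```

The host check is the stronger of the two signals: a brand name sitting to the left of the owning domain is exactly the www.natwest.fxxf9.com pattern, whoever serves the page. Treat the scheme check as supporting evidence only, since many fraudulent sites now obtain certificates and serve https as well.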
Some more examples…
Emails pretending to be from your bank are by no means the only type of phishing email out there. Far from it.
Any trustworthy institution, business or person can be, and usually has been, impersonated. Take Paypal, for example. There has been a recent spate of emails warning users that somebody was trying to gain unauthorised access to their Paypal account, and that Paypal required the victim to go to the website and confirm their details for security reasons.
In reality the emails were not from Paypal. Nobody was trying to access the victim’s account; this is just the fabricated explanation the scammers used to pressure the victim into complying. The site the victim was taken to is fake, and when they enter their personal details these are stolen; the scammer now has access to the victim’s Paypal account, where they can steal money or use the information to commit other Internet crimes, such as Advanced Fee Fraud.
Social networking sites haven’t escaped either. Facebook, eBay, YouTube, Myspace and Twitter have all had their own respective variations asking for login details, including passwords, so scammers can then access those accounts to commit more crimes, including the Facebook Friend in Need Scam.
Other organisations whose names have been used in this fraud are the Inland Revenue, affecting US users, and HM Customs & Revenue, affecting UK users. Both of these examples lead the victim to a fake website where their personal details are duly stolen.
There are many other examples, far too many to list.
Some other red flags…
Watch out for emails that are predominantly images (you can’t highlight the text, because it is an image). This is a tactic that scammers employ to fool anti-phishing software, which looks for common words and patterns in offending emails.
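A defender-side heuristic for the image-only trick, added here as an example and not taken from the article: parse the message with Python’s standard email library, measure how much readable text is left once HTML tags are stripped, and count the image parts. The two messages it inspects are constructed inline (one ordinary notice, one whose entire body is a single embedded picture); the 40-character threshold is an assumption chosen for illustration.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

TAG_RE = re.compile(r"<[^>]+>")
# Assumed threshold: an email with fewer readable characters than this, yet at
# least one image, is treated as "the text is in the picture".
MIN_VISIBLE_CHARS = 40


def visible_text(msg: EmailMessage) -> str:
    """Collect the text a recipient could actually select, HTML tags removed."""
    chunks = []
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "text/plain":
            chunks.append(part.get_content())
        elif ctype == "text/html":
            chunks.append(TAG_RE.sub(" ", part.get_content()))
    # Collapse runs of whitespace so layout-only HTML does not count as text.
    return " ".join(" ".join(chunks).split())


def count_images(msg: EmailMessage) -> int:
    """Number of image/* parts, whether inline or attached."""
    return sum(1 for part in msg.walk() if part.get_content_maintype() == "image")


def inspect(raw: bytes) -> dict:
    """Flag a raw RFC 5322 message whose visible content is essentially all image."""
    msg = message_from_bytes(raw, policy=policy.default)
    text = visible_text(msg)
    images = count_images(msg)
    return {
        "visible_chars": len(text),
        "images": images,
        "flagged": images > 0 and len(text) < MIN_VISIBLE_CHARS,
    }


def build_sample(html_body: str, with_image: bool) -> bytes:
    """Construct a sample message (constructed test data, not a real email)."""
    msg = EmailMessage()
    msg["From"] = "notices@example.invalid"
    msg["To"] = "reader@example.invalid"
    msg["Subject"] = "constructed sample"
    msg.set_content(html_body, subtype="html")
    if with_image:
        # A stand-in PNG header; a real phish would embed the whole letter as one picture.
        msg.add_related(b"\x89PNG\r\n\x1a\n" + bytes(16),
                        maintype="image", subtype="png",
                        cid="<letter@example.invalid>")
    return msg.as_bytes()


# Ordinary notice: readable text, no picture.
NORMAL_EMAIL = build_sample(
    "<p>Dear customer, your statement for March is now available to view in online banking.</p>",
    with_image=False,
)
# Image-only message: the body is nothing but a reference to the embedded picture.
IMAGE_ONLY_EMAIL = build_sample(
    '<html><body><img src="cid:letter@example.invalid" alt=""></body></html>',
    with_image=True,
)

if __name__ == "__main__":
    for label, raw in (("normal", NORMAL_EMAIL), ("image-only", IMAGE_ONLY_EMAIL)):
        print(label, inspect(raw))
```

In a mail filter this would be one score among several rather than a verdict on its own, since legitimate marketing mail is also image-heavy; what makes it useful is that it measures exactly the property the scammers are exploiting, the absence of selectable words for a keyword filter to match.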
Watch out for emails that report someone was trying to gain access to your account; this is a common pretext scammers use to get the victim to obey. Other common red flags are “software upgrades” and “security upgrades”.
There are other methods that scammers use, and to provide a fully comprehensive list would be impossible, since the technologies used for this scam are endless and diverse, and are getting better and more believable every day.
Rule of Thumb…
To stay safe, the rule of thumb for protecting yourself against phishing scams is never to click links in emails or instant messages, as you have no control over where they take you. If you think the message may be genuine, visit the relevant website directly instead of clicking the link. Using the example we discussed earlier, Natwest, don’t click the links in the email claiming to be from Natwest. Rather, open your Internet browser, type in www.natwest.com and go from there. Also make sure you have up-to-date, authentic antivirus software on your computer. For our recommendations on good security software, click here.