THE MILLERSMILES GUIDE
Part 1: The Beginner's Guide to Phishing
This article is the first in an occasional series on scams and frauds on the internet, and how to avoid them.
This week we'll take a look at the scamming technique most commonly known as "phishing", which is a growing problem on the internet. In 2004 alone there has been a 40% rise in the number of recorded attacks, and the situation is only likely to get worse.

The term "phishing" comes, unsurprisingly, from the word fishing, and the approach is very similar. Fraudsters and scammers (the "fishermen") send out large quantities of emails (the "bait") to mostly random addresses across the internet. These emails appear to be from a variety of banks, financial services and sites like eBay, AOL and PayPal, all asking the victim to enter their account and/or credit card details for a variety of reasons, from supposed 'problems' with computer systems losing account details through to more genuinely helpful-looking pretexts such as checking that a recent 'credit transaction' was not unauthorized. Although only a small proportion of people (about 5%) will actually respond to phishing emails, for the scammer this is still a very large return for minimal risk. It is not currently illegal to send a phishing email; a crime is only committed if the scammer actually obtains the details he is after.
There is no foolproof defense against phishing, other than to be aware of the dangers and alert in case you are ever targeted.
At millersmiles.co.uk, we look carefully at every spoof email that we receive, and then create reports on their content and method. These reports are listed in our archive, along with screenshots of every email and the spoof website it links to, allowing you to search for a suspect email to see if it has been reported and to confirm for yourself that it is a fraud. The site is updated daily, so if you visit regularly you will get a good idea of what scams to expect. You can also use our XML feed, which lists the most recent scams and their subject lines, to help you spot them quickly. Our archive stretches back several years and includes all the major scams and their variations over this period. The site is free to use; our aim is to make the internet a safer place!
Phishing emails come in all shapes and sizes. Some look extremely professional and realistic, whilst others are crude and badly constructed. Sometimes this is a ploy to make the victim think they are dealing with someone too uneducated to be capable of deception, and other times it is more likely a reflection of the poor English skills of the creator(s). Of the hundreds of emails we capture or are forwarded daily at millersmiles, most are simply duplicates of scams already in circulation, and others are either incomplete or outdated.

The most common technique is to tell the victim there has been some sort of problem with their account, and that it needs to be 'verified' to keep it from being closed or suspended. The recipient is then prompted either to enter their details into a form in the email, or to click a link to the 'official site' of the supposed sender. The site the link actually goes to is a spoof page created to look exactly like the real website it is mimicking, so at a glance you would never know the difference. Some of the more sophisticated spoofs even fake the URL in the address bar, so even the site address looks authentic. Here is an example of a recent typical spoof email from our archives:
It looks real enough, but it's not.
Whatever the approach used, once your details have been entered and submitted, they are forwarded straight to the scammer, who can exploit your account.
You can avoid being a victim though, if you follow these simple rules:
- NEVER TRUST AN EMAIL SENDER
Did you know that you can fake the return address in an email? For the less computer literate, that's the bit of the email that tells you who it's from. The "From" line is simply typed in by whoever sends the message and is not checked by anyone along the way, so the sender can put any name and address they like in it. Never trust an email just because it appears to come from a legitimate address. Over 95% of phishing attacks use spoofed sender addresses to appear more authentic.
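The following is an added example, not part of the original article, showing how little the "From" line proves. It parses a constructed sample message (the bank name, addresses, hostnames and IP addresses are all made up for the example) with Python's standard email library, compares the domain in the From: header with the envelope sender recorded in Return-Path:, and pulls the originating machine out of the earliest Received: header, which is the one the sender cannot remove because the receiving mail servers add those as the message passes through.

```python
"""Compare what an email's From: line claims with what the mail servers recorded."""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample, not a real message: a "bank" From: header on a mail whose
# envelope sender (Return-Path) and first hop belong to somewhere else entirely.
SAMPLE_RAW = """\
Return-Path: <bounce@mail-relay.example.net>
Received: from mail-relay.example.net (mail-relay.example.net [203.0.113.10])
\tby mx.recipient.example (Postfix) for <victim@recipient.example>; Wed, 4 Aug 2004 10:12:33 +0100
Received: from [198.51.100.77] (unknown [198.51.100.77])
\tby mail-relay.example.net with SMTP; Wed, 4 Aug 2004 09:58:02 +0100
From: "Example Bank Security" <security@examplebank.com>
To: victim@recipient.example
Subject: Please verify your account
Content-Type: text/plain

Your account has been suspended. Click the link below to verify your details.
"""


def domain_of(header_value):
    """Lower-cased domain part of the address in a From:/Return-Path: value ('' if none)."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def origin_host(received_headers):
    """Host named in the earliest Received: header.

    Mail servers prepend Received: headers, so the LAST one in the message is
    the first hop: the machine that actually handed the message in.
    """
    if not received_headers:
        return ""
    match = re.match(r"\s*from\s+(\S+)", received_headers[-1])
    return match.group(1) if match else ""


def sender_report(raw):
    """Summarise who the message says it is from versus who the servers say sent it."""
    msg = message_from_string(raw)
    received = msg.get_all("Received") or []
    from_domain = domain_of(msg.get("From"))
    return_path_domain = domain_of(msg.get("Return-Path"))
    return {
        "from_display": parseaddr(msg.get("From") or "")[0],
        "from_domain": from_domain,
        "return_path_domain": return_path_domain,
        # True when the claimed sender domain and the envelope sender domain differ.
        "envelope_mismatch": bool(from_domain and return_path_domain
                                  and from_domain != return_path_domain),
        "received_hops": len(received),
        "origin": origin_host(received),
    }


if __name__ == "__main__":
    for key, value in sender_report(SAMPLE_RAW).items():
        print(f"{key:>20}: {value}")
```

A mismatch between From: and Return-Path: is a strong hint rather than proof: legitimate mailing lists and bulk-mail providers also send with an envelope address on a different domain, and the envelope address itself is only as honest as the sending server. The Received: trail is the part the sender has least control over, so when the bank's name is on the From: line but the first hop is an anonymous address on someone's home connection, you are looking at a spoof.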
- LEARN TO SPOT A SPOOF
Whilst the most professional spoofs may be almost indistinguishable from the real thing, other scams are much easier to spot.
A common technique used by scammers is to include all of the email's text as an image, and have the whole image link to a spoof website when clicked. This is a tactic to defeat email filters that can scan the text of an email but not the words inside a picture. If you can't click and select the text with the mouse as you normally would, it's a scam: legitimate banks don't send their messages as a single clickable picture.
Bad spelling and grammar are also a dead giveaway, as are senders that seem unable to spell their own names, e.g. 'Alert from Ciitibnk'. Banks and the like don't send out emails with mistakes as bad as these.
Sometimes a spoof email will come with an attachment. Don't open it! It may be harmless, but there is no need to take the risk. Email is the most common way that viruses are spread (around 90% of computer viruses are distributed this way), and as well as being a scam the email may try to infect your computer with programs that steal information from you without your knowledge.
- PROTECT YOUR COMPUTER
An unprotected computer on the internet is like a house without locks: extremely vulnerable. To make your computer safer and more secure, there are 3 basic steps you can take:
Get an antivirus program (and keep it updated). Antivirus programs sit on your computer and scan every file in case it's infected with a virus, and can then remove it from your system. It is essential to keep an antivirus up to date, as new viruses appear every day. Most antivirus programs will do this for you automatically.
Get a spyware removal program (and keep it updated). Spyware removal programs are an essential companion to an antivirus, as they can pick up programs that the antivirus may miss. Some programs, known as 'spyware', are not classed as viruses but are still potentially harmful, as they can sit on your computer gathering information without your knowledge or consent. Some can even record every key you press, capturing important information such as passwords and credit card details.
Update your operating system. Most people these days use Microsoft Windows, but Windows is not flawless: security holes are regularly discovered that an attacker could exploit to get inside your computer and steal information. Microsoft releases fixes for the weaknesses it finds, so make sure you have all the latest updates from http://windowsupdate.microsoft.com.
- NEVER REPLY TO AN EMAIL REQUEST FOR YOUR DETAILS
This is the simplest rule of all. Banks, financial institutions and the like will never send you an email asking you to verify your account or update your details via email. It simply doesn't happen. In the rare cases where problems occur they will contact you directly by phone, letter or other means. Even if an email looks authentic, it more than likely isn't. For example, did you know that a link can say one address but actually go somewhere completely different? You could click on a link that said www.paypal.com, but get taken instead to www.stealallyourmoney.com.
If you are going to visit any site where you intend to enter your account details or similar, you should only go there by typing the site's address directly into the browser address bar, not by clicking a link in an email. This is the only way to be sure you are visiting the real site and not some sort of spoof.
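The following is an added example, not part of the original article, that does in code what the advice above asks you to do by eye: for every link in an HTML email it compares the address the link text shows with the host the browser would actually connect to, and it also flags the image-only body described earlier under spotting spoofs. Only Python's standard library is used; the HTML snippets, hostnames and IP addresses are constructed for the example. It goes slightly beyond the article by also catching the user-info trick, where an address such as http://www.paypal.com@203.0.113.5/ is read by the browser as host 203.0.113.5 with "www.paypal.com" as a username.

```python
"""Compare what a link in an HTML email says with where it actually goes."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample HTML bodies; the IP address and paths are made up.
SAMPLE_HTML = """<html><body>
<p>Dear customer, please confirm your details at
<a href="http://203.0.113.5/~update/paypal/">www.paypal.com</a>
or <a href="http://www.paypal.com@203.0.113.5/login">http://www.paypal.com/login</a>.</p>
<p>Questions? See <a href="https://www.paypal.com/help">our help pages</a>.</p>
</body></html>"""

IMAGE_ONLY_HTML = ('<html><body><a href="http://203.0.113.5/verify">'
                   '<img src="cid:bankletter"></a></body></html>')


class _LinkCollector(HTMLParser):
    """Collect href, visible text and whether an <img> sits inside each <a>."""

    def __init__(self):
        super().__init__()
        self.links = []
        self.text_chars = 0        # count of non-whitespace text anywhere in the body
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a":
            self._current = {"href": attrs.get("href", ""), "text": "", "image": False}
        elif tag == "img" and self._current is not None:
            self._current["image"] = True

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append(self._current)
            self._current = None

    def handle_data(self, data):
        self.text_chars += len(data.strip())
        if self._current is not None:
            self._current["text"] += data


def host_of(url):
    """Host the browser will really connect to.

    urlsplit treats everything before '@' as username/password, so
    'http://www.paypal.com@203.0.113.5/' yields the host '203.0.113.5'.
    """
    return (urlsplit(url.strip()).hostname or "").lower()


def claimed_host(text):
    """If the visible link text looks like a URL or bare hostname, return that host."""
    text = text.strip()
    if not text or " " in text:          # 'Click here' and similar carry no claim
        return ""
    candidate = text if "://" in text else "http://" + text
    host = host_of(candidate)
    return host if "." in host else ""


def suspicious_links(html):
    """Links whose visible text names one host while the href goes to another."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for link in parser.links:
        real, said = host_of(link["href"]), claimed_host(link["text"])
        if said and real and said != real:
            findings.append({"text": link["text"].strip(), "href": link["href"],
                             "reason": f"says {said}, goes to {real}"})
    return findings


def image_only_body(html):
    """True when the body has no selectable text and a linked image: the trick from above."""
    parser = _LinkCollector()
    parser.feed(html)
    return parser.text_chars == 0 and any(link["image"] for link in parser.links)


if __name__ == "__main__":
    for finding in suspicious_links(SAMPLE_HTML):
        print(f"{finding['text']!r} -> {finding['href']}  ({finding['reason']})")
    print("image-only body:", image_only_body(IMAGE_ONLY_HTML))
```

The comparison is exactly what hovering over a link in a mail client shows you, and the same rule applies: a host that merely contains the bank's name, such as www.paypal.com.example.net, is not the bank's host. Link text that names no host ("click here") is not scored here at all, which is why the advice to type the address yourself still stands.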
- VISIT MILLERSMILES.CO.UK!
If in doubt, don't do it! If you have even the slightest suspicion that an email you've received is anything less than 100% legitimate, don't give out any of your details. First contact the company or group the email claims to be from, and forward them the email so they can confirm or deny its authenticity. You can also search for the email in the millersmiles archives. If we haven't got it listed, forward it to us at firstname.lastname@example.org so we can check it out. Finally, if you're sure it's a scam, simply delete it. The sooner it's off your computer the better. You can also subscribe to our Scam Alerts RSS feed for all the latest alerts, or add it to your Yahoo personal page.
If you think you might have fallen victim to a phishing scam, don't panic, but you need to act quickly. The most important thing to do is to contact the real bank or company straight away and tell them what has happened; they will sort you out and tell you what to do. You should also change your passwords and any other details you gave out, so that they are no longer valid and cannot be used by a fraudster, and keep an eye on your statements for transactions you don't recognise.
That concludes our introduction to phishing. I hope the information above is useful to you, and helps to keep you safe!
Next time we'll take a look at the so called ‘419' scams that are currently making headlines around the world, another variant on the standard phishing technique.
Thanks for visiting millersmiles!
4th August 2004
Want to learn more? Click here to read Part 2: 419 Scams