2 June 2004: Gone phishing
Gone phishing

A couple of years ago I received an email from PayPal, the payment processing company. They were beefing up their security and could I please go to such and such page and verify my details. The mail looked as if it came from them, and when I clicked on the link it sure looked like I was on the PayPal site. Both the mail and the site were full of the usual exhortations not to give my password to any employee and so on. It all looked very genuine. The only problem was that the mail wasn't from PayPal and neither was I on the PayPal web site. Had I entered my login and password I would have given some crooks access to my PayPal account. Fortunately I spotted the hoax, but many people would not. Now I get these emails daily from every bank under the sun, ranging from the clever to the ludicrously amateur. The old name for this type of security attack was a 'Trojan Horse attack'; the new and trendier name is phishing. It is a major industry and everyone who has an email address will probably get one from time to time; in fact you would be quite lucky if you have escaped. Earlier this month, email filtering company Brightmail said more than three billion of this sort of email have been sent out.

How do you protect yourself from this type of scam? Rule number one is never click on a link in an email from your bank. The link may say 'Click on this link http://www.lloydstsb.com' and the page you go to may have http://www.lloydstsb.com in the address bar, but both of these can be forged. The latest Internet Explorer (IE6sp1) does protect you against forged addresses in the address bar. However, there are even web sites that remove your address bar and substitute a forged one. Always load up your browser and type in the web address of your bank. Don't assume that the address in the email is correct; the bad guys may have registered a domain name close to your bank (www.lloydstsb.uk.com is available for purchase right now!).
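The two forgeries described above, link text that shows the bank's address while the actual target is elsewhere and a look-alike domain that merely contains the bank's name, can both be checked mechanically before anyone clicks. The following is an added example, not code from the original newsletter; the trusted host list and the sample mail body are constructed for illustration, and the look-alike domain is the one the text itself mentions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical allow-list of the bank's genuine hosts (constructed for this example).
TRUSTED_HOSTS = {"www.lloydstsb.com", "lloydstsb.com"}

class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from the <a> tags of an HTML mail body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def _host(url):
    return (urlparse(url).hostname or "").lower()

def check_links(html_body, trusted_hosts=TRUSTED_HOSTS):
    """Return (href, reason) for links with the warning signs described in the text:
    visible text is a URL whose host differs from the real target, or the target host
    merely contains the bank's name (e.g. lloydstsb.uk.com) without being trusted."""
    brands = {h.split(".")[-2] for h in trusted_hosts}  # e.g. {"lloydstsb"}
    parser = _LinkCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        real = _host(href)
        shown = _host(text) if re.match(r"https?://", text) else ""
        if shown and shown != real:
            findings.append((href, f"text shows {shown} but link goes to {real}"))
        elif real not in trusted_hosts and any(b in real for b in brands):
            findings.append((href, f"look-alike host {real} is not a trusted bank host"))
    return findings

# Constructed sample mail body (not a real message) mimicking the lure described above.
SAMPLE_MAIL = """
<p>Please <a href="http://www.lloydstsb.uk.com/verify">http://www.lloydstsb.com</a> to verify.</p>
<p>Or read <a href="http://www.lloydstsb.com/help">our help page</a>.</p>
<p>Sign in at <a href="http://lloydstsb.uk.com/login">our secure site</a>.</p>
"""
```

Running `check_links(SAMPLE_MAIL)` flags the first and third links and passes the second; the same check is a reasonable building block for a mail gateway rule, since neither sign depends on the sender address, which the text notes can be forged as well.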
If you want to know more about phishing check out www.antiphishing.org.

Let's take a holiday to somewhere tropical

Phishing scam emails have now taken over from the older Nigerian scam emails as the scam du jour. The Nigerian scam (otherwise known as the 4-1-9 scam) was based around the premise that the fraudster had some millions and needed someone outside the country to help him launder it. For a percentage (of a very large amount) you would just need to transfer the money to your personal account then back out again. The underlying fraud was anything from some upfront fees through to getting kidnapped/mugged if you were crazy enough to actually go to Nigeria. The scam was not of course restricted to Nigeria, any third world country will do, but for a while the scam was a major contributor to Nigeria's balance of payments! This has pretty much run its course now, but expect it to come back when memories blur. Both the Nigerian scam and phishing are relatively sophisticated forms of fraud. You have to admire the creativity of some of the fraudsters. In particular the Nigerian scam became, at its height, a true art form.

False sales

However, there are much easier ways of parting a fool and his/her money. The principal form of consumer fraud by far is simply to post an item on eBay, take the money and run. The way eBay works, most products covered by their protection plans are pretty safe. But read the fraud protection tips here (http://www.paypal.com/uk/ebay/cgi-bin/webscr?cmd=p/gen/fraud-tips-buyers-outside) before you buy. If you visit a web site that is offering products that are unbelievable value, maybe you shouldn't believe them. Anyone can open up a web site and take your credit card details. Who is to say the goods will be delivered and your personal information is safe? There are (and have been) a number of merchant approval programs with fancy logos, but I don't think someone who creates a bogus web site is going to have a problem spoofing those.
Won the lottery?

Have you just won a lottery somewhere? At some point of course you will need to positively prove your identity.

And of course - your garbage

The generic term for all the above is identity theft. The primary form of identity theft is, and probably always will be, rather low-tech. Someone goes through your garbage - they call it 'dumpster diving'. How refreshing.
