Phishing Scams
The term “phishing” (pronounced “fishing”) is IT slang, coined by replacing the letter “f” with “ph”. Phishing is exactly that: fishing for information, usually personal information such as credit card, bank account or National Insurance numbers.

Scammers “phish” for your personal information in a variety of ways, but most commonly through fraudulent emails claiming to be from your bank or another institution that already holds your personal details, asking you to confirm those details.

Once scammers have “phished” out your information, they can use it in a number of ways. Your credit card could be used for unauthorised purchases, your bank account could be cleared out, or they may simply gather the information for an identity theft scam or sell it to identity theft rings.

Phishing emails are commonly used together with a fake web site that looks very similar to the real web site of the relevant institution.
Initial E-mail - Methods of Deception Used in Phishing Scams

The initial phishing email is designed to entice the recipient to open the email and click on the link provided. The fraudsters use multiple methods to do this, including enticing subject lines, forging the sender’s address, using genuine-looking images and text, and disguising the links within the email.
1. Deceptive Subject Lines

Phishing emails tend to have subject lines that appear genuinely related to the purported sender, in an attempt to entice the user to open the email, for example “Important notice for all Internet Banking Users”. It is also common for subject lines to use numerals or other letters in place of characters in an attempt to bypass spam filters, such as a capital “I” replacing “1”.

Some phishing emails deliberately misspell key words to bypass spam filters; most people would not notice this when quickly glancing at the subject line.
2. Forged Sender’s Address

Forging the sender’s address is an easy deception method. There is no guarantee that the address listed as the sender’s is genuine. Phishing scam emails will normally carry a forged sender’s address so that the email appears to have come from the company it claims to be from.
3. Genuine-Looking Content

Phishing emails normally use images and text styles copied from the legitimate web site to make the email appear genuine. Many consumers are fooled into thinking an email is genuine simply because it carries the bank’s logo.

Some phishing emails also include genuine links to the company’s privacy policy and other pages on the legitimate web site. Trust and authentication marks are also duplicated to build the user’s confidence that the email is authentic.
4. Disguised Hyperlinks

Links within an email are deliberately disguised in another attempt to deceive the recipient. An HTML email may display a genuine URL, but when clicked the hyperlink takes the user to a different web site. For example, a link displayed as “http://www.genuine-site.com” may actually take the user to “http://www.fraud-site.com”.

In text-only emails, a long URL is presented with an “@” before the actual web site. For example, a link may be displayed as “http://www.genuine-site.com-Verify83kcmdj30dk>Secure32902ds;lkjasdfkljad@fraud-site.com”. This would take the user to http://www.fraud-site.com, as that is the part after the @ symbol. The link may look valid because it begins with the genuine site’s URL and contains genuine-looking words.
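An added example (not from the original page) that applies the two checks described above to an email’s links: it extracts the host a browser would actually connect to, treating anything before “@” as user information, and flags an HTML anchor whose visible URL names a different host from its href. SAMPLE_EMAIL and the site names in it are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

def actual_host(url):
    """Host a browser would connect to: anything before '@' in the authority is
    treated as user information, so the real host is whatever follows the '@'."""
    url = url.strip()
    if "://" not in url:                     # bare "www.site.com/..." in link text
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()

class LinkCollector(HTMLParser):
    """Collects (visible text, href) pairs for every <a> in an HTML email body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = (dict(attrs).get("href") or ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((" ".join("".join(self._text).split()), self._href))
            self._href = None

def audit_links(html):
    """Return (visible text, real host, suspicious) for each link in the email."""
    parser = LinkCollector()
    parser.feed(html)
    parser.close()
    results = []
    for text, href in parser.links:
        real = actual_host(href)
        looks_like_url = "." in text and " " not in text
        shown = actual_host(text) if looks_like_url else ""
        # Flag a visible URL whose host differs from the href host, and any href
        # that uses the '@' trick (user information in front of the real host).
        suspicious = (shown != "" and shown != real) or "@" in urlsplit(href).netloc
        results.append((text, real, suspicious))
    return results

# Constructed sample: one disguised link and one genuine link to the real site.
SAMPLE_EMAIL = """<p>Please confirm your details at
<a href="http://www.fraud-site.com/verify">http://www.genuine-site.com</a>.
See our <a href="http://www.genuine-site.com/privacy">privacy policy</a>.</p>"""
```

Running audit_links(SAMPLE_EMAIL) reports the first link as suspicious (shown www.genuine-site.com, really www.fraud-site.com) and the privacy-policy link as fine.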
5. Email Form

The email contains a form for the consumer to enter their personal information and click “submit”, “send” or “update”. Forms within emails use a script located on a remote server to receive the information and either forward it to the fraudsters or place it in a database for the fraudster to pick up later.

These methods are used by the more sophisticated phishing emails. Some amateur phishing emails contain poor spelling and grammar, no images, and may not even attempt to disguise the URL.
Web Site - Methods of Deception Used in Phishing Scams

The fraudulent web site that supports the phishing email is designed to mirror the legitimate web site it purports to be. The fraudsters use multiple methods to do this, including using genuine-looking images and text, disguising the URL in the address bar, or removing the address bar altogether.

The purpose of the web site is to trick consumers into thinking they are at the company’s genuine web site and giving their personal information to the trusted company they think they are dealing with.
1. Genuine-Looking Content

Phishing web sites use copied images and text, and in some cases simply mirror the legitimate web site. The copy will contain the normal links found on the web site, such as contact us, privacy, products, services and so on. The user recognises the content from the genuine site and is unaware they are not on the genuine web site.
2. Similar-Looking URL to the Genuine URL

Some phishing web sites have registered a domain name similar to that of the organisation they appear to be from. For example, one phishing scam targeting Barclays Bank customers used the domain name “http://www.barclayze.co.uk”.

Other examples include using a sub-domain such as “http://www.barclays.validation.co.uk”, where the actual domain is “validation.co.uk”, which is not related to Barclays Bank.
3. Form - Collection of Information

The most common method used to collect information in phishing scams is a form on the fake web site. The form is normally displayed in the same format as the one used on the genuine web site. This may be an Internet Banking log-in, or a more detailed form for verification of personal details, with many fields for personally sensitive information.
4. Incorrect URL, Not Disguised

Some phishing scam web sites do not even attempt to deceive users with their URL, and simply hope that the user does not notice. Some use bare IP addresses, displayed as numbers in the user’s address bar.
5. URL Spoofing of Address Bar (Fake)

This form of URL spoofing involves removing the address bar and using scripts to build a fake address bar from images and text. The link in the phishing email opens a new browser window, which closes and re-opens without the address bar, and in some cases without the status bar. The new window uses HTML and JavaScript to construct a false address bar in place of the original.

As this method relies on scripts, it can only be stopped by disabling ActiveX and JavaScript in the browser settings. As most web pages use these normal tools, this is impractical.
6. Hovering Text Box over Address Bar

This form of URL spoofing involves placing a text object with a white background over the URL in the address bar. The text object contains the fake URL, which covers the genuine URL.

As this method relies on scripts, as before it can only be stopped by disabling ActiveX and JavaScript in the browser settings, although this is virtually impractical.
7. Pop-Up Windows

This form of deception uses a script to open a genuine web page in the background while a bare pop-up window (without address bar, tool bars, status bar or scrollbars) is opened in the foreground to display the fake web page, in an attempt to mislead the user into thinking it is directly associated with the genuine page.

As this method relies on scripts, it can only be stopped by disabling ActiveX and JavaScript in the browser settings. As most web pages use these normal tools, this is once again impractical.
8. Trojans and Spyware

Trojans and worms are sent to the user as an email attachment, purporting to serve some purpose such as greetings or important files, or arriving in other types of spam email. The attachment is a program that exploits vulnerabilities in Internet browsing software to force a download from another computer on the Internet. This file downloads further files and code, which eventually install a fully functional Trojan.

The Trojan is designed to harvest, or search for, personal banking information and passwords, which many people keep on their computer. This information is then sent to a remote computer on the Internet.

Other worms have been known to hijack the user’s HOSTS file, which causes an automatic redirection to a fake phishing web site when the user types a specific URL (normally that of a specific financial institution) into the address bar of their Internet browser.

Spyware, such as keyboard loggers, captures information entered at legitimate web sites, such as Internet banking sites. This type of spyware can be planted on a user’s computer by a previous worm or Trojan infection. Any information the spyware captures is sent to a predetermined computer on the Internet.

One known phishing scam used the link in the email to direct the user’s browser to a site that first downloaded keyboard logging spyware before redirecting the user to the genuine Internet banking web site. This spyware captured the login information entered and sent it to the fraudsters via a remote computer on the Internet.
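An added example, not from the original page, that audits a HOSTS file for the hijack described above: any line that pins a monitored bank domain to an address is reported, since the browser consults HOSTS before DNS and would be sent to that machine instead of the bank. HOSTS_CONTENT and MONITORED are constructed sample data, and 198.51.100.23 is a documentation address.

```python
import ipaddress

# Constructed sample HOSTS file. On Windows the real file is
# %SystemRoot%\System32\drivers\etc\hosts; on Unix-like systems it is /etc/hosts.
HOSTS_CONTENT = """# constructed sample
127.0.0.1       localhost
::1             localhost
# lines a hijacking worm might append: the bank's names now point at another machine
198.51.100.23   www.example-bank.co.uk example-bank.co.uk   # fake login site
127.0.0.1       ads.example.net
"""

# Registrable domains of the institutions the user banks with (assumed list).
MONITORED = {"example-bank.co.uk"}

def parse_hosts(text):
    """Yield (address, hostname) for every mapping; comments and blank lines are skipped."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *names = line.split()
        for name in names:
            yield addr, name.lower().rstrip(".")

def hijacked_entries(text, monitored=MONITORED):
    """Return (hostname, address) for every monitored domain pinned in the HOSTS file.
    A bank's name has no business being pinned at all: the browser consults HOSTS
    before DNS, so any such line sends the user to the listed machine, not the bank."""
    found = []
    for addr, name in parse_hosts(text):
        try:
            ipaddress.ip_address(addr)          # skip malformed lines
        except ValueError:
            continue
        if any(name == d or name.endswith("." + d) for d in monitored):
            found.append((name, addr))
    return found
```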
Prevention

There are a number of steps that you can take to minimise the risk of becoming the victim of a phishing scam:

1) Never divulge your security information to anyone requesting it by email or phone. If you receive an email which you suspect to be a phishing scam, do not reply to it or click on the link to view the web site. If you are concerned about the message, inform the company by calling a publicly listed telephone number, or by forwarding the email (preferably as an attachment including header information) to the dedicated address given on their web site.

Remember, the safest way to access the company’s web site (where there may be a warning about this particular scam) is to type the address yourself into your web browser rather than clicking on the link.
2) Use different passwords for different accounts. Be very protective of all your passwords and use different passwords for different banking or credit accounts and email services.

Once a fraudster has your password he or she may then try to hack into your email account using that password to find out more information about you. Your email account contains a great deal of information about you, and the fraudster could use it to impersonate you. For example, the fraudster may apply for credit online or use your identity to open new accounts in your name.

If your “Inbox” or “Sent Items” contains emails to or from banks, then expect the fraudster to try to gain access to those accounts. This “snowball” effect can be the result of divulging a single password to the fraudster.
3) Use imaginative passwords containing numbers and other characters wherever possible. One survey conducted by the BBC found that, as a result of having too many passwords to remember, many Internet users tend to use one easy-to-remember password, such as the name of a spouse, child, favourite football team and/or pet, for all their accounts.

To make a password more difficult for a fraudster to crack, insert random numbers and characters. For example, the password “johnsmith” at an account with ABC Bank could be made more difficult to crack by inserting “abc” at the beginning and using numbers and other characters, giving a password of “abcj0hn$m1th”.

To make the password even harder to guess, additional characters should be substituted and added, e.g. substituting “!” for “j” and adding an asterisk at the beginning and end, giving a password of “*abc!0hn$m1th*”. If a fraudster is unable to access your account within a reasonable period of time it is possible that he or she will move on to a different victim.
4) Use up-to-date anti-virus software and a personal firewall. If you are using Windows XP, activate the Internet Connection Firewall included in the operating system, although for more comprehensive protection you should consider purchasing appropriate dedicated software. Be cautious of any unsolicited emails from unknown senders and do not download unexpected or suspicious attachments.

Victims of phishing scams may also have their computers infected with a virus which downloads a program called a “Trojan” (as in Trojan Horse) which can log their Internet activity and monitor keystrokes. The Trojan then sends an activity report to the fraudster, and this information is used to access online accounts and defraud the victim.
5) Never follow a link to your Internet bank from an email or an unreliable third-party source. Links can often take victims to bogus web sites. If you want to access your bank’s web site, type the bank’s web site address directly into your browser.