Gone Phishing

According to the website New Jersey Info Secure, phishing is defined as “… a scam in which an email message directs the email recipient to click on a link that takes them to a web site where they are prompted for personal information such as a pin number, social security number, bank account number or credit card number.” (State of New Jersey, 2008).

Once obtained, this information can be sold to various marketing agencies for profit, or used by cyber criminals to commit identity theft in order to empty bank accounts or to facilitate fraudulent purchases.

In January of 2010, TechAdvisory.org presented the following figures related to phishing scams and their effects on the Banking industry:

  • Each phishing attack involves a very small percentage of customers (0.000564%), but due to the large number of phishing attacks, the aggregated number is significant
  • 45% of bank customers redirected to a phishing site divulge their personal credentials
  • 0.47% of bank customers fall victim to phishing attacks each year, translating to $2.4M-$9.4M in annual fraud losses per one million clients
  • Each financial institution was targeted, on average, by 16 phishing websites per week, translating to 832 phishing attacks per year per bank brand (Tailwind Interactive, Ltd., 2010)

Don’t Take the Bait

Knowing that devastating financial losses can occur to victims of phishing scams, it’s important to be able to spot these emails before responding to them.

PhishTank provides the following clues for identifying fraudulent phishing emails (examples are my own):

  • Generic greeting. Phishing emails are usually sent in large batches. To save time, Internet criminals use generic names like “First Generic Bank Customer” so they don’t have to type all recipients’ names out and send emails one-by-one. If you don’t see your name, be suspicious.

“Hello Dear,

My name is Miss Aminata Bangali, resident in Ghana, Africa: The main reason I have decided to contact you today is i seek your assistance to helping me transfer my INHERITED MONEY DEPOSITED IN A SECURITY AND FINANCE COMPANY in MADRID SPAIN to your country for investment.”

  • Forged link. Even if a link has a name you recognize somewhere in it, it doesn’t mean it links to the real organization. Roll your mouse over the link and see if it matches what appears in the email. If there is a discrepancy, don’t click on the link. Also, websites where it is safe to enter personal information begin with “https” — the “s” stands for secure. If you don’t see “https” do not proceed.

“In order to verify your correct account information and ensure that your account remains open, please visit: http://www.ebayusergroup/accounts-updatemyinfo.com”
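The “roll your mouse over the link” check above can be automated for a mail gateway or a help-desk triage script. The following Python program is an added example, not part of the original article or of PhishTank’s material: it pulls every link out of an HTML email, compares the domain shown in the visible link text with the domain the link actually points to, flags targets that are not “https” or that are bare IP addresses, and flags links where a protected brand name appears somewhere in the URL but the link is not served by that brand’s domain (which catches the “ebayusergroup/…updatemyinfo.com” pattern quoted above). The sample message and the brand list are constructed for illustration, and the domain matching is deliberately crude (no public-suffix list).

```python
"""Flag links in an HTML email whose visible text or target looks forged.

Added example (not from the original article). The sample message and the
brand list below are constructed for illustration.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: one honest link, one brand-lookalike link modelled on the
# article's example, and one link whose text shows a different site than its target.
SAMPLE_EMAIL_HTML = """
<p>Log in at <a href="https://www.examplebank.com/login">https://www.examplebank.com/login</a></p>
<p>Update here: <a href="http://www.ebayusergroup/accounts-updatemyinfo.com">ebay.com account update</a></p>
<p>Confirm: <a href="http://203.0.113.5/verify">https://www.examplebank.com/verify</a></p>
"""

# Constructed list of brand domains the organisation wants to protect (hypothetical).
KNOWN_BRANDS = ("examplebank.com", "ebay.com")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the message."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Crude 'example.com' from 'www.sub.example.com'; no public-suffix list."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


# Something that looks like a domain (optionally with a scheme) in the visible text.
DOMAIN_RE = re.compile(r"(?:https?://)?([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)")
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def check_link(href, text):
    """Return a list of human-readable findings for one link (empty means no concern)."""
    findings = []
    target = urlparse(href)
    host = target.hostname or ""

    if target.scheme != "https":
        findings.append("target is not https")
    if IPV4_RE.fullmatch(host):
        findings.append("target is a bare IP address")

    # The text the reader sees names one site, but the link goes to another.
    shown = DOMAIN_RE.search(text)
    if shown and registrable_domain(shown.group(1)) != registrable_domain(host):
        findings.append(
            f"visible text shows {registrable_domain(shown.group(1))} but link goes to {host or href!r}"
        )

    # A protected brand name appears in the URL, but the link is not served by that brand.
    for brand in KNOWN_BRANDS:
        keyword = brand.split(".")[0]
        if keyword in href.lower() and registrable_domain(host) != brand:
            findings.append(f"'{keyword}' appears in the URL but the link is not served by {brand}")
    return findings


def scan_email(html):
    """Map each link target in the message to its list of findings."""
    collector = LinkCollector()
    collector.feed(html)
    return {href: check_link(href, text) for href, text in collector.links}


if __name__ == "__main__":
    for href, findings in scan_email(SAMPLE_EMAIL_HTML).items():
        status = "OK" if not findings else "SUSPICIOUS"
        print(f"{status}: {href}")
        for finding in findings:
            print(f"    - {finding}")
```

The honest link produces no findings; the two forged links each produce three. The brand check is what catches the article’s own example, where “ebay” appears in the host name but the registrable domain is not ebay.com; in production you would replace the crude two-label domain logic with a public-suffix-aware library and feed the findings into your mail filter’s scoring rather than treating any single one as conclusive.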

  • Requests personal information. The point of sending phishing email is to trick you into providing your personal information. If you receive an email requesting your personal information, it is probably a phishing attempt.

“And also 10% had been mapped out for you for the expense you will make in this transaciton and 50% is for me. I need your informations so that Iwill send you the application form.

YOUR FULL INFORMATIONS
Your Name………
Your Home Addresses.. ….
City.. ……
Country.. ……
Home Telephone.. …..
Private Telephone.. ……”

  • Sense of urgency. Internet criminals want you to provide your personal information now. They do this by making you think something has happened that requires you to act fast. The faster they get your information, the faster they can move on to another victim. (PhishTank)

“I am asking for your partnership in re-profiling funds ($18.350.000 Million) i am contacting you because you live outside Hong Kong. Finally, note that this must be concluded within two weeks. Kindly write back and i look forward to hear from you so i can give you more information about myself and the nature of the funds.”

As seen in the above examples, misspelled words and incorrect punctuation are also indicators of fraudulent emails. Phishing scams are bulk e-mails, so their perpetrators don’t have a lot of time to focus on the details.

Don’t Get Caught

The Federal Trade Commission offers the following tips to avoid becoming the victim of a phishing scam:

  • If you get an email or pop-up message that asks for personal or financial information, do not reply. And don’t click on the link in the message, either. Legitimate companies don’t ask for this information via email.
  • Area codes can mislead. Some scammers send an email that appears to be from a legitimate business and ask you to call a phone number to update your account or access a “refund.” Because they use Voice Over Internet Protocol technology, the area code you call does not reflect where the scammers really are. If you need to reach an organization you do business with, call the number on your financial statements or on the back of your credit card. In any case, delete random emails that ask you to confirm or divulge your financial information.
  • Use anti-virus and anti-spyware software, as well as a firewall, and update them all regularly. Some phishing emails contain software that can harm your computer or track your activities on the Internet without your knowledge.
  • Don’t email personal or financial information. Email is not a secure method of transmitting personal information. If you initiate a transaction and want to provide your personal or financial information through an organization’s website, look for indicators that the site is secure, like a lock icon on the browser’s status bar or a URL for a website that begins “https:” (the “s” stands for “secure”). Unfortunately, no indicator is foolproof; some phishers have forged security icons.
  • Review credit card and bank account statements as soon as you receive them to check for unauthorized charges. If your statement is late by more than a couple of days, call your credit card company or bank to confirm your billing address and account balances.
  • Be cautious about opening any attachment or downloading any files from emails you receive, regardless of who sent them. These files can contain viruses or other software that can weaken your computer’s security.
  • Forward spam that is phishing for information to spam@uce.gov and to the company, bank, or organization impersonated in the phishing email. Most organizations have information on their websites about where to report problems.
  • If you believe you’ve been scammed, file your complaint at ftc.gov, and then visit the FTC’s Identity Theft website at www.consumer.gov/idtheft. (Federal Trade Commission, 2006)

If you feel that you may have responded to a phishing attempt, or if you’re unsure, please contact the SJU Technology Service Center (TSC) at x2920 or by email at techhelp@sju.edu. Remember: The TSC will NEVER ask you for your password or Social Security number.

Sources:

Federal Trade Commission. 2006. FTC Consumer Alert. Federal Trade Commission. [Online] October 2006.

PhishTank. What is phishing? PhishTank. [Online] http://www.phishtank.com/what_is_phishing.php.

State of New Jersey. 2008. State of New Jersey. New Jersey Info Secure. [Online] October 2008. http://www.state.nj.us/njinfosecure/newsletters/approved/200810.html.

Tailwind Interactive, Ltd. 2010. New Study Reveals Extent of Losses Due to Phishing Attacks. TechAdvisory.org. [Online] January 1st, 2010. http://www.techadvisory.org/2010/01/new-study-reveals-extent-of-losses-due-to-phishing-attacks/.