How to Avoid Phishing Scams
Watch out for these sneaky scams that try to trick you into giving your personal information to crooks
The latest internet scam out there today is referred to as Phishing. These are very sophisticated
and highly technical scams that come in the form of all kinds of phony "companies" posing as PayPal,
AOL, eBay, Amazon and other familiar names. They usually ask you to respond to the e-mail to
verify your information. The e-mail looks so real that you will follow their instructions, and
when you do you will be giving them everything they need to use your credit card numbers,
empty your bank accounts or steal your identity.
The high-tech con artists have now kicked it up a notch. The latest phishing scam loads a program
onto your computer that steals information just by opening the e-mail. It's called a "Trojan Horse"
virus, and it causes a mirror site to show up and replace the legitimate site when you call it up.
People enter their information, thinking it is the legitimate site, and the crooks steal the
information and more. So, any time you go to the web site of your bank or another site and
see the address suddenly switch to another site, do not enter any information. You have a Trojan
Horse virus.
The best thing to remember here is that legitimate commerce companies will never ask you for information
they already have, with the exception of your ID and password when signing on. Do not open e-mails that
are unsolicited.
Email Phishing Scam Methods
- Subject Lines
Phishing emails always have subject lines that appear to be genuine. The subject will seem legitimate
because it relates to who the email claims to be from, and the content of the email will tend to corroborate it.
The more interesting they can make the subject line, the better; their goal is to get you to open the
email and read it. For example: "!Important notice to all PayPal users!". It
is also common for subject lines to use numerals or other letters to replace characters in an attempt
to bypass spam filters, such as a capital "I" replacing a lowercase "l". Some phishing emails will deliberately
misspell key words to bypass spam filters, which most people would not notice when quickly glancing
at the subject line.
- Disguised return email address
It is very easy for a professional criminal to forge the sender's email address. There is no guarantee
that the address listed as the sender's address is genuine. Phishing scam emails will normally have a
false return address so that the email looks like it is from the company it claims to be from.
- Website Content and Layout is copied
Many consumers are fooled into thinking an email is genuine because it has the bank's logo in it. Some
phishing emails also have genuine links to the company's privacy policy and other pages on the legitimate
web site. Phishing emails almost always use images and text styles copied from the legitimate web
site to fool the consumer into believing that the email is genuine.
- Hyperlink Manipulation
Links within an email are deliberately disguised in another attempt to deceive the recipient. HTML emails
may display a genuine URL, but when clicked the hyperlink will take the user to a different web site.
For example, a link showing http://www.win-big-bucks.com may actually take the user to whatever web site the scam artist
wants you to go to.
The consumer needs to be very careful with these hyperlinks. Even if the legitimate company's URL seems
to be in the web address, it may not go to that site. These new hi-tech outlaws are very manipulative and
are experts at deception.
- Forms (Surveys, etc.)
The email may contain a form asking you to enter some personal information and send it to them.
It can take on many different forms to try to entice the consumer into giving them sign-on IDs and
passwords, or worse yet, a person's date of birth, social security number, mother's maiden name or account numbers.
These methods are used by the more complex phishing emails. Some amateur phishing emails may contain poor
spelling and grammar, no images, and may not even attempt to disguise the URL.
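The three email tricks described above (lookalike characters in the subject line, link text that shows one address while the link itself points elsewhere, and forms that collect passwords) can all be checked mechanically before anyone clicks. The following Python script is an added example, not code from the original article: it parses a constructed sample message and reports each of those signs. The sample subject line, the HTML and the 192.0.2.10 address are made up for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample of a phishing-style message (not a real email).
# The subject uses a capital "I" in place of lowercase "l", as the article describes.
SAMPLE_SUBJECT = "!Important notice to aII PayPaI users!"
SAMPLE_HTML = """
<html><body>
<img src="http://www.paypal.com/images/logo.gif">
<p>Please visit <a href="http://192.0.2.10/login.php">http://www.paypal.com/cgi-bin/webscr</a>
to verify your account.</p>
<p>Read our <a href="http://www.paypal.com/privacy">privacy policy</a>.</p>
<form action="http://192.0.2.10/collect.php" method="post">
  Email: <input name="email"> Password: <input type="password" name="pass">
  <input type="submit" value="Verify">
</form>
</body></html>
"""


class LinkAndFormExtractor(HTMLParser):
    """Collect (href, visible text) for every <a>, and the action of every <form>."""

    def __init__(self):
        super().__init__()
        self.links = []   # list of [href, visible text]
        self.forms = []   # list of {"action": ..., "has_password": bool}
        self._in_a = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.links.append([a["href"], ""])
            self._in_a = True
        elif tag == "form":
            self.forms.append({"action": a.get("action", ""), "has_password": False})
        elif tag == "input" and self.forms and a.get("type", "").lower() == "password":
            self.forms[-1]["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "a":
            self._in_a = False

    def handle_data(self, data):
        if self._in_a and self.links:
            self.links[-1][1] += data


def host_of(url):
    """Lower-cased host name of a URL ("" if it has none)."""
    return (urlparse(url.strip()).hostname or "").lower()


def mismatched_links(html):
    """Return hrefs whose visible text looks like a URL on a different host
    (the "displays a genuine URL but goes elsewhere" trick)."""
    p = LinkAndFormExtractor()
    p.feed(html)
    bad = []
    for href, text in p.links:
        shown = text.strip()
        if shown.startswith(("http://", "https://", "www.")):
            shown_host = host_of(shown if "://" in shown else "http://" + shown)
            if shown_host and shown_host != host_of(href):
                bad.append(href)
    return bad


def credential_forms(html):
    """Return the action URLs of forms in the message that contain a password field."""
    p = LinkAndFormExtractor()
    p.feed(html)
    return [f["action"] for f in p.forms if f["has_password"]]


def subject_substitutions(subject):
    """Return words where a capital I or digit 1 follows a lowercase letter,
    the usual way "l" is swapped to slip past spam filters."""
    return re.findall(r"\b\w*[a-z][I1]\w*\b", subject)


def analyze(subject, html):
    """Summarise all three signs for one message."""
    return {
        "subject_lookalikes": subject_substitutions(subject),
        "mismatched_links": mismatched_links(html),
        "credential_forms": credential_forms(html),
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_SUBJECT, SAMPLE_HTML).items():
        print(f"{key}: {value}")
```

The privacy-policy link in the sample is left alone because its visible text is ordinary words, not a URL; only links whose text pretends to be an address are compared with where they really go. The checks are heuristics to support the article's advice, not a replacement for it: a message that passes all three can still be fraudulent.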
Web Site Phishing Scam Methods
More often than not, the phishing scam will have a fake web site to add to the smoke-and-mirrors magic they
need to fool the consumer into believing they have been directed to a legitimate web site. The purpose of
the web site is to trick consumers into thinking they are at the company's genuine web site and giving
their personal information to the trusted company they think they are dealing with. This is very easy to
do, and if they accomplish their goal they will be able to garner lots of information. The deceptive
methods used to disguise a web site are numerous; here are some of them:
- Genuine-looking web site
The fake web site will have text and images copied from the genuine site, and the scam artist has no trouble
doing this, as it is an easily accomplished procedure. It is very easy to manipulate the web site to their
advantage. Who wouldn't sign into their normal, legitimate third-party payment web site or on-line banking
web site? This is a scary situation if a consumer falls for this trick and furnishes personal information.
- Similar-looking URL
Some fraudulent web sites have domain names that are similar to, but different from, the genuine site
they want the consumer to believe they are at. Scam artists can also manipulate the web browser so that it does not reveal
the URL line, so you will not even be able to see what site you have signed onto. This is smoke-and-mirrors
deception in the hi-tech world, and it is easily accomplished.
- Web Forms
The easiest way to collect information in web site phishing scams is to use forms on the fraudulent site.
In many cases it will be the same form that is normally displayed on the genuine web site. This may be a form
at a third-party payment site, or a detailed form for verification of personal details such as date of birth,
social security number, mother's maiden name or an account number.
- More on URL manipulation
Some phishing web sites will display only an IP address in the URL field of the internet browser, so the
consumer will see only numbers in the address bar. The hi-tech world today is so complex that most
consumers do not realize there are many methods that can be used to deceive them; these
include JavaScript, HTA and some HTML, which can easily disguise the address bar and even construct one that
looks real but only shows the consumer what the scammer wants them to see. Those are just some of the techniques
that can mislead the unsuspecting and trusting individual. The consumer can disable ActiveX and JavaScript
in the internet browser settings, but this will lead to a less enhanced experience on the World Wide Web,
as many web sites use JavaScript and other ActiveX functions.
- Pop-up Windows
The web site the consumer was routed to could also just be a bare pop-up window with no address bar,
toolbars, status bar or scrollbars. It will be opened in the foreground to display the fake web page. This,
of course, is designed to mislead the consumer into thinking it is directly associated with the
genuine page.
- Address bar manipulation
This involves placing a text object with a white background over the URL in the address bar. The
text object contains the fake URL, and it covers the real URL the consumer was directed to. Again, you
can stop this by disabling ActiveX and JavaScript in the browser settings, but most web pages use these tools
and it could be impractical to disable them.
- Pop-up Window
This form of deception uses a script to open a genuine web page in the background while a bare
pop-up window (without address bar, toolbars, status bar or scrollbars) is opened in the foreground to
display the fake web page, in an attempt to mislead the user into thinking it is directly associated with the genuine
page. This method also relies on scripts, and can be stopped by disabling ActiveX and JavaScript in your
browser settings.
- Spyware and Trojan Horses
Trojan Horses and worm viruses are sent as email attachments, and if opened will install an attached
software program. The attachment is a program that exploits vulnerabilities in internet browsing software
that can force a download from the Internet. This file will download other files and code which, when
installed, will run a fully functional Trojan virus.
The Trojan Horse is designed to search for personal information, IDs and passwords, which many people
keep on their computer. This information is then sent to a database to be used at any time by the scam artists.
Spyware, such as keyboard loggers, captures information entered at legitimate web sites, such as third-party payment sites, and then sends this information to the scam artists.
How to Avoid Phishing Scams
- Be suspicious of any email with urgent requests for personal financial information. Unless the email is digitally signed, you can't be sure it wasn't forged or "spoofed."
Phishers typically include highly reactive statements in their emails to get people to respond immediately. They typically ask for information such as usernames, passwords, credit card numbers, social security numbers, etc.
- Don't use the links in an email to get to any web page if you suspect the message might not be authentic. Instead, log onto the web site directly by typing the web address into your browser.
- Avoid filling out forms in email messages that ask for personal financial information. You should only communicate information such as credit card numbers or account information via a secure web site.
To ensure you're on a secure web server, check the beginning of the web address in your browser's address bar: it should be "https://" rather than just "http://".
- Check your online accounts frequently by logging into them. In this case, frequently means at least monthly.
- Make it a routine to always check your bank, credit and debit card statements to ensure that all transactions are legitimate. If you see any suspicious charges or transactions,
contact your bank and all card issuers for more information and guidance to correct the situation.
- Make sure that your browser is up to date and that all security patches have been installed.
- Always report "phishing" or "spoofed" e-mails to the following groups:
- Forward the email to the Federal Trade Commission at spam@uce.gov
- Forward the email to the "abuse" email address at the company that is being spoofed (e.g. "spoof@ebay.com")
When forwarding spoofed messages, always include the entire original e-mail with its original header information intact. Notify the Internet Fraud Complaint Center of the FBI by filing a complaint on their
website: www.ifccfbi.gov/.
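The web-site signs described earlier (a bare IP address in the address bar, a domain name that is similar to but not the same as the genuine one) and the "look for https://" advice just given can be combined into one simple check of an address before anything is typed into the page. This Python example is added here and is not part of the original article. The KNOWN_DOMAINS list, the two-label "registrable domain" shortcut and the set of lookalike character substitutions are assumptions made for the example, and every URL it tests is constructed.

```python
import ipaddress
from urllib.parse import urlparse

# Constructed list of sites the user actually does business with. Assumption for
# the example; a real tool would use the user's own bookmarks or a curated list.
KNOWN_DOMAINS = ["paypal.com", "ebay.com", "amazon.com"]


def hostname(url):
    """Lower-cased host part of a URL ("" if none)."""
    return (urlparse(url.strip()).hostname or "").lower()


def is_ip_literal(host):
    """True when the host is a bare IP address (only numbers in the address bar)."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def registrable(host):
    """Crude shortcut: the last two labels (paypal.com from www.paypal.com).
    Assumption for the example; real code would consult the public suffix list."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def normalize_lookalikes(name):
    """Undo common visual substitutions. Host names are case-insensitive, so the
    capital-I-for-l trick from subject lines does not apply here; digits do."""
    return name.replace("1", "l").replace("0", "o").replace("rn", "m").replace("vv", "w")


def edit_distance(a, b):
    """Levenshtein distance, used to catch one-character typos of a trusted name."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(host, known=KNOWN_DOMAINS):
    """Return the trusted domain this host imitates, or None if it is genuine or unrelated."""
    reg = registrable(host)
    if reg in known:
        return None                      # genuine: the registrable part is a trusted domain
    for k in known:
        brand = k.split(".")[0]          # e.g. "paypal"
        if brand in host:                # trusted name buried inside some other domain
            return k
        if edit_distance(normalize_lookalikes(reg), k) <= 1:
            return k
    return None


def assess(url, known=KNOWN_DOMAINS):
    """List the warning signs for one address, in a fixed order."""
    findings = []
    host = hostname(url)
    if urlparse(url.strip()).scheme != "https":
        findings.append("not https")
    if is_ip_literal(host):
        findings.append("ip-literal host")
    imitated = lookalike_of(host, known)
    if imitated:
        findings.append("lookalike of " + imitated)
    return findings


if __name__ == "__main__":
    # Constructed addresses: one genuine, three with the signs the article describes.
    for u in ["https://www.paypal.com/cgi-bin/webscr",
              "http://192.0.2.10/login.php",
              "http://www.paypal.com.account-verify.example/",
              "https://www.paypa1.com/"]:
        print(u, "->", assess(u) or ["no warning signs"])
```

The check only looks at the address itself, so it says nothing about the page content; that is the point, because the copied logos and forms described above are exactly what the eye is fooled by. Note that "brand in host" will also flag unrelated names that happen to contain a trusted word, which is the safe direction for a warning. An empty result means only that none of these particular signs were present; the article's advice to type the address yourself still applies.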