Watch out for these sneaky scams that try to trick you into giving your personal information to crooks
One of the most dangerous internet scams is the one commonly referred to as Phishing. Phishing scams come in all shapes and sizes, ranging from crude to highly sophisticated schemes with phony websites resembling those of Pay Pal, AOL, eBay, Amazon and other familiar names.
They trick you into visiting these websites by sending out official looking emails indicating a problem with your account and provide a link for you to click in order to clear up the issue or verify your account.
Once the email link is clicked, you’re taken to a login page or you’re presented with a form in which you’re instructed to enter personal details like Social Security numbers, password, credit card numbers and even banking PIN or routing numbers. If you fall for this scam, it’s game over. The crooks have everything they need to steal your identity, rack up charges on your credit card or empty your bank account!
It’s easy to see why Phishing scams are so dangerous.
High Tech Phishing Schemes
The high tech con artists have now kicked it up a notch. The latest phishing scam loads a program on your computer that steals information just by opening the e-mail. It’s called a “Trojan Horse” virus, and it causes a mirror site to show up and replace the legitimate site when you call it up. People enter their information, thinking it is the legitimate site, and the crooks steal the information and more. So, anytime you go to the Web site of your bank or other site and you see the address suddenly switch to another site, do not enter any information. You have a Trojan horse virus.
The best thing to remember here is that legitimate commerce companies will never ask you for information they already have with the exception of your ID and password when signing on. Do not open emails that are unsolicited.
Email Phishing Scam Methods
- Subject Lines
Phishing email messages always have genuine looking subject lines. It will seem to be really legitimate as it will relate to who the sender is and the content of the email will tend to corroborate it. The more interesting they can make the subject line the better. Their goal is to get you to open the message and read it. Examples include subject lines like this: !Important notice to all PayPal users!. Numerals and other letters used to replace characters are often put in email message subject lines as a way to outsmart SPAM filters. While at the same time, they try to keep the subject lines close enough to the real thing so that most people would overlook the character changes when quickly looking at the subject line.
- Disguised return email address
It’s extremely simple for experienced internet scammers to fake an email message sender’s address. It’s best to assume that no sending addresses listed on the email messages you receive are real. Emails used in phishing scams always have fake addresses for the sender field. They try to make it look like the message is coming from the company they claim to represent, like eBay or PayPal.
- Website Content and Layout is copied
Don’t feel bad if you’ve been tricked into thinking an email is real because it had a company’s logo in it. Just keep that in mind the next time. Phishing scammers go to great lengths to make their emails look genuine. Some even include real links to the company’s legitimate website and/or privacy policies. Phishing emails always seem to use copied images and text styles used on the legitimate web site fool the consumer into believing that their email is genuine.
- Hyperlink Manipulation
In attempts to trick email message recipients, con artists will intentionally cloak links in their email messages. URLs in HTML emails may look real; however, when clicked on by an unsuspecting reader, they actually take the reader to a completely different location. For example: http://www.win-big-bucks.com may actually take the user to the web site the scam artist wants you to go.
The consumer needs to be very careful with these hyperlinks. Even if the legitimate companies URL seems to be in the web address it may not go to that site. These new hi-tech outlaws are very manipulative and are experts at deception.
- Forms (Surveys, etc.)
The email may contain a questionnaire asking you to enter some personal data and send it to them. It can take on many different forms to try to entice the consumer into giving them sign on ID’s and pass words or worse yet a person’s date of birth, social security number, mother maiden name or account numbers. Be alert to poor spelling and grammar, as well as an absence of images and undisguised URLs.
Web Site Phishing Scam Methods
The phishing scam will most often than not have a fake web site to add to the smoke and mirror magic they need to fool the consumer into believing they have been directed to a legitimate web site. The purpose of the web site is to trick consumers into thinking they are at the company’s genuine web site, and giving their personal information to the trusted company they think they are dealing with. This is very easy to do and if they accomplish what the goal is they will be able to garnish lots of information. The deceptive methods used to disguise a web site are numerous and here are some of them:
- Genuine Looking web site
The fake web site will have copied text and images from the genuine site and the scam artist has no trouble doing this as it is an easily accomplished procedure. It is very easy to manipulate the web site to their advantage. Who wouldn’t sign into their normal legitimate third party payment web site, or on-line banking web site? This is a scary situation if a consumer falls for this trick and furnishes personal information.
- Similar looking URL
Some fraudulent web sites can have similar but different domain names that are similar to the genuine site they want the consumer to believe they are at. Scam artists can manipulate the web browser to not reveal the URL line so you will not even be able to see what site you have signed onto. This is smoke and mirror deception in the hi-tech world and is easily accomplished.
- Web Forms
The easiest way to collect information in web site phishing scams is to use forms on the fraudulent site. In many cases it will be the same form that is normally displayed on the genuine web site. This may be an at a third party payment site, or a detailed form for verification of personal details such as date of birth, social security number, mother’s maiden name or an account number.
- More on URL manipulation
- Pop up Windows
The web site that the consumer was routed to could also just be a bare pop up window with no address bar, tool bars, status bar or scrollbars. It will be opened in the foreground to display the fake webpage. This, of course, is designed as an attempt to mislead the consumer into think it is directly associated to the genuine page.
- Address bar manipulation
- Pop up Window
- Spy Ware and Trojan Horses
Trojan Horses and worm viruses are sent as an email attachment, and if opened will install an attached software program. The attachment is a program that exploits vulnerabilities in Internet Browsing software that can force a download from the Internet. This file will download other files and codes, which when installed will run a fully functional Trojan virus.
The Trojan horse is designed to search for personal information, ID’s and passwords, which many people keep on their computer. This information is then sent to a database to be use at any time by the scam artists.
Spy ware, such as keyboard loggers, capture information entered at legitimate web sites, such as third party payment sites and then it sends this information to the scam artists.
This effective phishing method uses familiar names to trick you into divulging sensitive and confidential account information.
Spear Phishing is much like your usual phishing scheme in that it involves the usual email from your bank or some other place you log into for financial transactions.
The phishing emails begin the same way they always do. For example, one of these phishing attempts might say something like, “Your account is in danger of being terminated. This is your final termination notice. Please log into your account to verify your personal information…” or some similar variation on this theme. No doubt you are quite familiar with them by now.
But what if this email wasn’t as anonymous as the usual one and it was sent by someone within the company you work for or even your boss? Isn’t there a greater chance that you might click the link to check it out? If you do and then log in to make sure that everything is kosher, you have just been phished. This extremely targeted form of phishing is particularly dangerous because it works very well.
Spear Phishing uses a method called “Social Engineering”
In the context of computer security, social engineering is the practice of obtaining confidential information by manipulation of legitimate users. Users are often considered the weak link in computer security and social engineering exploits an individual’s natural tendancy to trust a message that they would usually discard if it appears to be from a trusted source. Phishing schemes are evolving and becoming harder to detect as time goes on. The use of marketing techniques to target a certain group with a message carefully designed to entice them to click a link and then enter their credentials often succeeds where ordinary phishing emails would be ignored.
Spear Phishing attempts are on the rise
Spear Phishing attempts are on the rise. If you haven’t received one of these phishing emails yet you probably will soon. Luckily, they are in the end just phishing attempts and your regular safe internet practices are all you need to protect against them. So just remember not to click links in emails that lead to financial or other online accounts and then enter your personal information. If in doubt make a phone call or ask a friend or send an email directly(don’t hit reply!) to the person that supposedly sent you the email. You should always be wary when you get an email asking you to logon from a link in the message even if it’s from someone who might actually send you such an email.
If you make “Never click a link in an email” your golden email rule your chances of getting “phished” are almost nill.
US Government site or phony phishing scam?
Several phishing scams depend on you thinking you’re on an official US Government website. How can you tell if it’s the real deal?
Phishing scams are devious plans designed to trick you into handing crooks your personal and financial information. Once they have what they need you can become a victim of identity theft or find that your bank account has been emptied. No one wants that!
So how do these people continue to fool people despite constant reports about it in the media? One problem is that people often can’t tell a real website from a forgery despite obvious clues that are right there in front of them. Think of how much trouble one could cause by impersonating a US Government website.
Do you realize how easy it is to duplicate a website? There are tools out there that allow someone grab themselves a copy and upload it to their own server. It will look EXACTLY like the original site. Why shouldn’t it? It’s a perfect copy. Phishing scams do this all the time and find that it works very well at tricking people into giving them what they need. Being able to tell the difference between the real website and the duplicate is your biggest weapon. Failure to spot any one of several subtle clues could result in big problems down the road.
How to tell if you’re on the right website:
- Look at the URL – Is the domain in your web browser’s address bar what expected? Does it at least end in .gov? If it’s an IP address like http://188.8.131.52 you should be wary. On second though just leave. IP addresses are one of the biggest giveways that you’re on a phony website. Sometimes the domain is close, but not quite what it should be. Look carefully. If in doubt, leave and search for what you need from a site you know is real.
- Check for SSL Certificates – Most government sites have SSL certificates and use them to encrypt information sent to them via web forms. You should see a lock icon somewhere on your screen. It’s usually near the top or at the very bottom of the browser window. Clicking on it will give you information such as the website’s address, if the connection is encrypted and whether the certificate is current or has expired. Forms on the web don’t always use encryption but sensitive information such as your Social Security number or driver’s license and banking or financial data should always be encrypted.
How to Avoid Phishing Scams
- Any email messages urgently requesting personal financial information should be met with a healthy dose of skepticism. The goal of these types of messages is to get you to respond immediately. So this type of email will often contain immediate, knee-jerk reaction seeking type statements. Data requested is usually items like credit card numbers, passwords, social security numbers, usernames, etc.
- Never click on the links in an email to get to any web page, if you think the email message isn’t real. Instead, go directly to the website by opening your browser and typing in the Web address.
- Stay away from completing any documents in email messages that request for personal financial information. Account information and/or credit card data should only be sent using secure websites. To ensure you’re using a secure Web server, check the beginning of the Web address in your browsers address bar – it should be “https://” rather than just “http://”
- Check your online accounts frequently by logging into them. In this case, frequently is a minimum of monthly.
- Make it a habit to always review your bank, credit and debit card statements to make certain all of the transactions listed are accurate. If you see any suspicious charges or transactions, get in touch with your bank and all card issuers immediately for more information and guidance to correct the situation.
- Make sure you’re using the most up to date internet browser and that all security patches have been installed.
- Every time you receive a “phishing” or “spoofed” e-mail, please report it to the following groups:
- Send the email to the Federal Trade Commission at firstname.lastname@example.org
- Send the email to the “abuse” reporting email address at the company that is being spoofed (e.g. “email@example.com”)
It’s critical to include the original e-mail in its entirety, with its original header information in one piece, when forwarding to the above entities.