From the Actrix Online Informer March 2008

by Rob Zorn

No honour among phishers

Some readers may have noticed a flurry of emails lately that appear to come from all sorts of New Zealand banks. They usually have subject headings like "Security Alert" or "Account maintenance". Most people probably recognise these for what they are - fake emails designed to get you to log into a bogus website so that banking user names and passwords can be harvested - and most of us probably know this type of cyber-crime is called "phishing".

Spam folder

Nevertheless I thought it might be worth going over some of the basics around phishing because there have been so many lately, and the perpetrators behind these emails are pretty good at varying them enough so that a few evade the Actrix spam and virus filters (if you check your spam folder, you'll see there are probably heaps of these that have been caught, and many more would have been deleted even before they got to your spam folder).

A second reason I thought I'd go over some phishing basics is because I've noticed the emails themselves are getting more clever.

One of the first things you'll notice about these phishing emails is that they often come from banks or companies with whom you don't have an account. This is because they use a scattershot technique - send heaps of emails out, and a percentage will arrive at customers who do bank at the one being impersonated. Most of the ones I've received lately appear to have come from KiwiBank, so I know they're fake because I don't bank there. I might be more easily fooled if they appeared to come from my real bank (and next week they probably will appear to do just that).

The second thing they do is prey on people's fears and security concerns about their online banking. The first one I'm looking at arrived this morning telling me my account has been locked, possibly due to inactivity or to failed log-in attempts. That's a bit scary. I'm supposed to worry that either someone has been trying to log into my online banking account, or there's been a stuff-up somewhere at the bank and my account is about to be closed because they think I'm not using it. 

The email comes with a link I can click to re-activate my account. I'm not going to click the link because I know there are two likelihoods at the site I'll end up at. The first likelihood is that it will be an exact or close replica of the real banking site, but that my user name and password will be stolen when I enter them. The second likelihood is that the site will attempt to install some nasty software on my machine - something that will hunt my hard drive for other personal information to send home to its makers, or possibly to turn my machine into a spam sending zombie.

The second phishing email I received this morning is a little more clever. It appears to come from the Bank of New Zealand and, again, I know it's a scam because I don't bank there. This one tells me there's either been an unsuccessful log-in attempt at my banking site, or that someone's tried to log in from a computer in some other part of the world. Notice again that I've been given a variety of things to worry about. I'm then given a choice of buttons - one to click if that spurious log-in was actually me, and one to click if it wasn't. However, if I rest my cursor over each button, my email program shows me what the link address is for each button, and blow me down if it isn't exactly the same! Each of these buttons is designed to bring me to the same site, where the two likelihoods mentioned above will apply once more.
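The hover-over check described above can be run over every link in a message at once: list what each link says against where it really goes, and notice when differently worded buttons all lead to one place. This is an added example, not part of the original article; the email HTML is constructed, and the hosts in it (203.0.113.7, mybank.example, example.invalid) are reserved placeholders.

```python
"""Compare the visible text of each link in an HTML email with its real target."""
from collections import defaultdict
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: two "was it you?" buttons that share one target, a link whose
# text names the bank while the href points elsewhere, and one genuine-looking link.
SAMPLE_EMAIL = """
<html><body>
<p>Dear Valued Customer,</p>
<p>An unsuccessful log-in attempt was detected on your account.</p>
<a href="http://203.0.113.7/bank/verify.php?id=1">Yes, this was me</a>
<a href="http://203.0.113.7/bank/verify.php?id=1">No, this was not me</a>
<a href="http://login-mybank.example.invalid/">www.mybank.example</a>
<a href="https://www.mybank.example/help">www.mybank.example</a>
</body></html>
"""

class LinkCollector(HTMLParser):
    """Collects (visible text, href) pairs for every <a> element in the message."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def extract_links(html):
    parser = LinkCollector()
    parser.feed(html)
    return parser.links

def suspicious_links(html):
    """Return (reason, visible text, href) findings for the two checks in the article."""
    findings, by_target = [], defaultdict(list)
    for text, href in extract_links(html):
        by_target[href].append(text)
        host = (urlparse(href).hostname or "").lower()
        shown = text.lower().removeprefix("www.")
        # Hover check: the text looks like a web address but the real host is a different site.
        if "." in shown and " " not in shown and not (host == shown or host.endswith("." + shown)):
            findings.append(("visible text names a different site than the link target", text, href))
    # Two-button check: differently worded buttons that all resolve to the same URL.
    for href, texts in by_target.items():
        if len(set(texts)) > 1:
            findings.append(("several different buttons share one target", " / ".join(texts), href))
    return findings

if __name__ == "__main__":
    for reason, text, href in suspicious_links(SAMPLE_EMAIL):
        print(f"{reason}: '{text}' -> {href}")
```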

As I was writing this article, bank phishing email number three arrived. This one said it was from ANZ and announced a "newly introduced Comprehensive Quarterly Updates Program." This one is especially cheeky as this new programme is designed to help protect me from online fraud. Of course I'm given a link that's supposed to take me to a page where I can log in to sign up for the programme, but where I will actually encounter the two likelihoods yet again. The method is again to prey on my fears by offering protection from the very thing they're planning to do to me. There really is no honour among phishers.

Of course phishing attempts don't just appear to come from banks. They can also purport to come from eBay, TradeMe, PayPal or anywhere cyber-criminals can gain some sort of ability to rip you off.

Phishing emails are usually easy to recognise. They don't usually greet you by name, though they might insert your email address in the greeting. This is because of the scattershot technique mentioned above. Their emails have to be fairly generic as they work on the principle that if you send a million of these out and only a fraction of a percent are successful, you've still done well. It's pretty hard to personalise millions of emails.

They usually impersonate the banks pretty poorly. The emails typically have spelling or grammar errors, and often they're just accompanied by the bank's logo. My guess is they don't bother too much with making the email a good impersonation because they're mainly after people new to the Internet, or the particularly fearful, who won't notice or know to look for that sort of thing. That said, however, there's nothing to stop them from doing a good impersonation job, so even a well-crafted one could be a phishing attempt.

In fact, it almost certainly would be. Banks sure know about phishing and therefore make it their policy never to send their customers emails with links to log in pages. If they do want you to log in for whatever reason (such as to view new policy updates or something) they will instruct you to use your own bookmarks, or type in the URL to their site by hand so you know you are going to the real thing.

The last thing to note about phishing attempts is that they are very common. You don't need to worry that you might have been specifically targeted. Millions of these e-mails are sent out and the senders almost certainly don't know anything specific about you. The phishing e-mail itself is probably not all that dangerous either, as long as you don't follow their advice or instructions. Attaching a virus to it would only make it more likely to be caught by ISP filters, so they are most likely to save the dangerous stuff for when you arrive at their fake site.

If you do receive phishing emails, just delete them and get on with your day. If you're really concerned you can ring your bank, but chances are they're already well aware the phishing emails are out there.


Copyright 2008 Actrix Networks Limited