From the Actrix Online Informer August 2008

Scams of the Month #2 Phishing, spear-phishing and money mules

The Internet can be a scary place if you're not careful, and it's not just viruses and spyware you have to worry about.  Just like the real world, the Internet has its share of baddies out to steal your cash (and your pride) by combining new technology with age-old confidence tricks.

This month we're carrying on with our series of articles on scams. Last month we covered the famous Nigerian 419 scam. This week we'll have a look at phishing, spear-phishing and money mules. I wrote an article on Phishing back in March this year that looked closely at a series of phishing emails I had received. Rather than repeat all that information, I'll just provide a summary. If you want to, you can go read No honour among phishers yourself.


The most common type of phishing is where fake emails arrive that appear to have come from your bank. They often have subject headings like "Security Alert" or "Account maintenance". They prey on people's fears and security concerns about such things as their online banking. They might say your account has been locked, possibly due to inactivity or to failed log-in attempts. You're supposed to worry that either someone has been trying to log into your online banking account, or there's been a stuff-up somewhere and the bank thinks you're not using the account. 

Of course, this is all just a ruse to get you to use a log in at a fake site that looks like your bank's website. Then they can capture your banking user name and password so they can go in later and help themselves.

Another possibility is that, rather than a fake log in, they just want you to come to their site where some malicious program lives that will infest your machine if you don't have good security or up-to-date software. This 'malware' could be designed to hunt your hard drive for personal information to send home to its makers, capture your key strokes, or turn your computer into a spam sending zombie.

Phishers use a scattershot technique. That is, they send heaps of emails out and a fair percentage will arrive at customers of the bank being impersonated. This is also why so many phishing emails appear to have come from banks or companies with whom you don't have an account. It's a "hit or miss" game. And of course phishing attempts don't just appear to come from banks. The can also purport to come from eBay, TradeMe, PayPal or anywhere cyber-criminals can gain an opportunity to rip you off.

Phishing emails are usually easy to recognise. They tend not to greet you by name, though they might insert your email address in the greeting. This is because of the scattershot technique mentioned above. Their emails have to be fairly generic as they work on the principle that if you send a million of these out and only a fraction of a percent are successful, you've still done well. It's pretty hard to personalise millions of emails to any great extent.

They usually impersonate the banks pretty poorly too. The emails typically have spelling or grammar errors, and often they're just accompanied by the bank's logo.  However, there's nothing to stop them from doing a good impersonation job, so don't take a good-looking email as a sign of authenticity.

Banks know all about phishing and therefore make it their policy never to send their customers emails with links to log in pages. If they do want you to log in for whatever reason (such as to view new policy updates or something) they will instruct you to use your own bookmarks, or type in the URL to their site by hand so you know you are going to the real thing.

The last thing to note about phishing attempts is that they are very common. You don't need to worry that you might have been specifically targeted. Millions of these e-mails are sent out and the senders almost certainly don't know anything specific about you. The phishing e-mail itself is probably not all that dangerous either, as long as you don't follow their advice or instructions. Attaching a virus to it would only make it more likely to be caught by ISP filters, so they are most likely to save the dangerous stuff for when you arrive at their fake site.

If you do receive phishing emails, just delete them and get on with your day. If you're really concerned you can ring your bank, but chances are they're already well aware the phishing emails are out there.


Spear-phishing is when the phishing attack does become personal. It's much less common, because it's much harder to do and it involves a little research on the part of the scammer, but it also has a higher success rate.

Spear-phishing emails may contain your name or your employer's name to make them appear legitimate. They may contain legitimate phone numbers and contact details. Sometimes the email messages  are designed to look like they come from within the recipient's company or organisation, often from the technical or human-resources departments. In big companies where staff may not know each other, the victim might easily be fooled into assuming an email asking them to log into some website or install some attachment is legitimate.

It has also been known to happen that scammers will make phone calls to their victims to further 'legitimise' their scam. Wikipedia claims at least one case where messages appeared to come from a bank and told users to dial a phone number regarding problems with their bank accounts. Once the phone number (owned by the scammer) was dialled, prompts told users to enter their account numbers and PIN.

In April this year a targeted emailing was sent to corporate executives in America, informing them they had been sued. This attack worked well by preying on the victims' fear of litigation. It took them off guard and many clicked the links to malicious sites or opened the nasty attachments because they were worried and the email mentioned them by name. Incidentally, when a large scale attack is made on senior executives of big, important companies, the practice is known as 'whaling'.

Spear phishing certainly happens in New Zealand. Otago University's ITS Update April 2008 has a short article on spear phishing attacks they have recently detected and advises that university staff will never ask for passwords or personal details.

If you have any doubt about an email you've received asking about your personal information or log in details at work, you should check with a trusted staff member before you follow the instructions in the email. Phone calls from scammers in support of their spear phishing attempts aren't all that common here, but again, if you have any doubt call the company back by using its legitimate phone number (not necessarily the one provided in the email) and ask what's going on.

Lastly, if you do receive a phishing email that mentions you by name, don't panic right away. It may not be spear phishing. It's not hard to design an email sending program that personalises a greeting according to your email address. If your email address is, that program could simply be grabbing the 'rob' from your email address and using it as the greeting – exactly as it is doing for millions of others.

Money Mules

You know that saying – if something seems to good to be true, it probably is? Well, the saying is good and true. So when you receive emails with offers of jobs where you can "make thousands from home in only 2-8 hours a week", alarm bells will ring for the sensible. Click here for some examples.

These sorts of 'job opportunities' are usually what's known as the money mule scam. You can work from home and make gazillions of dollars by doing very little. But what you'll actually be doing is helping steal from other people.

Foreign phishers and scammers need a Kiwi bank account to transfer stolen money into because there are blocks or limits on transferring money overseas over the internet. Many businesses will refuse to transfer money or ship goods to certain countries where there is a high likelihood that the transaction is fraudulent, for example. So you essentially end up running a forwarding service for money through your bank account, earning a percentage for each payment you forward.

You are also acting as a human proxy helping to obfuscate the path the stolen funds take, and sometimes they'll want your postal address so you can receive and send on mysterious packages.

This may all seem like easy work, but being a mule is illegal, and one day you will find Foreign Affairs or the police on your doorstep asking you to pop on down to the courthouse to explain yourself. Claiming ignorance or that you're just really stupid will not be much of an excuse. You are part of a crime ring and you are likely to do jail time.

For those interested in reading more, here's a Washington Post article from January this year telling the story of how one poor lady was duped into becoming a money mule. It provides a good overview of how the whole scam works – and she was lucky!

Next month: love and dating scams and fake websites.


Copyright 2008 Actrix Networks Limited | Contact: