
December 1, 2005

MailFrontier's Phishing Quiz

Lifehacker.com posted a quiz created by MailFrontier designed to challenge your ability to pick out phisher e-mails from legitimate ones.

They must be getting a boatload of traffic from the link. The direct link to the quiz is currently not working (as of Thursday morning, around 11 am EST).

But the comment thread on Lifehacker is interesting in and of itself. Several commenters raise the great point that two of the best ways to spot a phisher are not possible in the quiz:

  • Look at the raw source of the message to see if the code behind the links is really pointing to the server the message text claims.
  • Look at the full mail header to see where the message was sent from.

For more tips, check out our ten ways to recognize phisher e-mails.

Posted by earthling | 01:51 PM | Email This Post | Permalink
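
The full-header check from the second bullet above, as an added example (not from the original post). It assumes the reader's provider stamps hosts under `earthlink.net`; the message, host names and addresses are constructed. Only `Received` lines written by the reader's own provider are believed, and reading stops at the first hand-off from outside.

```python
"""Added example: find where a message really entered the reader's mail provider."""
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: hosts under this suffix belong to the reader's own provider.
TRUSTED_MX_SUFFIX = ".earthlink.net"

# Constructed sample message (documentation-range IPs, made-up hosts).
RAW_MESSAGE = """\
Received: from mx-in.earthlink.net (mx-in.earthlink.net [192.0.2.10])
    by mailstore.earthlink.net with ESMTP id abc123;
    Thu, 1 Dec 2005 10:02:11 -0500
Received: from mail.example-bulk.test (unknown [203.0.113.45])
    by mx-in.earthlink.net with SMTP id def456;
    Thu, 1 Dec 2005 10:02:09 -0500
Received: from secure.bank.example ([198.51.100.7])
    by mail.example-bulk.test; Thu, 1 Dec 2005 09:59:00 -0500
From: "Bank Security" <service@bank.example>
Return-Path: <bounce@example-bulk.test>
Subject: Your account needs attention

Dear member, please update your account.
"""

RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+"                      # name the sender claimed
    r"\((?:(?P<rdns>[^\s\[\]]+)\s+)?"               # name the receiver looked up
    r"\[(?P<ip>[0-9a-fA-F.:]+)\]\)"                 # address the receiver saw
    r".*?\bby\s+(?P<by>[^\s;]+)"                    # server that wrote the line
)


def is_internal(host):
    """True if host is under the provider's own suffix."""
    return (host or "").lower().rstrip(".").endswith(TRUSTED_MX_SUFFIX)


def domain_of(header_value):
    """Domain part of the address in a From or Return-Path header."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()


def first_external_hop(msg):
    """Walk Received lines newest-first; return the first outside hand-off."""
    for value in msg.get_all("Received", []):
        m = RECEIVED_RE.search(" ".join(value.split()))  # unfold the header
        if not m or not is_internal(m.group("by")):
            return None  # line was not written by a server we trust
        if not is_internal(m.group("rdns")):
            return m.groupdict()  # lines below this one are the sender's word
    return None


def summarize(raw):
    """Return the facts a reader would pull from the full header."""
    msg = message_from_string(raw)
    hop = first_external_hop(msg)
    from_dom = domain_of(msg["From"])
    rp_dom = domain_of(msg["Return-Path"])
    return {
        "origin_ip": hop["ip"] if hop else None,
        "origin_claimed_name": hop["helo"] if hop else None,
        "from_domain": from_dom,
        "return_path_domain": rp_dom,
        "from_matches_return_path": from_dom == rp_dom,
    }


if __name__ == "__main__":
    for key, value in summarize(RAW_MESSAGE).items():
        print(f"{key}: {value}")
```

A From domain that differs from the Return-Path is something to look at rather than proof of fraud, since legitimate companies also send through third parties.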

November 11, 2005

Online shoppers becoming more suspicious

According to a Gartner report quoted in this article in CIO Asia magazine, Phisher schemes are reducing the number of purchases made online. However, reading the quoted data from the report, it doesn't sound like that's necessarily a bad thing.

Author Lorraine Cosgrove Ware writes:

"Nevertheless, 75 percent of the 5,000 online consumers who Gartner surveyed in May said they have become more cautious about where they shop online, and one-third reported buying fewer items than they would typically purchase due to security concerns. Eighty percent of those surveyed said they now trust commercial e-mail less, while 85 percent claimed to delete unexpected e-mails without ever opening them."

I think Ware's analysis is off. This sounds like great progress to me. People looking to shop online are getting smarter about which sites and emails they trust. I don't see anything in the data she quoted showing a correlation between the savvier shoppers and a decline in legitimate e-commerce revenue. Am I missing something?

Posted by earthling | 01:56 PM | Email This Post | Permalink

October 27, 2005

Phishing Activity Trends Report

The latest report published by the Anti-Phishing Working Group (APWG) shows the number of phishing sites is still growing; however, the number of reports of phishing declined slightly.

Are people just getting used to this new form of Social Engineering? I doubt it...

Interesting statistics within the report:

- Number of unique phishing reports received in August: 13,776
- Number of unique phishing sites received in August: 5,259
- Number of brands hijacked by phishing campaigns in August: 84
- Country hosting the most phishing websites in August: United States
- Average time online for site: 5.5 days

You can read the full report here (pdf document).

Posted by earthling | 02:00 PM | Email This Post | Permalink

September 8, 2005

More on Katrina Internet Scams

The Missouri Attorney General has filed suit against a White Supremacist organization that registered a number of domain names like KatrinaFamilies.com, Katrina-Donations.com, and NewOrleansCharities.com, all of which have PayPal links and purport to be collecting donations for the American Red Cross and other organizations to help survivors of the hurricane.

Florida's Attorney General has also filed suit against fraudulent charitable sites taking advantage of the millions of Americans who want to help hurricane survivors.

The New York Times (reg required) offers more details on these and other Katrina-inspired scams, including comments from law enforcement that there are far more scam sites now than were inspired by the Tsunami in January.

-Posted by Liza Barry-Kessler

Posted by earthling | 10:29 AM | Email This Post | Permalink

September 2, 2005

Katrina-Inspired Scams

According to the Washington Post, there are ALREADY people out there exploiting our desire to help the people whose lives have been devastated by Hurricane Katrina.

So in your desire to help, remember -- don't click on a link in an e-mail message. If you want to donate, pick a reputable charity and check it out before donating online. Here's a link to the Federal Emergency Management Association (FEMA) page on Katrina, with dozens of links to real non-profit organizations trying to help the storm victims.

-Posted by Liza Barry-Kessler

Posted by earthling | 03:46 PM | Email This Post | Permalink

September 1, 2005

Is that a Phisher E-mail?

Do you find yourself wondering if a message you've just received is a phisher e-mail? The information below should help you differentiate between a real e-mail and a phisher (a.k.a. fraudulent e-mail).

I found the following information in our Personal Support Center's Knowledge Base.

- Recognizing Legitimate EarthLink Requests

EarthLink will NEVER request that you submit your credit card number, password, secret word, PIN, or last four digits of your Social Security number in an email. Most EarthLink requests will direct you to update your personal information on your "My Account" Web page: http://myaccount.earthlink.net

Posted by earthling | 02:12 PM | Email This Post | Permalink

July 21, 2005

Phishing Gets Personal

When my mortgage statement comes to me via email, I see my name following "Dear" in the first line. I feel pretty confident that mortgage company sent that to me and that it is not a phisher of any sort. If I saw "Dear (my email address)" or even "Dear (username)" I would be a little suspicious.

Some security experts are reporting seeing the email address appearing in the salutation. I don't think it will be too long before the united efforts of the worm writers and the phishers will produce phishers that contain my name in the body of an email. If someone I know becomes infected with a virus/worm/trojan that gains access to the infected's address book and my email address and name are in there, it is possible that I could receive very personally targeted phishers. It's even possible that attackers could call my home and tell me to read the email they just sent. After all, they have all the info my friend so carefully entered into their address book.

Please my friends, use up to date virus protection, keep your OS and software updates current, use a firewall, and don't open that .zip attachment that just hit your inbox.

-Posted by Mary Youngblood

Posted by earthling | 06:03 PM | Email This Post | Permalink

July 8, 2005

Bold Social Engineering

Recently, we have heard more chatter about the granddaddy of the Phisher scam, the phone scam, as making a comeback. As more and more people become aware and are guarded against online phishing fraud, the bad guys keep working to outwit the average person out of their precious financial information. Institutions are starting to report customers calling in claiming they have been contacted by the institution or an affiliate of the institution needing banking information to verify whether the person has been a victim of fraud. One such group went by the name "National Fraud Verification Services" and was pressuring those answering their calls to read out their account numbers. Another such recent scheme went like this: A call comes into a phone, the caller ID is blocked, an automated message says it is your mortgage company calling and that they have a special important announcement to tell you. In order to give you the message you have to input your SS to verify your account.

One might say that it is easy to trace back that call and so it must be legit because the bad guys would not be so stupid. Over the last few years the bad guys have been working hard to make the phone systems a tool of the trade by finding ways to spoof, or "fake", the caller ID, even the unspoofable ANI (Automatic Number Identification), according to some sources. And with VOIP (Voice Over IP), it gets even more complicated. So what can the average person do to protect their information? Well, there are so many things to recommend we can save that for another post. For fighting this long forgotten but effective fraud technique it is fairly simple:

1. Log the date, time and reported caller ID when you receive the call.
2. If a live human is calling you, ask the person to give you a call-back number; explain that you are in the middle of something but will call them back, and that you want to resolve this as soon as possible.
3. Call the real institution and inform them of the attempted collection of your information, and provide the information from steps 1 and 2.
4. Ask them for further instructions: do they want you to call law enforcement, report the event to the FTC, ask the operator for a trace request for the next attempt, etc.

Good Luck and keep fighting the good fight!
Mary Youngblood
EarthLink Customer Security Strategist

Posted by earthling | 02:35 PM | Email This Post | Permalink

June 25, 2005

EarthLink puts up more spyware, phishing shields

EarthLink is swapping out its security tools, a move it hopes will better protect its customers against spyware and phishing.

The Internet service provider is adding intelligence on phishing from security vendor Cyota to its ScamBlocker toolbar. Additionally, EarthLink customers later this year will be offered anti-spyware protection from Aluria Software, which EarthLink believes is superior to its current spyware-fighting tool.

Read the rest at C|Net

-Posted by Travis

Posted by earthling | 09:27 AM | Email This Post | Permalink

June 21, 2005

The FTC Says Happy Father's Day, Don't Get Phished

Happy belated Father's Day from the Federal Trade Commission -- here's a cute explanation of some ways you can protect yourself from getting phished.

It's funny and user-friendly, if kind of strange. If your Dad is a little nervous about Internet privacy, but isn't particularly tech-savvy, this e-card could be a nice belated Father's Day greeting.

-Posted by Liza Barry-Kessler

Posted by earthling | 09:13 AM | Email This Post | Permalink

June 18, 2005

Study shows increase in Browser-based attacks

“Pharming” and “phishing” scams are quickly becoming one of the highest threats to the Internet community according to a recent study. Although viruses are still a major concern, they are beginning to drop off while browser-based attacks continue to steadily rise.

See the full article from internetnews.com

-Posted by Travis

Posted by earthling | 09:06 AM | Email This Post | Permalink

June 9, 2005

10 ways to recognize phisher (spoof) emails

Lately, the most common question to our feedback e-mail address has been about whether or not an e-mail someone has received is a phisher email.

The 10 tips below should help you recognize a phisher email.

1. Generic greetings. Many phisher emails begin with a general greeting, such as: "Dear member." If you do not see your first and last name, be suspicious.
2. A fake sender's address. A phisher email may include a forged email address in the "From" field. This field is easily altered.
3. A false sense of urgency. Many phisher emails try to deceive you with the threat that your account is in jeopardy if you don't update it ASAP. They may also state that an unauthorized transaction has recently occurred on your account, or claim they’re updating their accounts and need your information fast.
4. Fake links. Always check where a link is going before you click. Move your mouse over it and look at the URL in your browser or email status bar. A fraudulent link is dangerous. If you click on one, it could:
   - Direct you to a phisher website that tries to collect your personal data.
   - Install spyware on your system. Spyware is an application that can enable a hacker to monitor your actions and steal any passwords or credit card numbers you type online.
   - Cause you to download a virus that could disable your computer.
5. Emails that appear to be websites. Some emails will look like a website in order to get you to enter personal information.
6. Deceptive URLs. Only enter your EarthLink password on EarthLink pages. These begin with https://www.earthlink.net/, ...my.earthlink.net, ...webmail.earthlink.net, etc.
   - Even if a URL contains the word "EarthLink," it may not be an EarthLink site. Examples of deceptive URLs include: www.earthlinksupport.com, www.earth1ink.com, www.accounts-earthlink.com, and www.earthlinkcom.net.
7. Misspellings and bad grammar. Phisher emails often contain misspellings, incorrect grammar, missing words, and gaps in logic. Mistakes also help fraudsters avoid spam filters.
8. Unsafe sites. The term "https" should always precede any website address where you enter personal information. The "s" stands for secure. If you don't see "https," you're not in a secure web session, and you should not enter data.
9. Pop-up boxes in an email are not secure. Don’t enter personal information into them.
10. Attachments. Like fake links, attachments are frequently used in spoof emails and are dangerous. Never click on an attachment unless you know the person that sent it to you. Most people become infected by clicking on some sort of attachment that causes them to download spyware or a virus.

-Posted by Travis

Posted by earthling | 11:22 AM | Email This Post | Permalink

May 21, 2005

New Virus Attack From Fake Microsoft Patch

An email claiming to contain a Microsoft “culmulative update” patch to deal with vulnerabilities in Internet Explorer, Microsoft Outlook and Outlook Express, actually contains the Pinfi virus. Apparently this email scam is the latest attempt to piggyback onto Microsoft’s monthly patch updates.

See the full article from eWeek

Posted by earthling | 01:17 PM | Email This Post | Permalink

April 27, 2005

Phisher e-mails anyone?

Many of you have sent feedback in asking what to do with a suspected Phisher e-mail so I thought I would talk about that for you.

You can report a Phisher e-mail via our "Report a Scam" page.

If you'd like to do some more reading about Phisher e-mails you can do so here.

Last, but not least, we recommend you download and use the EarthLink Toolbar to avoid even browsing to these Phisher sites.

On a separate note, I'd like to encourage the readers (this is you) to use the comment function at the bottom of each post to communicate back to us about whether a post has been helpful, you have an opinion about what we've said, etc...

Using our feedback e-mail address is great, but then only I get to read what you have to say. Don’t you want to share?

Posted by earthling | 01:30 PM | Email This Post | Permalink

April 6, 2005

Learning to Speak "Geek" for Security

There's an interesting BBC article on the difficulty most people have in following tech-jargon related to security issues.

The article is funny -- it includes the % of respondents who thought spyware was software to tell you what your spouse was up to. But it also includes a nice short explanation of various Internet security terms (phishing, pharming, rogue dialler, etc).

Posted by Liza Barry-Kessler

Posted by earthling | 01:34 PM | Email This Post | Permalink

March 15, 2005

Consumer Tips?

I think that I have read my 100th list of what a person can do to avoid becoming a victim of phishing. I myself have helped put these "Consumer Tips" out over the last few years. This is very important information to put in every Internet user's hands. They usually say various things from "don't respond to email asking for personal information" to "always type in a URL". One big problem with this is that these tips are against what the typical consumer has come to expect out of the Internet: ease of use and convenience.

The bigger problem is that consumers have to do these things at all. This means that companies are still communicating the same way they always have and are not doing much to "help" consumers do business with them on-line. They still send out emails with crazy looking links to pages that ask them to input personal information. They still use other companies to send out email for them so that a consumer has no idea who is sending it. As long as you keep doing this, people will expect it and will be more likely to fall for fraud. The next step in fighting phishing is for companies that do business on the web (everyone) to change the way they communicate with their customers.

There may be some lists for businesses out there somewhere but I have not seen one so I am starting my own:
(By the way, the list posted by the Anti-Phishing Working Group is where I usually send people, so I used it as a guide for my business tips. http://www.antiphishing.org/consumer_recs.html )

Business Advice: How to Avoid Phishing Scams

The number and sophistication of email sent out by businesses is continuing to increase dramatically. So is phishing. As a general rule you should be careful about asking for personal financial information over the Internet. You should also communicate with customers and ask them to take action in a consistent manner that makes it easy for them to do business with you. The list of recommendations below can help you avoid having your customers become victims of phishing scams.

Don't send out any emails with urgent requests for personal financial information
- don't assume that a digital signature takes away all the risk. Most consumers don't have any idea what those are.
- don't include upsetting or exciting statements in your email to get people to react immediately
- don't ask for user-names, passwords, credit card numbers, social security numbers, etc. by email
- try to personalize the email as much as possible. Phishers don't usually have this information

Don't put links in an email to get to a web page, if it requires a consumer to enter personal information
- instead, tell consumers to log into the website by typing in the Web address directly in their browser
- always tell them to go to the same URL no matter what type of communication it is

Don't send out forms in email messages that ask for personal financial information
- you should only ask customers to communicate information such as credit card numbers or account information via a secure website or the telephone

Always ensure that the website you're using to collect information is a secure website
- if it does not say "https://" don't put a form there to collect information

Let customers know where they can get a tool bar to help protect them from known phishing fraud websites
- a good free one for all Internet users: http://www.earthlink.net/earthlinktoolbar

Encourage customers to regularly log into your website
- give them a reason to get used to going there to do business with you
- make this your default way to conduct every transaction with a customer
- encourage customers to regularly check their bank, credit and debit card statements
- make it easy for them to contact you if there is a problem

Encourage customers to regularly update their browsers and get security patches
- put common security links on your website

Make it easy for consumers to report "phishing"
- tell them how to properly forward header information to:

* An easy to remember address that you set up like fraud@
* The Anti-Phishing Working Group at reportphishing@antiphishing.com
* Federal Trade Commission at spam@uce.gov
* the "abuse" email address at the company that is being spoofed (e.g. "spoof@ebay.com")

- tell them to notify the Internet Fraud Complaint Center of the FBI by filing a complaint on their website: www.ifccfbi.gov/

Posted by Les Seagraves

Posted by earthling | 01:09 PM | Email This Post | Permalink

February 9, 2005

Say My Name, Phish!

If you're having a hard time distinguishing between phisher emails and legitimate communication pieces from companies you do business with, here's one common way to avoid getting scammed: Look for your name in the body of the email.

In most cases, scammers don't know your name. That's one of the things they're trying to steal, along with your passwords and credit card numbers. When a scammer creates a fraudulent email disguised to look like a well-known company, they often use generic greetings such as "Dear customer" or "Hello eBay member," and they spam it out to millions of email addresses hoping to hook a few unsuspecting users.

Real companies, on the other hand, already know your name and should be addressing their emails directly to you. For example, Citibank does a nice job of this. You can feel confident that emails from Citi are legitimate if they contain an "Email Security Zone" that displays your full name and the last four digits of your card number. Learn more: Email Safety from Citibank.
[Image: Citibank Email Security Zone]

PayPal also warns users against generic greetings. Fraudulent emails pretending to be from PayPal say "Dear valued PayPal member," like in the fake email below. Legitimate emails from PayPal will address you by your first and last name. For more information from PayPal, visit their Security Center.
[Image: PayPal Spoof]

If you're still unsure about an email you've received, do not click any of the links in the email and contact the company by phone to verify its authenticity. You can also open a new web browser window and manually type the company's main URL into the address bar. Then log in with your username to access your account information. For example, instead of clicking on the links in a suspicious looking email from eBay, open your browser and type "www.ebay.com" into the address bar.

Posted by earthling | 11:30 AM | Email This Post | Permalink

January 14, 2005

Look Ma - I'm a Blogger

As I sat down to start my first contribution to EarthLink's Protection Blog I had reason to take pause. Two years ago I was working in Digital Music, and I could talk endlessly about topics such as: which sounds better, mp3 or wma?

Now here I am, pontificating on how to protect your personal information, the latest online scams and other fairly serious issues. But you know what? I've spent the last two years researching the threat of online fraud, talking with industry experts and reading endless articles and I really do have some good information to share. So here we go...

Online fraud is becoming more frequent and sophisticated. Most common are fraudulent emails that appear to come from a familiar company, like EarthLink, asking you to provide sensitive personal information that criminals intend to steal.

We "industry experts" call these “phishers”. Scam emails that ask you to click a link and redirect you to a fake — but very real-looking — Web site. Others ask you to submit information on an email form, by replying to the email, or by fax.

First lesson, young grasshopper: Guard your personal information like it is, well, your personal information. Be careful who you do business with online and use the tools available to you to protect yourself. The internet is a fun and useful tool, but so is a skillsaw.

Posted by Scott Mecredy

Posted by earthling | 12:50 PM | Email This Post | Permalink

January 10, 2005

About Our Bloggers

Les Seagraves, Executive Editor
EarthLink's Chief Privacy Officer, Les Seagraves, serves as Executive Editor of the Protection Blog. Les is a general counsel with EarthLink's legal department, where he leads the legal battle against spam and fraud. He's a frequent speaker for trade groups, conferences, continuing legal education and college classrooms. A true technology lawyer, Les has testified in congress and consulted with federal and state legislators on privacy, spam and other areas of technology law.

Mike Strutton
As the Director of Product Management for EarthLink's Software Products, Mike has been engaged with many of EarthLink's protection products, aka The Blockers, as well as TotalAccess for Windows and Mac. Mike has been with EarthLink for over 10 years and has over 12 years of internet experience. Mike is an avid fan of the Apple Macintosh, but don't let that fool you, while he totes his Powerbook everywhere, he surrounds himself with 3 Dells in his office and 3 more at home.

Stephen Currie
EarthLink's Director of Product Management for Communication Products is Stephen Currie, who oversees the EarthLink mail client, including the development and implementation of email tools like EarthLink spamBlocker. Stephen has also represented EarthLink at industry coalitions aimed at eradicating spam and other Internet abuse, and his expert opinion on spam has been featured in national media coverage.

Scott Mecredy
A Senior Product Manager for Protection Software at EarthLink, Scott Mecredy has been developing consumer software for over 7 years. An industry thought leader (place pointer finger on chin and look longingly into space), he helped create ScamBlocker, the first comprehensive Phisher protection product available in the market. Scott's a Rock Star (in his own mind), and lives for one thing: a successful software launch.

Liza Barry-Kessler
EarthLink's Senior Product Manager for Parental Controls. Although new to EarthLink, Liza is ancient in "internet years" having been online since 1987. She began her career in Parental Controls as a First Amendment lawyer at the Center for Democracy & Technology (www.cdt.org), where she was part of the team that launched the industry-wide internet-safety and privacy initiative, GetNetWise, in 1999.

Liza is also a nationally recognized expert on web filtering and internet privacy issues, both in the home and in school and library environments, and is co-author of the book "Privacy in the 21st Century: Issues for Public, School, and Academic Libraries," forthcoming from Libraries Unlimited publishers in June 2005.

Posted by earthling | 11:09 AM | Email This Post | Permalink
