New report shows bogus websites and charities are key phishing techniques: Internet Scambusters #530
Information-stealing phishing attacks now number almost 3
billion a year and are growing at an annual rate of 37%.
With crooks now selling “phishing kits” to the criminally
minded, we can expect the crime to escalate further and
This week’s issue shows how clever the scammers have become,
focuses on the most common current phishing tricks, and
highlights the four red flags that should put you on the
However, we encourage you to take a look at this week’s most
popular articles from our other sites:
Can Recycling Be As Good For You As it Is For The Environment? Reusing and recycling items can help you stretch the money you worked hard for as far as possible.
More Myths About Sleep: It’s time to tackle a few more myths about sleep that may have been keeping you up at night!
Second Marriage Bridal Showers: Why the Heck Not? Jettison that old wedding shower etiquette and throw that second marriage bridal shower!
Valentine’s Chocolates Fit for a Queen (or King): If you want to make sure your Valentine’s Day Gift says “I love you” and not “I’m cheap as all heck” make sure you check out these four great Valentine’s Day chocolates brands.
Let’s get started…
Phishing Update: Key Trends and Warning Signs
Many years have passed since we first started writing about
phishing — the scamming technique for stealing personal
In one of our earliest reports, we gave advice on how to avoid
it, and we were one of the first sites to set up an identity
theft information center.
But it’s sad to report this crime has become ever more
widespread — up 37% year on year, according to latest figures.
In fact, a new report from security company Symantec (the
Norton anti-virus firm) has this to say:
“You no longer need to be a sophisticated hacker to commit
fraud on the Internet. Anyone who is motivated can join in,
thanks to the off-the-shelf phishing kits provided by a
thriving cyber crime ecosystem. Cyber criminals are even
migrating to a new business model known as
Malware-as-a-Service (MaaS), where authors of (phishing) kits
offer extra services to customers in addition to the exploit
The company reckons there are an estimated 8 million daily
phishing attempts — that’s close to 3 billion a year!
The tricks scammers use have multiplied and become so clever
that even experts have been fooled into giving away
information subsequently used for identity theft.
For example, in one recent incident, a savvy British
journalist was tricked by a call claiming to be from the
police about his credit and debit card numbers being used by
The caller offered to block the card numbers immediately but
said she needed PINs and confirmation of the full card
So far, pretty obviously a scam, isn't it?
So the journalist asked for the detective’s name and proof of
The caller gave her name and suggested the journalist hang up
and call 999 (the British equivalent of 911), then ask to be
put through to her.
He did, was answered by an apparent emergency center
controller, and put through to the “detective.”
There was also a lot of background noise as if the call was
going through to a busy office.
And the “detective” also insisted that for security reasons,
the journalist should key in the numbers on his phone, so
she (the scammer) wouldn’t even know what they were.
These behaviors were enough to convince him the call was
genuine and he gave the information.
But it was a scam, and he had just parted with information
that enabled the crooks to virtually drain his bank account.
What is more, the scammer kept the victim on the phone for
more than an hour, while his cards were hammered.
Well, here's the secret: in the UK, if you put the phone down
and pick it up again but the other person doesn't hang up,
you're still connected to them. You never get back to the
exchange, so it doesn't matter what number you key in; the
other person is still on the line, ready to act out the rest
of the charade.
This may not be the same with phone companies in the US, which
can auto-disconnect, but everyone should know about this
cunning trick, not least because of what it tells us about the
devious way the criminal mind works. The safe way to "call
back" is to use a different phone, or to wait until you hear a
normal dial tone before you dial.
And if you key numbers into your phone, they travel down the
line as keypad tones (DTMF), which software on the other end
is perfectly capable of decoding.
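How easily keyed-in digits can be read off a phone line is worth seeing. The Python script below is an added example, not part of the original newsletter: it synthesizes the standard two-tone DTMF signal a telephone keypad emits for each key, then recovers the keys from the audio with the Goertzel algorithm, the same single-frequency detector a scammer's call-handling software would use. The 8 kHz sample rate, the 50 ms analysis window, the power thresholds and the "4711#" input are assumptions constructed for the demo; the DTMF frequencies and keypad layout are the real standard.

```python
import math

# Standard DTMF keypad: each key is the sum of one low-group and one high-group tone (Hz).
LOW_FREQS = [697, 770, 852, 941]
HIGH_FREQS = [1209, 1336, 1477, 1633]
KEYPAD = [["1", "2", "3", "A"],
          ["4", "5", "6", "B"],
          ["7", "8", "9", "C"],
          ["*", "0", "#", "D"]]

SAMPLE_RATE = 8000   # telephone-quality audio (assumed for the demo)
FRAME = 400          # 50 ms analysis window at 8 kHz (assumed)
MIN_POWER = 500.0    # below this a window counts as silence (tuned to the demo amplitude)
MIN_RATIO = 4.0      # winning tone must beat the runner-up in its group by this factor


def tone_for(key, seconds=0.1, rate=SAMPLE_RATE):
    """Synthesize the DTMF tone a phone emits while `key` is pressed."""
    for row, keys in enumerate(KEYPAD):
        if key in keys:
            f_low, f_high = LOW_FREQS[row], HIGH_FREQS[keys.index(key)]
            break
    else:
        raise ValueError(f"not a DTMF key: {key!r}")
    n = int(rate * seconds)
    return [0.5 * math.sin(2 * math.pi * f_low * i / rate)
            + 0.5 * math.sin(2 * math.pi * f_high * i / rate) for i in range(n)]


def dial(keys, rate=SAMPLE_RATE):
    """Constructed 'recording' of someone keying `keys`: 100 ms tone, 50 ms gap each."""
    audio = []
    for key in keys:
        audio += tone_for(key, 0.1, rate) + [0.0] * int(rate * 0.05)
    return audio


def goertzel_power(samples, freq, rate=SAMPLE_RATE):
    """Signal energy at a single frequency (Goertzel algorithm, no FFT needed)."""
    n = len(samples)
    k = int(0.5 + n * freq / rate)            # nearest analysis bin
    coeff = 2.0 * math.cos(2.0 * math.pi * k / n)
    s_prev = s_prev2 = 0.0
    for x in samples:
        s = x + coeff * s_prev - s_prev2
        s_prev2, s_prev = s_prev, s
    return s_prev ** 2 + s_prev2 ** 2 - coeff * s_prev * s_prev2


def _dominant(powers):
    """Index of the strongest tone in a group, or None if nothing clearly dominates."""
    best = max(range(len(powers)), key=powers.__getitem__)
    rest = max(p for i, p in enumerate(powers) if i != best)
    if powers[best] < MIN_POWER or powers[best] < MIN_RATIO * rest:
        return None
    return best


def decode_tone(samples, rate=SAMPLE_RATE):
    """Return the key whose tone pair is present in `samples`, or None for silence/noise."""
    row = _dominant([goertzel_power(samples, f, rate) for f in LOW_FREQS])
    col = _dominant([goertzel_power(samples, f, rate) for f in HIGH_FREQS])
    if row is None or col is None:
        return None
    return KEYPAD[row][col]


def decode_keypresses(audio, frame=FRAME, rate=SAMPLE_RATE):
    """Walk a recording window by window and return the sequence of keys pressed."""
    keys, last = [], None
    for start in range(0, len(audio) - frame + 1, frame):
        key = decode_tone(audio[start:start + frame], rate)
        if key is not None and key != last:
            keys.append(key)
        last = key                # a silent gap (None) separates repeated digits
    return "".join(keys)


if __name__ == "__main__":
    secret = "4711#"              # constructed PIN-like input for the demo
    print("keyed:", secret, "decoded:", decode_keypresses(dial(secret)))
```

The decoder needs nothing beyond the standard library and a few dozen lines, which is the point: anyone holding the line open can capture a PIN keyed "for security" just as easily as one read aloud.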
One lesson, of course, is never, under any circumstances, to
give out your PIN.
Bank staff don't know it (only their systems do), and they
definitely don't need it to block a card or a transaction.
The biggest increase in current phishing activity is via bogus
websites, a fact that became very evident last holiday season.
They weren’t so much mimicking legitimate sites as posing as
retailers in their own right offering special deals.
The other key technique that’s on the rise is the harvesting
of credit card details through phony charity appeals after
natural disasters, another activity we’ve written about
previously in Charity Scams.
This was particularly prevalent in the months after Hurricane
Sandy and comes with any kind of natural disaster — a subject
we’ll be returning to next week.
The Symantec report highlights a number of other phishing
trends. Though they're not particularly new, they are now
delivered, as with the phone example above, in a more
convincing way, often tied to current events.
* Phishing that plays on economic fears — mainly emails that
seem to come from a financial institution claiming they’ve
taken over the recipient’s bank or mortgage lender.
They may request confirmation of account details or invite you
to click a link to a bogus replica site.
This is particularly effective precisely because so many such
mergers are happening in real life.
Action: Never respond to these emails. Visit your bank’s
website by keying in the address yourself and take things from
* Blended phishing/malware threats — tricking victims into
downloading keyloggers that steal personal information.
Often this is done via an email notification about a news item
or an eCard.
When you try to view it you’re told you need to update
software on your PC. The supposed update is, in fact, the key
Action: We always advise against clicking links in email but
if you do and the result is an invitation to download or
update software, just don’t.
Most Internet security software can be set to generate a
warning if a website tries to install a program.
Switch this setting on — check your software help file to
find out how to do this.
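The replica-site links described above usually give themselves away in the message itself: the text you see is not where the link goes, or the address contains your bank's name inside a host that isn't your bank. As an added example (not part of the original newsletter), the Python script below pulls every link out of an HTML e-mail body and flags both patterns. The sample message, the trusted domain mybank.example and the lookalike hosts under .invalid are constructed for the demo, and the registrable-domain check is deliberately simplified to the last two labels.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML e-mail body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lower-cased hostname of a URL; bare 'www.site.example/path' text is accepted too."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()


def base_domain(host):
    """Registrable domain, simplified to the last two labels (assumption for the demo).
    Real code should consult the Public Suffix List so that bank.co.uk is handled."""
    return ".".join(host.split(".")[-2:])


# Visible link text that itself looks like an address (with or without a scheme).
URL_LIKE = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.I)


def suspicious_links(html, trusted_domains):
    """One finding per link that (a) displays one address but points at another, or
    (b) embeds a trusted domain inside a host that is really some other domain."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        target = host_of(href)
        if URL_LIKE.fullmatch(text) and base_domain(host_of(text)) != base_domain(target):
            findings.append(f"link shows {text!r} but goes to {target}")
            continue
        for brand in trusted_domains:
            if brand in target and base_domain(target) != brand:
                findings.append(f"{target} imitates {brand}")
    return findings


# Constructed sample e-mail body for the demo (not a real message).
SAMPLE_EMAIL = """
<p>Dear Customer,</p>
<p>Your account at <a href="https://www.mybank.example/help">MyBank</a> will be
suspended unless you <a href="https://www.mybank.example.account-check.invalid/login">confirm
your details</a> within 24 hours.</p>
<p>Or visit <a href="https://secure-login.invalid/mybank">https://www.mybank.example/secure</a></p>
"""

if __name__ == "__main__":
    for finding in suspicious_links(SAMPLE_EMAIL, ["mybank.example"]):
        print(finding)
```

The first link is genuine and passes; the second smuggles the real bank domain into a host under a different domain; the third displays the bank's address while pointing elsewhere. Checks like this help triage mail, but they don't replace the advice above: type your bank's address yourself.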
Symantec lists four red flags you should watch out for as
warnings of a potential phishing scam:
1. Misspellings (though these are becoming less common).
2. Generic greetings instead of a personalized one, or
messages urging immediate action.
3. Threats to the status of your bank or credit card accounts.
4. Any requests for personal information.
None of these, by itself, is proof of a scam but they should
immediately put you on alert and make you thoroughly and
independently check out such messages.
Says Symantec: “Phishing will continue to evolve into new
forms, while attempting to take advantage of human behaviors
such as compassion, trust, or curiosity.”
Time to conclude for today — have a great week!