What is phishing?
Phishing is a scam in which the attacker sends an email purporting to be from a valid financial or eCommerce provider. The email often uses fear tactics in an effort to entice the intended victim into visiting a fraudulent website. Once on the website, which generally looks and feels much like the valid eCommerce/banking site, the victim is instructed to login to their account and enter sensitive financial information such as their bank PIN number, their Social Security number, mother’s maiden name, etc. This information is then surreptitiously sent to the attacker who then uses it to engage in credit card and bank fraud – or outright identity theft.
Many of these phishing email appear to be quite legitimate. Don’t be a victim. Look over the following examples of phishing scams to familiarize yourself with the clever techniques used.
Washington Mutual Bank phishing email
Below is an example of a phishing scam targeting Washington Mutual Bank customers. This phish claims that Washington Mutual Bank is adopting new security measures which require confirming ATM card details. As with other phishing scams, the victim is directed to visit a fraudulent site and any information entered on that site is sent to the attacker.
SunTrust phishing email
The following example is of a phishing scam targeting SunTrust bank customers. The email warns that failing to comply with the instructions may result in account suspension. Note the use of the SunTrust logo. This is a common tactic with ‘phishers’ who often use valid logos they have simply copied from the real banking site in an attempt to lead credence to their phishing email.
eBay phishing scam
As with the SunTrust example, this eBay phishing email includes the eBay logo in an attempt to gain credibility. The email warns that a billing error may have been made on the account and urges the eBay member to login and verify the charges.
Citibank phishing scam
There is no shortage of irony in the Citibank phishing example below. The attacker claims to be acting in the interests of safety and integrity for the online banking community. Of course, in order to do so, you are instructed to visit a fake website and enter critical financial details that the attacker will then use to disrupt the very safety and integrity they claim to be protecting.
Charter One phishing email
As seen with the previous Citibank phishing scam, the Charter One phishing email also pretends to be working to preserve the safety and integrity of online banking. The email also includes the Charter One logo in an attempt to gain credibility.
PayPal phishing email
PayPal and eBay were two of the earliest targets of phishing scams. In the example below, this PayPal phishing scams tries to trick recipients by pretending to be some sort of security alert. Claiming that someone ‘from a foreign IP address’ attempted to login to your PayPal account, the email urges recipients to confirm their account details via the link provided. As with other phishing scams, the displayed link is bogus – clicking the link actually takes the recipient to the attacker’s website.
IRS Tax Refund Phishing Scam
A security flaw on a US government website has been exploited by a phishing scam claiming to be an IRS refund notification. The phishing email claims the recipient is eligible for a tax refund of $571.94. The email then tries to gain credibility by instructing recipients to copy/paste the url rather than clicking it. That’s because the link actually does point to a page on a legitimate government website, http://www.govbenefits.gov. The problem is, the page being targeted on that site allows the phishers to ‘bounce’ the user to another site altogether.
The email used in the orginal IRS tax refund phishing scam has the following characteristics:
Reporting phishing scams
If you believe you have been the victim of fraud, contact your financial institution immediately via phone or in person. If you have received a phishing email, you can usually send a copy to abuse@DOMAIN.com where DOMAIN.com signifies the company to which you are directing the email. For example, abuse@suntrust.com is the email address for sending phishing emails purporting to be from SunTrust Bank. If in the United States, you can also forward a copy to the Federal Trade Commission (FTC) using the address spam@uce.gov. Be sure to
forward the email as an attachment
so that all important formatting and header information is preserved; otherwise the email will be of little use for investigative purposes.