To restore your account access,
please take the following steps to ensure that your account has not been
compromised:". It continues with a link to a web page that looks very similar
to the original web page of the bank.
The misleading web site appears authentic, with familiar graphics and logos.
The wording is professional, right down to the legal disclaimer at the bottom
of the page.
If you happen to hold an account at the claimed bank, follow the instructions
in the email and enter your account, PIN, password, etc., you are doomed. You
have just handed over access to your account to a con artist who, in a matter
of days, will drain all the money available in that account.
This new scam, which is proliferating at a very rapid pace, is called
"Phishing". Phishing is a form of identity theft in which a con artist uses an
official-looking email containing a link to phony web pages capable of
harvesting information to trick an unsuspecting victim into divulging
sensitive personal data. Scammers use this data to bilk victims out of their
savings.
One of the most common phishing campaigns being waged has targeted users of
Web auction giant eBay and its PayPal division, with financial services giant
Citibank serving as another popular target. Recently, however, every major
bank has been hit with this scam. Crooks send out huge numbers of emails in
the expectation that some of the recipients have online access to their
accounts at the bank.
The term "Phishing" is a variation of the word "Fishing". In the hackers'
lexicon, "F" becomes "Ph" in many words. The term derives from the fact that
scammers use sophisticated bait as they "fish" for users' personal
information.
According to Gartner, a research firm, illegal access to checking accounts
gained via phishing has become the fastest-growing type of consumer theft in
the United States. Roughly 1.98 million people reported that their checking
account was breached in one way or another during the last year, and US$ 2.4
billion was defrauded from the victims!
Gartner also estimated that 57 million U.S. Internet users have received
phishing emails and that 3 percent of them may have been fooled into revealing
their sensitive personal information.
The Anti-Phishing Working Group has also spotted a dramatic increase in
reports of phishing attacks in recent months. Since November 2003, phishing
scams have increased by about 110 percent each month. In April alone, the
group identified 1125 unique phishing scams, a sharp rise of 178 percent from
the previous month.
MessageLabs, a company that watches phishing scams closely, has noted an even
more dramatic increase in the number of phishing emails. It claims to have
seen phishing messages jump from just 279 in September 2003 to a staggering
215,643 in March 2004.
The scammers have also started to use more sophisticated technologies in
recent months. The latest generation of phishing scammers uses several methods
to trick users, including pop-up graphics that mask the true web URL of the
phishing site and the installation of spyware and Trojans on the victim's
computer. The perpetrators also take advantage of security bugs in web
browsers, in which the URL in the address bar appears to be for one site but
is, in fact, a link to a totally different site.
A new Windows worm under the name "Korgo" is able to infiltrate a victim's
system with a key-logging Trojan, steal information that the victim enters in
web forms and secretly transmit it to a designated server. There are a number
of variants of this worm and they are spreading rapidly. However, Microsoft in
April came up with a patch to seal this glitch. Many computers without the
patch are still vulnerable to this potentially dangerous worm.
A U.S. Treasury report provides
consumers with steps to prevent and report phishing scams:
- Do not respond to or open any e-mail that warns that an account is about to
be closed. Contact the company directly by phone and inquire about this
e-mail.
- Do not submit financial
information unless there is a symbol for a locked padlock on the browser's
status bar. Also look for the https:// at the beginning of the Web address. If
both of these signs are absent, the Web site is not secure.
- Always review your bank
statement and credit card statements immediately upon receipt.
- Verify the domestic telephone
number listed on the Web site through directory assistance or other reliable
sources and call the number. Many phishing attacks have originated outside the
U.S. and don't have a domestic number.
- Report suspicious activity, or that you have been defrauded, to the FTC and
the FBI in the US, or to the Fraud Squad in the UK or your local police
station.
- Phishing e-mails can be
forwarded to uce@ftc.gov. Complaints can be filed at www.ftc.gov. Phishing
attacks can also be reported to the Internet Fraud Complaint Center at
www.ifccfbi.gov.
Other cautionary measures you should take in order to protect yourself are:
- Since most phishing emails come through spam, get a spam filter and install
it on your computer.
- If you suspect a phishing
attempt, report immediately to the bank. Every bank web site has a link or a
toll-free number to report scams. Don't be ashamed if you were tricked into
divulging account information. If you report it immediately, your account will
be protected until you receive a new PIN.
- Change your passwords and PINs regularly. Banks advise that you use separate
PINs and passwords for different accounts; that way, if one gets compromised,
your entire financial life won't be revealed.
- If you are a frequent user of eBay, download its Web browser toolbar, a
small program that runs with a user's Web browser. It flashes red when the
user visits a possible spoof site. The toolbar uses a database of spoof site
URLs, submitted by customers, that is updated quite often.
- Check your computer frequently for possible Trojan viruses.