Beware of Email Scams

Several years ago, the most common email scam was the lure of the Nigerian prince who needed help moving millions of dollars from his account to a safer account outside his country. All he needed was a kind-hearted soul willing to provide their bank information to make the transfer. In return, the good Samaritan would get a percentage of that money.

What is the aim of these email scams? Money. It is always about money. For the Nigerian prince, once your bank account details are in the scammer's hands, the person behind the facade can siphon off whatever balance you have.

Email Trends

I heard at a conference I attended several months ago that a white hat hacker put an end to the Nigerian email scam years ago, and that's why you and everyone else aren't hearing much from the prince. However, there is a new breed of email scams out there, and they fall into these general categories:

  • phishing
  • impersonation
  • extortion

Like the Nigerian prince scam, these email scam trends are all about money: stealing your money, or money you have access to.

Phishing

Phishing's goal is to steal your account credentials. It is done through a simple but official-looking email that appears to come from a trusted organization, except that it is bogus. The email might say something to the effect that you need to verify your bank account in order to keep it secure. To do this, all you need to do is click a link, which takes you to a nice-looking web page that resembles the bank's site. But it isn't the bank's site. It asks for your account name and password, and after you submit them it may say that the page can't be found or that something went wrong, redirect you to the real bank site, or do something else entirely. Regardless, once you click submit, they have your credentials. That is pure phishing. Keep in mind that the text of a link and the address it actually opens are two separate things; hovering over the link (or long-pressing it on a phone) shows the real destination before you commit to it.

If it was your email account that was compromised, the result could be more phishing against your contacts or, if the account is a work account, against other people in your organization.

Phishing is really the entry point for a hacker’s ability to monetize their efforts.
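The bogus-link trick described above can be checked mechanically. The script below is an added example, not code from the original article: it pulls every link out of an HTML email body and flags the three tell-tales a mail filter looks for, namely visible link text whose domain differs from the real href, an href that is a bare IP address, and a host that merely contains the trusted bank's domain as a prefix. The bank domain examplebank.com, the look-alike hosts and the sample message are all constructed for the example.

```python
"""Flag phishing-style links in an HTML email body (added example).

Three checks a mail filter, or a careful reader, can apply to every
<a href="..."> in a message:

 1. the visible link text shows one domain while the href goes to another;
 2. the href points at a bare IP address instead of a named host;
 3. the href's host merely *contains* the trusted brand's domain, as in
    examplebank.com.secure-login-verify.example, which is not examplebank.com.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical bank being impersonated; stands in for the real one.
TRUSTED_DOMAINS = {"examplebank.com"}

# Constructed sample of the "verify your account" mail described above.
SAMPLE_HTML = """
<p>Dear customer, please verify your account to keep it secure.</p>
<a href="http://examplebank.com.secure-login-verify.example/signin">
  https://www.examplebank.com/verify
</a>
<br>
<a href="https://www.examplebank.com/help">Help centre</a>
<br>
<a href="http://203.0.113.7/login">Sign in now</a>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every anchor in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None   # href of the anchor currently open, if any
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            text = " ".join("".join(self._text).split())  # collapse whitespace
            self.links.append((self._href, text))
            self._href = None


def is_ip_literal(host):
    """True for a dotted-decimal IPv4 literal such as 203.0.113.7."""
    return host.replace(".", "").isdigit()


def registered_domain(host):
    """Crude registrable domain: the last two labels (www.examplebank.com -> examplebank.com).
    Good enough here; a production filter would consult the Public Suffix List."""
    host = host.lower().rstrip(".")
    if is_ip_literal(host):
        return host
    return ".".join(host.split(".")[-2:])


def host_shown_in_text(text):
    """If the link text itself looks like a URL or domain, return that host, else None."""
    token = text.strip()
    if not token or " " in token:
        return None
    parsed = urlparse(token if "://" in token else "http://" + token)
    host = parsed.hostname or ""
    return host if "." in host else None


def classify_link(href, text, trusted=TRUSTED_DOMAINS):
    """Return the reasons a link looks like phishing; an empty list means clean."""
    reasons = []
    href_host = (urlparse(href).hostname or "").lower()
    href_domain = registered_domain(href_host)

    shown = host_shown_in_text(text)
    if shown and registered_domain(shown) != href_domain:
        reasons.append("text shows %s but link goes to %s" % (shown, href_host))

    if href_host and is_ip_literal(href_host):
        reasons.append("link goes to a bare IP address %s" % href_host)

    for brand in trusted:
        if brand in href_host and href_domain != brand:
            reasons.append("%s appears inside untrusted host %s" % (brand, href_host))
    return reasons


def scan_email(html, trusted=TRUSTED_DOMAINS):
    """Return {href: [reasons]} for every suspicious link in the HTML body."""
    collector = LinkCollector()
    collector.feed(html)
    findings = {}
    for href, text in collector.links:
        reasons = classify_link(href, text, trusted)
        if reasons:
            findings[href] = reasons
    return findings


if __name__ == "__main__":
    for href, reasons in scan_email(SAMPLE_HTML).items():
        print(href)
        for reason in reasons:
            print("   -", reason)
```

On the constructed sample, the "verify" link is flagged twice (text/href mismatch and brand-in-untrusted-host), the bare-IP "Sign in now" link is flagged once, and the genuine help-centre link is left alone. The last-two-labels rule in registered_domain is a deliberate simplification; country-code domains such as example.co.uk need the Public Suffix List to be handled correctly.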

Impersonation

Anyone can impersonate anybody else on the Internet through email. How? Because anyone can create an email account under almost anyone's name, provided that address isn't already taken. And even then, anyone can put anyone's name in the email display name; that is, if my email address is xyz123@gmail.com, I can set "Prince Charles" as the display name. Many mail clients, especially on phones, show only the display name and hide the actual address, so if the recipient were in any way associated with or related to the actual Prince Charles, they might well think the email came from the prince.

Impersonation can be monetized in many ways. Two of the most common ways are:

  • asking for a favor by requesting gift cards
  • asking for a list of employee information

In the gift card case, the perpetrator gets money by pretending to be an employee's manager or some high-ranking official in the organization. The hacker scouts the organization's web site, works out the organizational structure, and finds the names of managers and their direct reports. Once they have this, they are all set.

They simply create an account on Gmail, Yahoo, or any other free email service, and set the display name to the name of the manager the targeted employee reports to. The first email is very simple: it asks whether the employee is in the office. If the employee responds, the ploy begins. The hacker, posing as the manager, says the manager is stuck in a meeting and needs some gift cards, and asks the employee for the favor of buying one or more, with a promise to pay them back as soon as the meeting is over.

If the employee agrees to help out, the impersonator asks them to simply take pictures of the gift cards, codes included, and email the pictures back. Once the employee does this, the money is gone and the employee is out whatever they paid for the cards.

This scenario is playing out every day across the country. And it keeps happening because it works!

Extortion

This one is a little different, and it plays on people's fear that hackers can capture their activities online. A typical extortion email in this class arrives with the From address matching the target's own email address. The claim is that the hacker hacked the target's email account and, on top of that, has videos and pictures of the target's Internet activities, which will be published unless the target pays up. The From header proves nothing: it is free-form text that any sender can set, so a message "from yourself" is no evidence that your account was touched. All the scammer needs to begin is your email address.
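Both the display-name impersonation from the previous section and the "email from yourself" trick above can be caught from the message headers alone. The script below is an added example, not code from the original article: it parses a raw message, checks whether a known name arrives from an outside address, and checks whether a From address on your own domain (including your own address) actually passed SPF and DMARC according to the Authentication-Results header that your inbound mail server stamps on every message. The domain example.com, the server name mx.example.com, the names in KNOWN_PEOPLE and the three sample messages are constructed for the example.

```python
"""Header checks for display-name impersonation and a forged own-domain From (added example).

* Impersonation: the display name is a known colleague or executive, but the
  address is on some free mail service rather than the organization's domain.
* Forged own-domain sender: the From claims our own domain (in the extortion
  case, the recipient's own address) but the receiving server's SPF/DKIM/DMARC
  checks, recorded in Authentication-Results, did not pass.
"""
from email import message_from_string
from email.utils import getaddresses, parseaddr

ORG_DOMAIN = "example.com"                      # hypothetical organization
KNOWN_PEOPLE = {"Pat Manager", "Chris Ceo"}     # constructed org-chart names

# Constructed messages. The Authentication-Results header is the one that
# mx.example.com (our hypothetical inbound server) adds on arrival.
GIFT_CARD_MSG = """\
From: "Pat Manager" <pat.manager.office77@freemail.example>
To: "Sam Staff" <sam.staff@example.com>
Subject: are you in the office?
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=freemail.example; dkim=pass header.d=freemail.example; dmarc=none

Hi Sam, are you at your desk? I need a quick favor.
"""

SEXTORTION_MSG = """\
From: sam.staff@example.com
To: sam.staff@example.com
Subject: I have a recording of you
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=example.com; dkim=none; dmarc=fail header.from=example.com

I hacked your account and recorded you. Pay in bitcoin within 48 hours.
"""

LEGIT_MSG = """\
From: "Pat Manager" <pat.manager@example.com>
To: sam.staff@example.com
Subject: team meeting
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass header.from=example.com

See you at 10.
"""


def parse_auth_results(value):
    """'mx.example.com; spf=fail smtp.mailfrom=x; dmarc=fail ...' -> {'spf': 'fail', 'dmarc': 'fail'}.

    The first clause is the authserv-id of the server that did the checking."""
    results = {}
    for clause in value.split(";")[1:]:
        parts = clause.split()
        if parts and "=" in parts[0]:
            method, verdict = parts[0].split("=", 1)
            results[method.lower()] = verdict.lower()
    return results


def check_message(raw, org_domain=ORG_DOMAIN, known_people=KNOWN_PEOPLE):
    """Return a list of findings; an empty list means the headers look honest."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    from_domain = addr.rpartition("@")[2]
    recipients = {a.lower() for _, a in getaddresses(msg.get_all("To", []))}
    auth = parse_auth_results(msg.get("Authentication-Results", ""))
    names = {p.lower() for p in known_people}
    findings = []

    # 1. A trusted name on an outside address. Authentication cannot catch this:
    #    the scammer really does control the freemail account, so SPF passes.
    if display.strip().lower() in names and from_domain != org_domain:
        findings.append("display name %r used with external address %s" % (display, addr))

    # 2. Mail "from yourself" that your own server could not authenticate.
    if addr in recipients and auth.get("dmarc") != "pass":
        findings.append("From equals recipient %s but dmarc=%s" % (addr, auth.get("dmarc", "missing")))

    # 3. Anything claiming our own domain that failed SPF or DMARC is forged.
    if from_domain == org_domain and (auth.get("spf") == "fail" or auth.get("dmarc") == "fail"):
        findings.append("claims %s but failed authentication (%s)" % (org_domain, auth))
    return findings


if __name__ == "__main__":
    for label, raw in (("gift card", GIFT_CARD_MSG), ("extortion", SEXTORTION_MSG), ("legit", LEGIT_MSG)):
        print(label, "->", check_message(raw) or "clean")
```

Two caveats matter when using this for real. First, only trust the Authentication-Results header your own server added (the one whose authserv-id is your server's name); a sender can insert a fake one, which is why inbound servers are supposed to strip any they did not write. Second, the gift card mail passes SPF and DKIM cleanly, because the scammer really does own the freemail account, so only the name check catches it; authentication headers tell you who sent the mail, not whether that sender is who they claim to be.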

To pay up, the target is told to buy bitcoin, click a link in the email, and paste a long string (the scammer's wallet address) into that web page. The email promises that once the target pays, they are safe; since there were no recordings in the first place, paying buys nothing.

Believe it or not, some people fall for this. And it doesn't take much of a success rate for the hacker to make money. They make money, and that is why they do this.

A more destructive type of extortion is the type that infects your computer and encrypts your files, commonly called ransomware. It preys on people who run no anti-virus or anti-malware software and, worse, keep no backups that would let them recover without paying.

These come in as an official-looking email claiming that there is an invoice you must pay or your credit will be ruined, or some other threatening reason. The email carries an attachment that looks like an invoice, but opening it installs and runs malware that encrypts all your pictures, videos, and other documents. You may not know about it until, some days later, it pops up a page saying that you must pay to decrypt your files.

Here, too, they ask you to buy bitcoin to pay. After you pay, they promise to give you the key to decrypt your files.

Now, I don't know if this is true, but the hackers seem to keep their word. People's files are restored after they pay up, but I wouldn't really bet on it. Anyway, if you don't want to fall prey to this, don't open any attachment you receive via email unless you know what it is.

Conclusion

If you don't take anything else from this article, take at least this:

You cannot trust anything you get via email. If in doubt, don't open attachments or click links. If the email looks like it is coming from someone you know, call them to verify, using a number you already have rather than one given in the email.

—forlanda.net–

In order to properly spot an Internet phishing scam, you need to know what it is. When someone or some organization is phishing, they are attempting to obtain confidential information under false pretenses with the objective of stealing credit card numbers, passwords, or other personal or financial data. With this in mind, spotting an Internet scam may be extremely difficult for a novice Internet user like grandma, grandpa, or anyone who isn't familiar with the Internet and doesn't know what may or may not be legitimate online.

When you finish reading this article, you will:

  • Know how to spot and avoid phishing scams 100% of the time
  • Know what to do with phishing attempts against you
  • Know what to do should someone you know become a victim

Pay close attention to every word of this article; it may save you and others a lot of headache later.

Phishing scams are nothing new. If you use Google Trends, you will see that the terms "phishing" and "phishing scams" have appeared in news articles ever since Google started tracking them in late 2003 and early 2004. You will also notice that the search trend for the term "phishing" took off in the second quarter of 2004, while the search for the phrase "phishing scam" only took off in the first quarter of 2005. At the time of this writing, June 2009, there continue to be news articles about the rise of phishing scams. Here are some recent ones, just to give you a feel:

  • Phishing Scams can Wipe Out your Bank Account (19 Jun 2009) – The lure of money can convince some people down on their luck to send in their bank account information in hopes of getting free money.
  • Internet Job Scams (19 Jun 2009) – Online job postings lure job seekers into providing confidential information.
  • Phishing Disguised as Virus Warning (15 Jun 2009) – Users at the University of Arkansas are being scammed out of their account information through an e-mail warning them of a virus.
  • E-mail Account Phishing Scam hits Penn State (08 Jun 2009) – Penn State users are being scammed through an e-mail that purports to come from the Penn State helpdesk; the e-mail asks users to divulge their account name and password.

It may seem that one has to have some degree of computer and Internet literacy to spot a phishing scam. Fortunately, that isn't the case. It is extremely easy to spot these scams; all you need to remember are two simple rules.

These two rules will help ensure you have a 100% hit rate in your ability to spot any phishing scam.

  • If it is too good to be true, it probably is.
  • Any unsolicited communication (e-mail, text, social networking message, or any other form of communication) requesting confidential information or asking you to click a link to sign in is an attempt at phishing. A real organization that needs you to sign in will let you get there by typing its address into your browser yourself.

You can apply these rules against the examples below and see how easy it is to spot a scam:

  • You receive an e-mail stating that there is some inheritance to be released to you; however, they need your name, address, phone/fax, age, and occupation in order to release the funds.
  • You receive an e-mail from Mrs. Aaisha Ali Abaul, who is dying and who happens to have inherited millions of dollars. She would like to give you her millions as her last good deed; of course, you will need to provide her your bank account information in order to transfer the millions.
  • Bank of America sends you an e-mail stating that you need to verify your account information. A login link is provided for your convenience.
  • PayPal sends you an e-mail stating that your account has been breached. They ask you to log in to correct the problem, and they conveniently give you a link to do this.

Now that we know how to spot phishing scams, dealing with them is straightforward. If they are in your e-mail box or message inbox, delete them. If you cannot delete them, ignore them. By all means, do not respond to any of these communications; a reply lets the scammers know you are a live one.

At this point in the article, you should never become a phishing scam victim; but what if a relative or close friend becomes one? It is never too late to learn, so have them read this article as well. Then have them read the Federal Trade Commission's page, Defend: Recover from Identity Theft, which provides a wealth of information on what to do.

If you don't remember anything else from this article, just remember this: "If it's an unsolicited communication, it is very likely a phishing scam in one form or another."