Smart Phishing!
Hold on! I am not with the fraudsters, nor am I praising the bad guys. It’s just something about the concepts they come up with. In order to acquire sensitive information such as usernames, passwords, and credit card details, fraudsters usually masquerade as a trustworthy entity using electronic communication. But, thanks to numerous “phishing awareness” online programs, the number of people that were not fooled and took no action on phishing email rose from 75 percent in 2006 to 82 percent in 2007 (survey conducted by SC Magazine).
After the run-on-the-bank issues that impacted most major banks during the 2008 global financial crisis, e-money/e-wallet stored value services came into the spotlight. In simple terms, an e-wallet functions much like a physical wallet, but it provides security, efficiency, and added utility to the end user and, above all, it is not susceptible to run-on-the-bank issues. The main reason for its popularity is that, unlike banks, the company maintains over 100% of deposited funds in trust accounts kept separate from its operating cash (i.e. all of the customers’ cash is on hand and available if they all wanted it at the same time).
As we all know, the popularity of any service always attracts fraudsters, and the same goes for this system as well. The popularity of the e-wallet service provides fraudsters with a golden opportunity to use it for spam/phishing purposes.
Phishers soon started sending out spam/phishing emails redirecting users to fraudulent phishing versions of these sites. In this campaign, the fraudsters do not name any specific bank or credit union; instead, they let users choose their own bank’s name. A scroll list of bank/credit union names is provided on the main page. When a user selects his/her bank name, the site directs the user to the next page, which is a login page.
Above: The login page where two checkboxes and a scroll list are provided.
Above: After selecting a bank name from the list, the “Continue” button is clicked.
Above: The “continue” button, when clicked, redirects to the next page (i.e. the login page displaying the legit bank logo and address of the bank).
Above: If the user’s bank name is not in the list, then there is another option for entering the bank name manually.
Above: After clicking the “Continue” button, it redirects to a login page, but this time without the bank’s logo or address.
One likely reason for running this kind of attack is that the phishing page gives the user the choice of selecting their own bank rather than redirecting to a single bank’s URL. This may make the user feel that the page is genuine and therefore provide the confidential information apparently necessary to proceed with the login. This form of attack could be very dangerous because the chance of losing passwords is increased: credentials for multiple accounts, at many different banks, can be stolen through one phishing site.
Points to remember in order to avoid this type of fraud and scam:
The phenomenon of Internet phishing scams is a serious problem, and the number and sophistication of these schemes are increasing all the time. Individuals using the Web for personal or business reasons must be on the lookout for possible fraud, and employers should warn their employees and customers to be extremely selective about giving out personal financial information over the Internet.
The following is a list of suggestions and recommendations that will help people avoid becoming a victim of these online phishing scams:
1. Never fill out forms in email messages that ask for personal financial information. Many phishing scams are designed to get access to accounts that can then be drained of funds by the scammers.
2. Check online accounts regularly, as well as bank, credit, and debit card statements to make sure all transactions are legitimate.
3. If an email looks as though it might not be authentic, don't use the links within the email to get to a Web page, as it may leave your computer vulnerable. Often the entire point of these emails is to get users to do just that.
4. Always be suspicious of any email with “urgent” requests for personal financial information.
5. If a user does have to provide personal information (like a credit card number), he or she should do so only via a secure website or the telephone.
6. Always make sure a Web server is secure when sharing sensitive information. To do so, check the beginning of the URL in the browser address bar. It should be "https" rather than "http." The "s" stands for secure.
7. It’s advisable to install a Web browser toolbar to alert the user to known phishing fraud websites.
8. If an email message is not personalized, assume that it's a shady message.
9. If emails use upsetting or exciting statements to try to get an immediate reaction, that’s a red flag signaling to stop further action; these statements are almost always false anyway.
And, the most important point:
10. Make sure your browser software is up to date and security patches have been applied.
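Several of the points above (an embedded form asking for financial details, “urgent” wording, a non-personalized greeting, and plain-http links) can be turned into simple mail-filter heuristics. The following script is an added example written for this post, not code from the original article or from any vendor product; the two messages it scans are constructed samples, and the `.invalid` domain is a reserved placeholder rather than a real phishing host. The `score_message` function is a hypothetical scorer whose weights and thresholds are assumptions you would tune for your own mail stream.

```python
import re
from dataclasses import dataclass, field

# Constructed sample messages (subject, body); neither is a real email.
SAMPLE_MESSAGES = {
    "suspicious": (
        "URGENT: verify your e-wallet account now",
        "Dear Customer,\n"
        "Your account will be suspended within 24 hours unless you confirm your details.\n"
        '<form action="http://example-wallet-login.invalid/verify" method="post">\n'
        '<input name="card_number"><input name="password"></form>\n'
        "Click here: http://example-wallet-login.invalid/verify\n",
    ),
    "benign": (
        "Your monthly statement is available",
        "Hello Alice,\n"
        "Your February statement is ready. Sign in at https://wallet.example.com/ "
        "from your bookmarks to view it. No action is required.\n",
    ),
}

# Indicator lists are assumptions for this example; extend them for real use.
URGENT_WORDS = ("urgent", "immediately", "suspended", "within 24 hours", "verify now", "act now")
GENERIC_GREETINGS = ("dear customer", "dear user", "dear member", "dear account holder", "valued customer")
SENSITIVE_FIELDS = ("password", "card_number", "ssn", "pin", "account_number")
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)
FORM_RE = re.compile(r"<form\b[^>]*>.*?</form>", re.IGNORECASE | re.DOTALL)


@dataclass
class Verdict:
    score: int
    reasons: list = field(default_factory=list)


def score_message(subject: str, body: str) -> Verdict:
    """Score one message against the red flags listed in the post."""
    text = f"{subject}\n{body}"
    lower = text.lower()
    v = Verdict(score=0)

    # Point 1: a form inside the email that asks for financial details.
    for form in FORM_RE.findall(text):
        if any(name in form.lower() for name in SENSITIVE_FIELDS):
            v.reasons.append("embedded form requests sensitive fields")
            v.score += 3
            break

    # Points 4 and 9: urgent or alarming statements pushing for immediate action.
    hits = [w for w in URGENT_WORDS if w in lower]
    if hits:
        v.reasons.append("urgent language: " + ", ".join(hits))
        v.score += 2

    # Point 8: a generic greeting instead of a personalized one.
    if any(g in lower for g in GENERIC_GREETINGS):
        v.reasons.append("generic greeting, not personalized")
        v.score += 1

    # Point 6: links that go to plain http rather than https.
    for url in URL_RE.findall(text):
        if url.lower().startswith("http://"):
            v.reasons.append("non-https link: " + url)
            v.score += 2
            break

    return v


def is_suspicious(subject: str, body: str, threshold: int = 4) -> bool:
    """Assumed threshold: a score of 4 or more is flagged for review."""
    return score_message(subject, body).score >= threshold


if __name__ == "__main__":
    for label, (subject, body) in SAMPLE_MESSAGES.items():
        verdict = score_message(subject, body)
        print(f"{label}: score={verdict.score} flagged={is_suspicious(subject, body)}")
        for reason in verdict.reasons:
            print("  -", reason)
```

The https check (point 6) is treated here as only one weighted signal rather than a decision on its own: it tells you the connection is encrypted, not that the site at the other end is the bank’s, so a score built from several independent indicators is more useful than any single one.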