
/fiSHiNG/  noun: phishing
1. the activity of defrauding an online account holder of financial information by posing as a legitimate company.

Phishing is a type of Internet fraud that seeks to acquire a user’s credentials by deception. It includes theft of passwords, credit card numbers, bank account details and other confidential information.

Phishing messages usually take the form of fake notifications from banks, providers, e-pay systems and other organizations. The notification will try to encourage a recipient, for one reason or another, to urgently enter/update their personal data. Such excuses usually relate to loss of data, system breakdown, etc.

Phishing attacks are becoming more advanced in their exploitation of social engineering techniques. In most cases, fraudsters try to frighten a recipient by providing a seemingly important reason that the recipient should divulge their personal data. Such messages usually contain threats to block an account if a recipient does not fulfill the requirements therein. For instance, “if you do not provide your personal data by the end of the week, your account will be blocked”. Ironically, it is not unknown for phishers to make reference to the necessity of improving anti-phishing systems as one of the reasons for the disclosure of confidential information. A typical ruse might be “if you want to secure yourself against phishing, click the link and enter your user name and password”.

Phishers are becoming more and more sophisticated in designing their phony web sites. There's no surefire way to know if you're on a phishing site, but here are some hints that can help you distinguish a real web site from a phishing site.
Often the web address of a phishing site looks correct, but actually contains a common misspelling of the company name or a character or symbol before or after the company name. Look out for tricks such as substituting the number "1" for the letter "l" in a web address (for example, instead of

What are some recent examples of phishing attacks?
A recent e-mail scam asks PayPal customers to provide additional information or risk getting their account deleted because of changes in the service agreement. Recipients are urged to click on a hyperlink that says "Get Verified!"

E-mails that look like they come from the FDIC include a subject line that says "check your Bank Deposit Insurance Coverage" or "FDIC has officially named your bank a failed bank." The e-mails include a link to a fake FDIC site where visitors are prompted to open forms to fill out. Clicking on the form links downloads the Zeus virus, which is designed to steal bank passwords and other information.

E-mails that look like they come from the IRS tell recipients that they are eligible to receive a tax refund and that the money could be claimed by clicking on a link in the e-mail. The link directs visitors to a fake IRS site that prompts for personal and financial information.

A legitimate-looking Facebook e-mail asks people to provide information to help the social network update its log-in system. Clicking the "update" button in the e-mail takes users to a fake Facebook log-in screen where the user name is filled in and visitors are prompted to provide their password. When the password is typed in, people end up on a page that offers an "Update Tool," but which is actually the Zeus bank Trojan.

In this example we can see a very useful way to identify the originating web-site. The trick is to point at the link or logo, DON'T CLICK, then read the hidden address. You will see that it's very suspicious.
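The two tells described above (a web address with a swapped character such as "1" for "l", and a link whose visible text shows one address while the hidden address goes somewhere else) can be checked automatically. The script below is an added example, not part of this letter or Webspinner's own tooling; the brand list, the sample e-mail and every host name in it are constructed for illustration.

```python
# Added example (not part of the letter): two defender-side checks for the
# phishing tells described above, look-alike host names ("1" for "l") and
# links whose visible text names one site while the href goes to another.
# The brand allow-list, the sample e-mail and all host names are constructed.
import re
from html.parser import HTMLParser
from typing import Optional
from urllib.parse import urlparse

# Hypothetical allow-list of sites the reader actually uses (assumption).
KNOWN_BRANDS = ["facebook.com", "fdic.gov", "irs.gov", "paypal.com"]

# Digit/symbol-for-letter swaps commonly used to build look-alike names.
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s", "|": "l"})

# Matches something that looks like a domain inside visible link text.
DOMAIN_IN_TEXT = re.compile(r"([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})")


def registrable_domain(host: str) -> str:
    """Last two labels of a host name (toy approximation; no public-suffix list)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def lookalike_of(host: str) -> Optional[str]:
    """Return the brand a host name imitates, or None when the host is the
    brand itself or does not resemble any known brand."""
    host = host.lower()
    if registrable_domain(host) in KNOWN_BRANDS:
        return None
    # Undo the character swaps, then split the host into its name parts.
    tokens = re.split(r"[.\-_]", host.translate(HOMOGLYPHS))
    for brand in KNOWN_BRANDS:
        name = brand.split(".")[0]
        if any(t.startswith(name) or t.endswith(name) for t in tokens):
            return brand
    return None


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML e-mail body."""

    def __init__(self) -> None:
        super().__init__()
        self.links: list = []
        self._href: Optional[str] = None
        self._text: list = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def suspicious_links(html: str) -> list:
    """Flag links that point at a look-alike host, or whose visible text
    names a different site than the href really goes to."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        real_host = (urlparse(href).hostname or "").lower()
        reasons = []
        brand = lookalike_of(real_host)
        if brand:
            reasons.append(f"host imitates {brand}")
        shown = DOMAIN_IN_TEXT.search(text.lower())
        if shown and registrable_domain(shown.group(1)) != registrable_domain(real_host):
            reasons.append(f"text shows {shown.group(1)} but link goes to {real_host}")
        if reasons:
            findings.append({"text": text, "href": href, "reasons": reasons})
    return findings


# Constructed sample e-mail body (not a real message).
SAMPLE_EMAIL = """
<p>Dear Online Account Holder, Access To Your Account Is Currently Unavailable.</p>
<p>Please verify at <a href="http://www.paypa1-secure.net/verify">www.paypal.com</a>.</p>
<p>Or run our <a href="http://facebook.com.login-update.net/tool">Update Tool</a>.</p>
<p>Questions? See <a href="https://www.paypal.com/help">PayPal Help</a>.</p>
"""

if __name__ == "__main__":
    for finding in suspicious_links(SAMPLE_EMAIL):
        print(f'"{finding["text"]}" -> {finding["href"]}')
        for reason in finding["reasons"]:
            print("   ", reason)
```

Running it flags the first two links (a "paypa1" host pretending to be PayPal while its text says www.paypal.com, and a host that merely starts with "facebook.com") and leaves the genuine PayPal help link alone. The domain logic is deliberately simple: it takes the last two labels as the site name and does not consult a public-suffix list, so it is a reading aid, not a substitute for a mail filter.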

The content of a phishing e-mail or text message is intended to trigger a quick reaction from you. It can use upsetting or exciting information, demand an urgent response, or employ a false pretense or statement. Phishing messages are normally not personalized.
Typically, phishing messages will ask you to "update", "validate", or "confirm" your account information or face dire consequences. They might even ask you to make a phone call.
Often, the message or website includes official-looking logos and other identifying information taken directly from legitimate websites. Government, financial institutions and online payment services are common targets of brand spoofing.

Catch phrases:
E-mail Money Transfer Alert: Please verify this payment information below…
It has come to our attention that your online banking profile needs to be updated as part of our continuous efforts to protect your account and reduce instances of fraud…
Dear Online Account Holder, Access To Your Account Is Currently Unavailable…
Important Service Announcement from…, You have 1 unread Security Message!
We regret to inform you that we had to lock your bank account access.
Call (telephone number) to restore your bank account.

Example of a Phishing E-mail

With the recent increase in fraudulent activity, I thought a few simple reminders may save some of my clients a lot of money and a great deal of frustration.

1) Please be aware that legitimate tradesmen and technicians do not make random phone calls. Microsoft will not be calling to tell you that you have a virus on your computer. (These types of phone calls occur hundreds of times every day.)

2) The FBI or the RCMP will not be emailing you any warnings about your illegal software, and they will not be demanding that you pay a $400.00 fine. (This very common email scam often results in the loss of all personal data, such as pictures, on the victim's computer.)

3) There are no miracle cures for your health or the health of your computer. Green coffee beans and "Super System Sweeper" (or whatever free software it is) are scams and will do nothing useful. (These useless programs install instantly when you visit random websites; you can tell by the extra buttons added to your internet browser.)

If you think you may have been scammed or just want more info, here is a great website from the Canadian Government

It’s quite alarming how many people are falling victim to these scams. My recent experience helping computer users recover from this new threat has revealed that people are being tricked into paying these companies $90 - $450.00. If you have signed up for a service contract and you believe it to be a scam, the first thing you need to do is call your credit card company and cancel the card before the scammers can add more charges; then you can report the scammers and ask for a “charge back”. And lastly, get your computer’s security restored by a professional.


George Rettich, Owner of Webspinner Computer Service.   604-318-1035   Abbotsford, BC.



Copyright © 2001 Webspinner Computer Services All Rights Reserved