As the holiday season kicks into full swing and online spending and interactions increase, it has never been more important to know the facts about the most effective hook in the modern con-artist’s tackle box -- phishing.
For as long as there has been money, there have been people trying to get at it illegally. Long removed from the pickpockets of yesteryear, today’s con-artists are armed with a computer and a tireless sense of patience.
A Verisign Online Fraud Barometer survey shows that Australians have been defrauded to the tune of well over a billion dollars in the last year, with one in 10 Australian net users falling victim to phishing scams. So what is phishing and how can you avoid it?
What is phishing?
Michael Lee from CBS Interactive describes phishing as “an attempt by scammers to steal a user’s personal information by pretending to be or to represent an organisation that the user would be comfortable handing their money to.”
In other words, scammers masquerade as banks and other financial institutions, sending users fake but well-crafted emails, phone calls and SMS that look legitimate.
Nearly everyone has an affiliation with a bank or lender, and everyone who works must pay taxes, so these are the most likely sources of phishing; however, scammers are expanding their scope, using devious tactics like online surveys claiming to be from companies like McDonalds in order to cast the ‘phishing net’ over a wider group of unsuspecting people.
There’s a play on words here, as scammers ‘phish’ for individuals’ details by sending out millions of random emails hoping that a nibble comes back in the form of someone responding to what they believed was a legitimate message from a trusted source.
To draw a comparison it would be similar to a con-artist dressing up as your local utility provider and knocking on your door to ask for your personal details.
Once the scammer has your details, the sky’s the limit: everything from identity theft and unauthorised purchases through to stealing your life’s savings.
Types of phishing
Just as there are many types of online fraud, there are many ways thieves can ‘phish’ for your details. Here are the most common.
Phishing emails look like they come from a trusted source such as your bank, the government, a charity or a well-known company, and give the appearance of being legitimate through fake business numbers, forged company logos and official-looking company letterheads.
What these emails have in common is that they all will ask you to enter some form of personal identification, usually your banking details.
No financial institution or official source will ever send an email asking you for your personal banking information. If you do receive an email asking for something along these lines, disregard it.
A good general rule of thumb is: do not give your personal details to anyone unless you have contacted them first.
Some of the most common email phishing scams have been:
Hoax bank-email scam:
• In 2009, the Commonwealth Bank issued a security warning after a series of hoax emails were sent out asking customers to: ‘complete surveys, update account details, activate cards, win prizes and money and unlock frozen accounts’. Customers were fooled by the authenticity of the emails that referred to actual staff members within the organisation.
• ANZ has also experienced issues with email phishing. In November 2011, a fake ANZ email was doing the rounds directing its customers to a fake internet banking website. The email asks ANZ customers to confirm their account information by clicking on the link provided in the email. When clicked, a false ANZ internet banking page appears, and if the customer’s details are entered, they’re now in the hands of the scammers.
The email-survey scam:
• A good example of this type of scam was the supposed McDonalds offer of a $50 bonus to customers who completed an online customer satisfaction survey. Once the survey has been completed, the email then requests the customer’s bank/credit card details to deposit the money; you can guess what happens next.
How to identify an email scam
A classic phishing email will look like a legitimate email from a well-known company, so the key is knowing what to look for.
• Pay attention to the URL at the bottom of the page. Does it direct you to the right webpage for the company the email is supposed to be from?
• Grammatical errors should set alarm bells ringing. Inconsistencies in capitalisation, odd use of title case or poor punctuation are obvious errors. Larger organisations would not make careless grammatical mistakes; these are guaranteed methods to spot a scam.
Mobile and SMS scams
• Phishing with the phone line:
Phishers not only scam online, but use all means available to con people out of their personal details; a common tactic is requesting information over the phone.
Just recently, phishers posing as the Australian Tax Office have been making calls informing people about a partial tax refund. The scheme requires that individuals pay tax on their refund before getting the money; in other words, advance fee fraud.
Scamwatch.gov.au has issued an alert for these fraudsters, pointing out that Australian government departments will never contact you via phone or email asking for an upfront payment to claim a refund.
According to itwire.com.au, approximately 8000 people visited a phishing scam site in late 2009 after a multipronged, tax-time scam campaign.
• Hoax SMS: In November 2011, an SMS scam was being sent out to ANZ customers asking them to ensure their account’s security by clicking on the link provided. Much like the hoax email, the fake SMS asks customers to confirm their details through an illegitimate page and wham! You’ve been scammed.
The important lesson to take from these examples is that fraud is not exclusive to the internet and it pays to be a little suspicious and take any request for your personal information with a truck-load of salt.
• Example hoax SMS (taken from the ANZ anti-phishing website):
"To ensure 100% security on your
account, Kindly follow the link below.
Failure to comply might lead to
ANZ BANK LTD"
• Putting aside the fact that financial institutions will never contact you via SMS asking for your details, it should be fairly obvious to most that www.anz.stv.hr is not www.anz.com.
• The choice of language is poor and there are grammatical mistakes: “to ensure 100% security on your account, Kindly follow the link below.”
• Finally, the use of “Thanks” as a sign-off is unprofessional and informal, not something you would expect from one of the big four.
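As an added illustration (not from the article or from ANZ), a small Python check that applies the ‘www.anz.stv.hr is not www.anz.com’ rule mechanically: it compares the host of a link against the institution’s real domain on a label boundary, so a look-alike host that merely contains the bank’s name is flagged. The expected domain anz.com comes from the article; the sample links are constructed.

```python
from urllib.parse import urlsplit

def hostname_of(url: str) -> str:
    """Return the lowercase hostname of a link, tolerating a missing scheme
    (SMS and email links are often written as bare 'www.example.com/...')."""
    if "://" not in url:
        url = "http://" + url
    host = urlsplit(url).hostname or ""
    return host.rstrip(".").lower()

def belongs_to(url: str, expected_domain: str) -> bool:
    """True only if the link's host IS the expected domain or a subdomain of it.
    Matching on a label boundary means 'www.anz.stv.hr' and 'www.anz.com.login.example'
    both fail for expected_domain='anz.com', while 'www.anz.com' passes."""
    host = hostname_of(url)
    expected = expected_domain.lower().strip(".")
    return host == expected or host.endswith("." + expected)

def check_links(links, expected_domain):
    """Classify each link as 'ok' or 'suspicious' against the sender's real domain."""
    return {link: ("ok" if belongs_to(link, expected_domain) else "suspicious")
            for link in links}

# Constructed sample links, modelled on the hoax SMS host quoted in the article.
SAMPLE_LINKS = [
    "https://www.anz.com/personal/",
    "www.anz.stv.hr/secure",
    "http://www.anz.com.login.example/verify",
    "https://internetbanking.anz.com:443/login",
]

if __name__ == "__main__":
    for link, verdict in check_links(SAMPLE_LINKS, "anz.com").items():
        print(f"{verdict:10s} {link}")
```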
How do you stop this happening to you?
Michael Lee from CBS Interactive gives some pointers on how to spot a phishing scam and stay protected online this holiday season.
- Be diligent with your online habits: make yourself a list of things to look for in emails or websites you think are suspicious.
  - Is it grammatically correct?
  - Does the document contain any typos? This may be the domain URL, i.e. www.anz.stv.hr, or something as obvious as a misspelt company logo or letterhead.
  - Does the site look authentic? Trust your gut feeling.
- Always have the most up-to-date anti-virus software installed on your computer.
- Ensure that the internet connection is a ‘trusted connection’ – if you are in an internet café or public computer, consider delaying your purchases till you’re at home.
- Is it using encryption (https)? Does your browser display the padlock symbol?
It is important to note that phishers are using increasingly sophisticated methods to target your personal information.
- Never send any sensitive information through email – treat it as an unsecure connection.
- Immediately change your password if you think your account has been compromised – never use the same password across multiple sites and ensure they are changed at least twice a year.
- Know who to call if you think your credit card has been compromised.
- After shopping online check your credit card receipts and make sure that your full card number has not been disclosed.
- Use buyer protection features on credit cards and sites like PayPal if you have hesitations about shopping online – avoid direct debit or money orders.
- Remain alert and suspicious; if it’s too good to be true, it probably is.
Scams doing the rounds at the moment
Fraudwatch International publishes a daily list of most of the phishing scams getting around. If you think you have received a suspicious email, cross-check it with scam alert pages like Fraudwatch and don’t hesitate to get in touch with your provider, who will have resolution processes in place.
Phishers are getting smarter every day: the tactics they use to manipulate and con are increasing in sophistication and becoming harder and harder to distinguish from the real thing. Use caution, and never give your details to anyone online or over the phone unless you have initiated the contact.
- By Jacob Joseph