Phishing Update: Key Trends and Warning Signs

New report shows bogus websites and charities are key phishing techniques: Internet Scambusters #530

Information-stealing phishing attacks now number almost 3 billion a year and are growing at an annual rate of 37%.

With crooks now selling “phishing kits” to the criminally minded, we can expect the crime to escalate further and faster.

This week’s issue shows how clever the scammers have become, focuses on the most common current phishing tricks, and highlights the four red flags that should put you on the alert.

Let’s get started…

Phishing Update: Key Trends and Warning Signs

Many years have passed since we first started writing about phishing — the scamming technique for stealing personal information.

In one of our earliest reports, we gave advice on how to avoid it, and we were one of the first sites to set up an identity theft information center.

Phishing Scams: How You Can Protect Yourself

Identity Theft Information Center

But it’s sad to report this crime has become ever more widespread — up 37% year on year, according to latest figures.

In fact, a new report from security company Symantec (the Norton anti-virus firm) has this to say:

“You no longer need to be a sophisticated hacker to commit fraud on the Internet. Anyone who is motivated can join in, thanks to the off-the-shelf phishing kits provided by a thriving cyber crime ecosystem. Cyber criminals are even migrating to a new business model known as Malware-as-a-Service (MaaS), where authors of (phishing) kits offer extra services to customers in addition to the exploit kit itself.”

The company reckons there are an estimated 8 million daily phishing attempts — that’s close to 3 billion a year!

The tricks scammers use have multiplied and become so clever that even experts have been fooled into giving away information subsequently used for identity theft.

For example, in one recent incident, a savvy British journalist was tricked by a call claiming to be from the police about his credit and debit card numbers being used by criminals.

The caller offered to block the card numbers immediately but said she needed PINs and confirmation of the full card numbers.

So far, pretty obviously a scam, isn’t it?

So the journalist asked for the detective’s name and proof of identity.

The caller gave her name and suggested the journalist hang up and call 999 (the British equivalent of 911), then ask to be put through to her.

He did, was answered by an apparent emergency center controller, and put through to the “detective.”

There was also a lot of background noise as if the call was going through to a busy office.

And the “detective” also insisted that for security reasons, the journalist should key in the numbers on his phone, so she (the scammer) wouldn’t even know what they were.

These behaviors were enough to convince him the call was genuine and he gave the information.

But it was a scam, and he had just parted with information that enabled the crooks to virtually drain his bank account.

What is more, the scammer kept the victim on the phone for more than an hour, while his cards were hammered.

What happened?

Well, here’s the secret: In the UK, if you put the phone down and pick it up again, but the other person doesn’t hang up, you’re still connected to them.

It doesn’t matter what number you key in, the other person is still on the line, ready to act out the rest of the charade.

This may not be the same with phone companies in the US — they can auto-disconnect — but everyone should know about this cunning trick, not least because of what it tells us about the devious way the criminal mind works.

And if you key numbers into your phone, software on the other end is perfectly capable of reading them.

One lesson, of course, is never, under any circumstances, to give out your PIN.

People at your bank don’t know it — only their computers do — and they definitely don’t need it to block transactions.

The biggest increase in current phishing activity is via bogus websites, a fact that became very evident last holiday season.

They weren’t so much mimicking legitimate sites as posing as retailers in their own right offering special deals.

The other key technique that’s on the rise is the harvesting of credit card details through phony charity appeals after natural disasters, another activity we’ve written about previously in Charity Scams.

This was particularly prevalent in the months after Hurricane Sandy and comes with any kind of natural disaster — a subject we’ll be returning to next week.

The Symantec report highlights a number of other phishing trends. Though they’re not particularly new, as with the phone example above, they’re often delivered in a more convincing way, often tied to current events.

For example:

* Phishing that plays on economic fears — mainly emails that seem to come from a financial institution claiming they’ve taken over the recipient’s bank or mortgage lender.

They may request confirmation of account details or invite you to click a link to a bogus replica site.

This is particularly effective precisely because so many such mergers are happening in real life.

Action: Never respond to these emails. Visit your bank’s website by keying in the address yourself and take things from there.

* Blended phishing/malware threats — tricking victims into downloading keyloggers that steal personal information.

Often this is done via an email notification about a news item or an eCard.

When you try to view it, you’re told you need to update software on your PC. The supposed update is, in fact, the keylogger.

Action: We always advise against clicking links in email but if you do and the result is an invitation to download or update software, just don’t.

Most Internet security software can be set to generate a warning if a website tries to install a program.

Switch this setting on — check your software help file to find out how to do this.

Symantec lists four red flags you should watch out for as warnings of a potential phishing scam:

1. Misspellings (though these are becoming less common).

2. Generic greetings instead of being personalized, or messages urging immediate action.

3. Threats to the status of your bank or credit card accounts.

4. Any requests for personal information.

None of these, by itself, is proof of a scam but they should immediately put you on alert and make you thoroughly and independently check out such messages.
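As an added illustration (not part of the original newsletter or Symantec's report), here is a small Python triage script that checks an email body against the four red flags above and grades it the same way the text does: a single hit is only a reason to look closer, several together are a strong warning. The keyword lists, the misspelling list and both sample messages are constructed for the example.

```python
import re

# Heuristic checks for the four red flags. Each entry pairs a label with a
# case-insensitive regex. Word lists are constructed for illustration; a real
# mail filter would use far larger lists and a dictionary for misspellings.
RED_FLAGS = [
    ("misspelling", r"\b(acount|verfiy|recieve|securty|imediately)\b"),
    ("generic greeting", r"^\s*(dear (customer|user|member|account holder)|attention)\b"),
    ("urgency", r"\b(immediately|within 24 hours|act now|urgent)\b"),
    ("account threat",
     r"\b(suspend|suspended|locked|closed|terminated)\b.{0,40}\b(account|card)\b"
     r"|\b(account|card)\b.{0,40}\b(suspend|suspended|locked|closed|terminated)\b"),
    ("personal info request",
     r"\b(confirm|verify|provide|enter)\b.{0,40}"
     r"\b(password|pin|ssn|social security|card number|account (number|details))\b"),
]


def flag_message(text: str) -> list[str]:
    """Return the names of the red flags found in one email body, in list order."""
    found = []
    for name, pattern in RED_FLAGS:
        if re.search(pattern, text, re.IGNORECASE | re.MULTILINE | re.DOTALL):
            found.append(name)
    return found


def risk_level(flags: list[str]) -> str:
    """Grade the flag count: no single flag is proof, several together are."""
    if not flags:
        return "low"
    if len(flags) <= 2:
        return "suspicious"
    return "high"


# Constructed sample messages: one built like the "bank takeover" phish
# described above, and one ordinary note from a known contact.
PHISH = ("Dear Customer,\n\nOur bank has taken over your mortgage lender. "
         "Act now: your account will be suspended unless you verify your "
         "account details and PIN imediately at the link below.")
BENIGN = ("Hi Alice,\n\nThanks for calling yesterday. The statement you asked "
          "about is attached; nothing further is needed on your side.")

if __name__ == "__main__":
    for label, body in (("phish", PHISH), ("benign", BENIGN)):
        flags = flag_message(body)
        print(f"{label}: {risk_level(flags)} {flags}")
```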

Says Symantec: “Phishing will continue to evolve into new forms, while attempting to take advantage of human behaviors such as compassion, trust, or curiosity.”

Time to conclude for today — have a great week!