Saturday, March 18, 2006

Have you been phished?

This piece was contributed by reader Henrylito D. Tacio

'It has come to our attention that your account information needs to be updated as part of our continuing commitment to protect your account and to reduce the instance of fraud on our website. If you could please take 5-10 minutes...and update your personal records, you will not run into any future problems with the online service.'

If the receiver fails to update his records: "account suspension." If he updates it, then his online experience "will not be interrupted and will continue as normal."

According to the e-mail, the account records must be updated "on or before" a specified date. It also gives a link where the receiver can update his account records.

Rafael made one of the blunders of his life by clicking the link mentioned in the e-mail -- despite the fact that he had never applied for the account cited and the deadline was already almost two weeks past.

"Out of sheer curiosity," he said, "I clicked on the link provided in the email. Whether a coincidence or not, I have been having computer problems since I did that, prompting me to scan my system for viruses three times over a 24-hour period. According to the scans, my system is clean."

Rafael could still be considered fortunate: computer problems were all he suffered for doing so.

The case of James was even more troubling. When he clicked the provided link, a form was displayed and asked for his credit card numbers and password.

At first, he disregarded it. But when he received the "request" two more times, he decided to respond. He filled out the form and, soon, the nightmare started.

Two months after the incident, he received a call from his credit card company. Did he transfer his residency? Did he lose his credit card? Did he purchase something astronomical? He answered negatively to all these questions. "What are all these inquiries?" he wondered.

Today, James knows. He had been a victim of phishing, one of the fastest growing types of fraud. It uses e-mails appearing to come from a legitimate company and directs recipients to bogus websites where they are asked for personal or financial information.

"Phishers create and dismantle these phony sites very, very fast, stockpiling credit card numbers, passwords and other personal financial information over the course of just a couple of days, in order to avoid detection," says Dan Larkin, unit chief at the Internet Crime Complaint Center of the Federal Bureau of Investigation in the United States.

The term "phish" was first coined in the mid 1990s by crackers attempting to steal America Online (AOL) accounts. An attacker would pose as an AOL staff member and send an instant message to a potential victim. The message would ask the victim to reveal his or her password, for instance to "verify your account" or to "confirm billing information." Once the victim gave over the password, the attacker could access the victim's account and use it for criminal purposes, such as spamming (the act of sending unsolicited electronic messages in bulk).

The term "phishing" is sometimes said to stand for "password harvesting fishing," though this is likely a "backronym" -- a retroactively coined acronym. Some theories attribute the term "phishing" to the name "Brien Phish," who allegedly was the first to use psychological techniques to steal credit card numbers in the 1980s. Others believe that "Brien Phish" was not a real person but a fictional character used by scammers to identify each other.

"The con men, or phishers, actually steal two identities: first, they hijack the names, and logos of trusted banks, online retailers, credit card companies, and Internet service providers, among others," wrote James Malanowski in an article published in 'Reader's Digest.'

Malanowski, who was himself a victim of phishing, further wrote: "Then, (the phishers) use the fake e-mails and websites to fool people into divulging personal data -- credit card numbers, account user names and passwords, and so on. The phishers use that data to charge goods or steal money."

"The biggest online scam ever" is how Malanowski described phishing.

Today, it is fast becoming a crime epidemic. Millions of computer users -- particularly new and inexperienced users -- have fallen victim to phishers. It's estimated that up to one in twenty users who receive a phisher's email will respond to it, unknowingly providing enough sensitive information to incur tremendous financial losses.

Just how widespread is the problem? We don't have statistics available in the Philippines.

But Malanowski has this figure from the United States: "Fifty-seven million Americans either are sure they have received e-mail attacks from phishers or believe they may have; 11 million have clicked on the link in the e-mail; and 1.78 million -- about three percent of those attacks -- recall giving out sensitive financial or personal information. Of those, 980,000 were actually scammed."

This author has learned from the internet that phishers lure their victims in several ways. Whatever the approach, here are a few signs typical of a phisher's e-mail:

  • The e-mail specifically states it's not a scam. It's kind of like when a cop stops a guy for speeding, and he immediately sputters out, "I didn't murder anybody! You can't prove anything!"
  • The e-mail requires immediate action of some sort, like the one received by Rafael.
  • The e-mail asks you to send back sensitive information, whether by reply or through a linked form, as in the case of James. If your bank actually uses this as a method of verifying account information, you need to switch banks.
  • The e-mail contains typos or blatant grammatical mistakes. A typo isn't a big deal, and a split infinitive isn't something to get too worried about. But just the same, watch for these: two or more typos/misspellings, run-on sentences, weird capitalization, blatantly bad syntax, and incorrect brand spellings.
  • The e-mail is impersonal. Instead of your name, the salutation reads: "Dear Valued Customer."
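The signs above can be checked mechanically. The script below is an added example, not part of the original article: it parses a raw e-mail, looks for the "not a scam" claim, urgency phrases, requests for passwords or card numbers and a generic salutation, and inspects every link to see whether the text shown to the reader names a different host than the one the link really goes to (the check behind the advice not to follow links). The two sample messages, the phrase lists, the 40-character "long link" threshold and the two-signs verdict are all my own assumptions, not figures from the article.

```python
import re
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the message quoted in the article. Not a real
# phishing e-mail: the addresses, hosts and session token are placeholders.
SAMPLE_PHISH = """\
From: "Account Services" <security@examplebank-verify.invalid>
Subject: Urgent: update your account records
Content-Type: text/html; charset="us-ascii"

<html><body>
<p>Dear Valued Customer,</p>
<p>This is not a scam. It has come to our attention that your account
information needs to be updated. If you fail to confirm your password and
credit card number on or before March 20, your account will be suspended.</p>
<p><a href="http://203.0.113.10/~upd/login.php?sid=8f3a2c41b7e">https://www.examplebank.com/secure/update</a></p>
</body></html>
"""

# Constructed benign message for comparison (placeholder addresses as well).
SAMPLE_LEGIT = """\
From: "Example Bank" <statements@examplebank.com>
Subject: Your March statement is ready
Content-Type: text/html; charset="us-ascii"

<html><body><p>Dear Ms. Santos,</p>
<p>Your March statement is now available. Sign in at our website as usual to view it.</p>
<p><a href="https://www.examplebank.com/">www.examplebank.com</a></p></body></html>
"""

# One pattern per sign from the article. The word lists are deliberately small
# (assumed); a production filter would carry far larger ones.
NOT_A_SCAM = re.compile(r"\bnot a (scam|hoax|fraud)\b", re.I)
URGENCY = re.compile(r"\b(urgent|immediately|on or before|within \d+ (hours|days)"
                     r"|will be (suspended|cancell?ed|terminated|closed)|account suspension)\b", re.I)
SENSITIVE = re.compile(r"\b(password|pin|credit card|card number|account number|social security)\b", re.I)
GENERIC_SALUTATION = re.compile(r"\bdear\s+(valued\s+)?(customer|member|user|client|account holder)\b", re.I)
LONG_LINK = 40  # assumed threshold, in characters, for a "long and cumbersome" link


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _body(msg):
    """Decoded text of the first text/* part (the whole payload if not multipart)."""
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            raw = part.get_payload(decode=True) or b""
            return raw.decode(part.get_content_charset() or "utf-8", "replace")
    return ""


def _host(url):
    """Hostname of a URL; bare text like 'www.example.com' is read as http://www.example.com."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def check_links(links):
    """Link signs: shown host differs from the real destination, destination is a bare IP, or the link is long."""
    flags = set()
    for href, text in links:
        real = _host(href)
        if re.match(r"^(https?://|www\.)", text, re.I) and _host(text) != real:
            flags.add("link_text_mismatch")
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", real):
            flags.add("link_to_ip")
        if len(href) > LONG_LINK:
            flags.add("long_link")
    return flags


def analyze(raw_message):
    """Return the set of phishing signs found in an RFC 822 message string."""
    msg = message_from_string(raw_message)
    body = _body(msg)
    text = (msg.get("Subject") or "") + "\n" + re.sub(r"<[^>]+>", " ", body)  # tags stripped
    flags = {name for name, pat in (("claims_not_scam", NOT_A_SCAM), ("urgency", URGENCY),
                                    ("asks_sensitive", SENSITIVE), ("generic_salutation", GENERIC_SALUTATION))
             if pat.search(text)}
    collector = _LinkCollector()
    collector.feed(body)
    return flags | check_links(collector.links)


def is_suspicious(raw_message, threshold=2):
    """Two or more signs together is treated as phishing (assumed threshold)."""
    return len(analyze(raw_message)) >= threshold


if __name__ == "__main__":
    for name, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(name, sorted(analyze(sample)), "SUSPICIOUS" if is_suspicious(sample) else "ok")
```

Run as-is, the sample modelled on the article trips all seven checks, while the benign statement notice trips none. The link comparison is the one worth keeping even if the phrase lists are dropped: the visible text of a link is attacker-controlled, so only the `href` host says where a click will actually land.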

As a precaution, when you receive an e-mail which you suspect comes from phishers, here's what you need to do:

  • Don't download any included attachments. Despite what the e-mail says, most legitimate organizations don't require their customers to download e-mailed programs to maintain accounts.
  • Don't follow any links within the e-mail, especially if the provided link is a long and cumbersome link. Instead, open a browser window, and manually type in the web address of the company and follow links there.
  • Contact the customer support of the company that supposedly sent you the e-mail, by phone or by e-mail, and ask them to verify whatever claims are being made in the e-mail ("I received an e-mail telling me my account may be canceled if I don't confirm my account number; is this true?").
  • Do NOT respond to the original email. Get the email address from the company's website after manually typing in the address.

"Phishers are the street muggers of the digital age, using computers instead of weapons to steal financial information and identities from innocent people," said Tatiana Platt, senior vice-president for integrity assurance for America Online.

Whatever happened to Rafael? Well, here's what he said: "While my trouble appears to be minor, I am not taking any chances. I decided to take the troubled system offline and replace it with a new system. Unfortunately this caused me to lose some data."
