Saturday, July 22, 2006

Avoiding being trapped in phishing scams...

Beware of Phishing Scams!


Someone has remarked that in the 20th century human beings' basic needs would expand a little and become Roti, Kapada, Makan aur Internet (food, clothes, home and the Internet). It may at least be true in its entirety that in the 20th century most scams' basic need will be the Internet. Every day more people and organizations embrace the Internet for their financial transactions and everyday activity, and the danger of financial loss through scams grows worse every day.

Every day your mailbox may be flooded with offers of all sorts. Some of them claim to bring you a huge financial benefit if you follow the steps they advise. Most such mails are mere marketing gimmicks, and a few actually lead you into scams. Suddenly, mailboxes across the globe are flooding with pleas for help in which some lady or gentleman wants the recipient's help to divert millions of dollars of illegal money from one location to another. Most recipients understand that it is a fraud, but some ignorant soul falls into the trap and loses hard-earned money and peace of mind.

But what do you do if you get a mail that appears genuine enough to have come from your credit card bank, asking you for some information about your accounts? If you think yourself doubly smart, you will double-check it with the company via some other route, i.e. by phone; that is what you should always do. But if you are in a hurry, or have no idea that something fishy is going on underneath, you will innocently reply, divulging your vital details. Only later do you learn that the genuine-looking mail was in fact a cooked-up fraud, devised to cheat users like you. Within hours of your submitting your credit card numbers, they steal your money electronically. And you are not alone; hundreds are phished in the same manner!

While hundreds of mailboxes are flooded these days with Nigerian-type help messages, in which individuals are lured by the promise of huge financial benefit, some phishers target innocent users by mass-mailing them genuine-looking email messages that request their credit card numbers for some cooked-up reason you may believe at first glance. Such cases are increasing exponentially, at an alarming rate. At one point Anti-Phishing.org, an organization devoted to cracking such scams, was investigating as many as 20 big phishing scams that targeted some big financial institutions and thousands of innocent Internet users. If you are among the lucky few who have not received such emails, you may be wondering what all the fuss is about; nonetheless, one fine day that barrier will finally break, so before you find yourself trapped in a scam, read on and educate yourself.

How they throw their net for phishing:

There may be more, but two types of scam are being reported frequently. Nigerian-type scams are pure scams, and the individuals who fall for them are themselves responsible for the losses they suffer. Here the recipient's mailbox receives messages seeking help to transfer some huge amount of unclaimed or illegal money on a percentage-sharing basis. Since the benefit looks huge, recipients reply to these stupid messages or call back. After some initial negotiation, some money is extracted from the catch (the recipient who responded) towards operating expenses; thereafter the operators vanish. Similarly, some hoaxers send mails saying that the recipient has won a lottery or something of the kind, and want consent and operating expenses so that they can send the booty that was won. Again, the message looks stupid enough, yet a very small percentage do respond and get trapped. The increasing number of such mails in every other mailbox shows that the operators of such scams are really having fun. The cheated catch seldom complains, and since it is an international matter with different laws in different countries, cases are seldom registered. The second kind, called phishing scams, are more sophisticated, more harmful, and targeted at organizations and innocent users. They are therefore a serious cause of concern for everyone. What is phishing and how does it work? Read on:

How they go Phishing:

Phishing, which some call carding and others know as brand spoofing, targets successful, popular online services: banking services, credit cards, e-shops or financial organizations with a huge consumer or user base. For example, they choose big companies like CitiBank or eBay. Next, they break into and capture some web server, generally located in Asia or Eastern Europe and with little or no security, and plant a web page that serves them various purposes. Now they design an HTML email message that may contain everything authentic, from the company logo to the company web address. They design their HTML page so that it uses the actual graphics and other material from the authentic site, giving it a very authentic look. The email explains to the recipient that, due to some emergency, maintenance work, security issue or government requirement, the recipient must furnish credit card numbers and the like to a web site (the planted one), otherwise the service will no longer be available to them. They mass-mail this message either from an email database already in their hands or with the help of a Trojan that mails a copy of itself to everyone in the Outlook address book. Since this email reaches every recipient indiscriminately, whether or not they use the service in question, a non-user smells a rat and throws it in the trash. But users of the service may think the mail is genuine and came from the company itself. If they simply fill in the requested information and submit it without a second thought, the scam succeeds. Later they realise that they have been robbed of money and that their faith in the trusted company is broken. The loss may be small for an individual user, but it is certainly big for the established financial institution that was phished. No industry, bank or financial institution bitten by such phishing attacks wants to become infamous, so most of them neither disclose their losses nor even report such attacks.

How to detect phishers

Phishers use other people's computers for their activities, hence they are very hard to nab, if not entirely impossible. In fact, the entire operation is automated through someone else's computer, and the poor owner has no idea that any phishing is going on. While it is easy to identify the computer to which the information is routed, it can still take anywhere between 24 and 48 hours at minimum to pinpoint the exact server after the first phishing attack is reported. By the time the phisher's page is taken off the server, the damage may already have been done. Phishers initially transfer the money to a temporary account and then pass it electronically to a safe location, so their route is very hard to trace.

In fact, phishers can be smelled at the first instance by examining their email messages. Usually the messages are poorly written, with grammatical and spelling errors. They cook up messages like this: “The company is enhancing its security system to avoid possible frauds and the users are asked to click the link below to re-activate the account where you need to fill up account number”, or like this: “The bank is updating its records and wants you to give your ATM card number for verification through email”. Such messages clearly signal that there is something fishy about them. No system administrator will ask you to submit your account numbers or card numbers; those always remain available to them. It is therefore essential that we educate ourselves to avoid such phishing scams. Here are a few more pieces of advice that may help you evade phishing scams:

How to evade phishers:

  • Stop using HTML email messages. When you can communicate with plain, straight words, why use fancy HTML in your mail? Go to your mail client’s Tools/Options menu and deselect HTML for reading and sending email from now on.
  • You have been advised numerous times not to open unanticipated email attachments, even from a known person. A Trojan that recently sneaked onto your buddy’s PC may have automatically sent a copy of itself to you!
  • Don’t click on any message box or OK button in an HTML mail. Do not submit any kind of form, and do not even reply to messages you think have come from an unknown or unwanted person.
  • Use the highest security level in your browser.
  • Use a tightly configured firewall.
  • If you receive suspicious emails, report the phishing messages to Anti-phishing.org at http://www.anti-phishing.com , an organization dedicated to nabbing phishers and helping you fight phishing attacks and email scams. It may be none of your business to get involved and waste your time, but for humanity’s sake and for a better Internet tomorrow, take a few minutes off your work before deleting the message and report the incident. Try to include the email’s Internet header in your report (in Outlook Express 6, click on the message, click on File, select Properties from the drop-down menu and click on the Details tab of the window that appears; you will see the Internet headers for the selected message; copy and paste them into your report), as it contains information that helps identify and nab phishers.
  • Internet Explorer has a feature that phishers have lately been using, and it is now seen as a serious flaw. If you enter http://www.abc.com@http://www.xyz.com in its address bar, it shows http://www.abc.com in the address bar but takes you to http://www.xyz.com. In fact, IE ignores everything in the address before the @ sign, which is why you are taken to xyz instead of abc. You are taken to the phisher’s site, which looks like the genuine site and shows a genuine address in its address bar. To know exactly where you are in IE, right-click on an empty space and select Properties from the context menu that appears; it will show the real URL of the opened page. Until this flaw is fixed, consider using another browser.
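Both tells described on this page, the user-info part before an @ sign in a link address and a link whose visible text names one host while its href points to another (the Phishing06 screenshot), can be checked mechanically before anything is clicked. The following is an added example, not code from the original post; the message body, the bank name example-bank.com and the address 203.0.113.5 are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample message body, not a real phishing e-mail.
SAMPLE_HTML = """
<a href="http://www.example-bank.com@203.0.113.5/login.php">http://www.example-bank.com/login</a>
<a href="http://203.0.113.5/verify">www.example-bank.com</a>
<a href="https://www.example-bank.com/help">Help Center</a>
"""

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a> element."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None   # href of the <a> currently open, else None
        self._text = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(s):
    """Lower-case hostname of a URL, or of bare text such as 'www.host.com'."""
    s = s.strip()
    if "://" not in s:
        s = "http://" + s
    return (urlsplit(s).hostname or "").lower()

def suspicious_links(html):
    """Return [(href, reason)] for each link that shows one of the two tells."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        parts = urlsplit(href)
        if parts.username is not None:
            # user-info before '@': the browser connects to what follows the '@'
            findings.append((href, f"user-info {parts.username}@ hides real host {parts.hostname}"))
        elif "." in host_of(text) and host_of(text) != host_of(href):
            # visible text names a host, but the href leads somewhere else
            findings.append((href, f"text shows {host_of(text)} but href goes to {host_of(href)}"))
    return findings
```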

Screenshot descriptions:

Phishing01 Email scam. The mail notifies the recipient that 2 lakh euros have been won, out of the blue! Reply to such mail and you are trapped!

Phishing02 The infamous Nigerian-type scam on the prowl. In such messages, the recipient’s help is sought to move a huge amount of illegal money on a percentage-sharing basis. Money is extracted from the trapped victim by demanding an initial operational fund.

Phishing03 Another similar email scam message sent to hundreds of email addresses. If the spam catcher fails, it lands in the inbox. Most users throw them in the trash, but a minuscule, ignorant percentage still get trapped.

Phishing04 Phishers attack big financial institutions with a huge client base, so that even if only a nominal fraction of it responds, the phisher’s gain is substantial.

Phishing05 Anti-phishing.org, an organization that is seriously on the heels of phishers, phishing scams and email scams.

Phishing06 Phishers use an HTML link tag whose target differs from what is shown on the screen, leading you to the phisher’s site to fill in information such as credit card numbers.
