Not so long ago, a friend of mine was scammed by entering his online banking credentials in what seemed to be his bank’s usual login screen. The website used the same colors, same design, same logo, same everything. He lost about $6,000 in that scam.
It’s what the internet calls a phishing scam. Why is it called phishing?
It’s just an alternate spelling of “fishing”, which is an apt description of the process. You cast out thousands of spam emails, hoping to catch just a few victims. The spelling of the name may have been inspired by the term “phreaking”, which is the term for a variety of telephone system hacks and cheats. Source: http://boards.straightdope.com/sdmb/archive/index.php/t-254890.html
Here’s how you can identify these scams and protect yourself and your business from them:
#1. The “We’re from Microsoft, Apple, IBM etc.” scam.
Simply put, large corporations do not ring or email offering to fix anything. If there’s a problem with one of their products, you’ll get a notification and be asked to update (note that there’s a difference between updating the software you already have and installing new software).
In 2013/2014, people from all over the world received calls from scammers purporting to be from Microsoft. The scammers informed them that Microsoft had identified a virus on their computer and were offering to fix it for free. Many fell for it, assuming that since it was free, it couldn’t be a scam. However, after the scammers ‘fixed’ the non-existent issues, they offered to protect the computer from any future problems via a subscription to their program. The aim of that, of course, was to steal credit card details.
Here’s an excellent video clip showing the entire scam as it happens:
#2. The “MUST ACT NOW!!” scam.
95% of emails from unknown senders that contain words such as “must” or “last chance”, or similar words denoting urgency, are scams that rely on fear to push you into taking the action they ask for, i.e. clicking on that link.
#3. The “from a known/safe email” scam.
This type of scamming is not used as often as it used to be because most email applications detect that the email is a hoax. However, it’s good to be familiar with it just in case you find a strange email from a trusted contact in your inbox.
Be aware: anyone can send an email from any address. When someone is developing a website, they can set the “from” email address to whatever they want. By doing so they risk their website’s IP address being marked as a spam generator, but the email itself won’t be marked as spam the first few times. So they send you an email that doesn’t look out of the ordinary (e.g. an existing client or your boss asking you to click on a link), so that you trust whatever information the email gives and/or requests. For example:
However, (using the example above) if you reply to the email, your reply will be sent to email@example.com, and that address resolves to the mail server where the account is actually hosted, not to the server the message was generated from. The good news is, if you’re ever unsure of an email, reply and ask the sender to confirm that the email actually came from them.
#4. The ghost website scam.
A ghost website is a website that appears to be identical to the original but is actually a fake or ghost site. Westpac’s clients faced this issue a while ago. Emails that appeared to be from Westpac were sent out with a link that, if clicked, took you directly to the ghost website. It looked exactly the same as the legitimate Westpac website, but the owner and domain of the website were different.
So, how can you safeguard against this? Firstly, always check the URL of the link in the email. The URL is the address of the website you are visiting. Secondly, if you’ve already clicked on the link, check the website’s address for discrepancies from the valid URL (as in the image below).
#5. The “sent via” scam.
I received an email recently with the subject “Naguib Ihab are you aware of this?”. I know that none of my contacts would send me an email addressed by my first and last name, and, like all suspicious emails, it’s asking me to download what’s supposed to be an invoice from someone I have never received an email from before.
What’s expected of me is to think “what invoice?” and immediately download the attachment and unzip it. Apart from the fact that I have never contacted this person before, what gives this email away is the “via eigbox.net” part, which means that the email was never generated from “firstname.lastname@example.org”.
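A small detector that applies the checks from #2, #3, #4 and #5 above, added here as an example (it is not code from the original post): it flags a Reply-To, Sender (“via”) or Return-Path domain that differs from the From domain, urgency wording in the subject, and links whose visible text names a different host than the real href. The message, addresses and hosts below are constructed samples, not real ones.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample message (not real): the visible From claims a trusted
# domain, but Reply-To and Sender point elsewhere, the subject pushes urgency,
# and the link text shows one host while the href leads to another.
SUSPICIOUS = """\
From: Accounts <boss@trusted-example.com>
Reply-To: boss@mailbox-example.net
Sender: bounce@eigbox-example.net
Subject: Invoice attached - MUST ACT NOW
Content-Type: text/html

<p>Please review: <a href="http://bank-example.com.login-example.net/login">https://www.bank-example.com/login</a></p>
"""

HREF_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
URGENCY_RE = re.compile(r"\b(must act now|last chance|urgent)\b", re.I)

def domain(header_value):
    """Lower-cased domain of an address header, or '' if the header is absent."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()

def phishing_indicators(raw):
    """Return a list of warnings for a raw RFC 822 message (empty if none)."""
    msg = message_from_string(raw)
    warnings = []
    from_dom = domain(msg["From"])
    # #3 / #5: reply address, sending server ("via") or bounce address
    # belongs to a different domain than the displayed From.
    for hdr in ("Reply-To", "Sender", "Return-Path"):
        dom = domain(msg.get(hdr))
        if dom and dom != from_dom:
            warnings.append(f"{hdr} domain {dom!r} differs from From domain {from_dom!r}")
    # #2: urgency wording in the subject line.
    subject = msg.get("Subject", "")
    if URGENCY_RE.search(subject):
        warnings.append(f"urgency wording in subject: {subject!r}")
    # #4: visible link text names one host but the href goes to another.
    for href, text in HREF_RE.findall(msg.get_payload()):
        href_host = urlparse(href).hostname or ""
        text_host = urlparse(text.strip()).hostname or ""
        if text_host and text_host != href_host:
            warnings.append(f"link text shows {text_host!r} but href goes to {href_host!r}")
    return warnings
```

Running `phishing_indicators(SUSPICIOUS)` yields four warnings; a message whose headers agree and whose links go where they say yields none.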
I will keep updating this post with any new methods of online scamming. If you feel that this post is missing any vital information that would help others avoid being scammed, please add a comment in the comment box below.
Finally, here’s a funny video by James Veitch showing what happens when a scammer meets a prankster.