An excellent article on phishing scams from HP Small & Medium Business

You’ve just received an email from the bank, telling you that there was an error in your favour in your last bank statement, and that you should “click here” to claim what’s owing to you.

Fantastic news! Isn’t it?

No: you’re about to become a victim of a type of cybercrime called “phishing”.

Baiting the hook

First given the name in 1996, “phishing” describes a scam which is designed to trick you into giving away your online passwords. The hook is often an e-mail from an apparently trustworthy source, with a link to a website that looks exactly like one you are familiar with. There you’ll be asked to provide details which would enable scammers to obtain money, take out credit card loans in your name or commit other crimes. And as soon as you’ve clicked on the link or opened the attachment, you’ve exposed yourself to computer viruses that can detect your keystrokes when you log on to your accounts.

Phishers are always coming up with new ways to target people or organisations; with smartphones and the use of social media on the rise, opportunities are ever greater for these attacks. “Vishers” (voice phishing) try to obtain information by phone; “smishers” send text messages (SMS); and spear phishers target corporate employees. All of them want to take your money; all are committing criminal acts.

Typical scams

  • An email comes from your bank, claiming to have found an error in your favour. “Click here to claim your money!”
  • Someone from the bank phones because a large amount has been deducted from your account. “Before we can check it, I need a few details from you.”
  • Your friend, or a work colleague, tells you in an e-mail that they’ve discovered a brilliant scheme to get rich. “Click on the attachment!”
  • A message comes from a famous online auction website, asking you to confirm account details. “Click here.”

These are all typical scams; people become victims every day.

Play safe

So remember these three rules:

1. Check the URL.
If an email comes from your bank, look carefully at the URL.

First comes http:// or https://

Next comes the host name, for example xxbank.com

But check it carefully! Scammers often include your bank’s name in front of their own website name. For example, if your bank’s address is xxbank.com, a scammer called badbank.com might use xxbank.badbank.com, or even xxbank.com.badbank.com. They own the website “badbank.com”, so they can put whatever they want in front of it.

Something else to watch out for: sometimes, scammers insert hyperlinks to their own websites, hidden behind innocent-looking text. For example, the hyperlinked text says http://www.xxbank.com, but the actual hyperlink goes to http://www.badbank.com. Again, the only sensible thing to do is NOT TO CLICK. Banks and other financial institutions do not send e-mails about important issues.

2. Don’t trust strange emails or phone calls.

Remember that banks, credit card issuers and similar institutions would never e-mail or phone customers with important information; they would send a letter. So no matter how pleasant or convincing the “bank employee” on the phone is, end the conversation quickly without giving any information. If you aren’t sure whether an e-mail or phone call is genuine, phone your bank yourself or write them a letter.

3. Use up-to-date software.
The best thing you can do: install the latest software to protect your computer from malware (malicious software).

Is it too late?

  • If you have already revealed bank account or credit card information, report your suspicions immediately to the bank or credit card issuer, and then preferably cancel your account and open a new one. Whether or not you are liable to pay what is owed on your account depends on how quickly the theft is reported and also on the laws in the country you live in.
  • If someone else is using your online auction website account, contact the auction house, where there is a link for “hijacked accounts”. They will probably suspend your account while they investigate.
  • If you’ve downloaded a virus, install anti-virus and personal firewall software, update all virus definitions, run a full scan and confirm every connection your firewall allows. Change all your passwords and check all your online accounts, especially bank accounts, auction website accounts, email, online trading accounts and anything else for which you have an online password.

Once you’ve got your anti-virus software and personal firewall installed, you should be safe – but it’s still wise to remember what they told you when you were a child: “Don’t talk to strangers.” At least, don’t tell them your passwords.