Phishing - the simple scam that will never die
These phishing scams are as old as the internet, yet people still fall for them every day.
The wonder of the internet is that sending hundreds of thousands, if not millions, of messages – spamming – is so cheap that it provides scam merchants with the biggest bang for the few cents they spend.
The second wonder of the internet is why anyone takes any notice of what they must know by now is obvious nonsense. Why does anyone fall for tricks which are so old they have been around the block time after time? Especially when they have been the subject of warnings online, on television, in newspapers and magazines, in mailings from financial companies and just about anywhere else you can think of.
And the third wonder is the huge amount a fraudster can make if only one in 100,000 responds.
So I write this with an air of “I know I should not have to write about this for the millionth time but if someone is doing this then it is likely there will be a victim, possibly for big money.”
Phishing - the scam that won't die
The “This” is phishing - attempts by scamsters to get hold of your personal details by pretending to be your bank and claiming a security breach. Of course, they have no idea where you might bank. As a result lots of people are told that someone has their secret passwords with Barclays or Lloyds or whatever and they must contact the bank immediately or their account will be frozen or lost, even though they have never dealt with the banks in question. It's been around for years so surely everyone is aware and no one bothers to phish any more?
Wrong. This week, I received an email headed “Errors were detected on your account (Fix Now)”. And it came from PayPal. Or at least that is what it said – the sender was “firstname.lastname@example.org” but don't try it at home because it has nothing to do with the real PayPal.
from: email@example.com <firstname.lastname@example.org>
Subject: Errors Were Detected On Your Account (fix now)
Date: Tue, 12 Feb 2013 05:04:16 -0500
Dear Valued Customer,
PayPal security team is sending you this notification message because we seem to be having errors in the proper verification of your account. This might be due to one of the following reasons:
*A recent Change in your Account Details
*An Internal error within our servers
CLICK HERE to rectify these Errors.
PayPal Online Security Team.
So I clicked on the link to rectify these Errors – although I could do nothing about the errors in the grammar and erroneous use of capitals in the message itself.
But whatever the errors were, all I got was a form to fill in. And guess what? They want to know just about everything about me other than my great-grandfather's birthplace (which I don't know anyway).
Had I filled it in, I would have handed over my credit card details - including that three figure code on the back - so they could have spent whatever they could get away with. Credit card companies are much better these days at spotting unusual transactions – so a big purchase of something easy to sell (such as high street store vouchers) or easy to cash in (such as some airline tickets) gets picked up.
But such protection is never guaranteed – nothing can be 100% secure.
Playing the odds
This is phishing. PayPal says it would never communicate in this way but at first glance it looks convincing. Now I don't have an account with PayPal. As far as possible I do not send many payments through it – I think the last time was about three or four years ago. I find it easier to pay with my credit or debit card directly.
But the phishers are more likely to catch the unwary with PayPal than by using HSBC or NatWest. It's a simple question of odds. More people online have or have previously had some relationship with PayPal than with HSBC or NatWest or any other high street bank. In any case, the banks are really fast at removing phishing sites.
There's another organisation that is even more prominent than PayPal and far more in our minds especially at this time of year. So expect a number of emails claiming to be from HMRC offering a tax rebate (usually around £280) in return for financial details to its “secure” site.
This seasonal activity is based on the recent 31st January deadline for tax returns, the end of the tax year on 5th April, and the interest in tax from next month's Budget.
Phishing folk seem stupid if you spot them – and yes, to forestall comments, I know it is obvious. But they will convince someone, maybe a vulnerable person, and they will get some money from this. So warn those you know both about the false PayPal and those phoney HMRC emails that will come. HMRC has a warning about this on its website – but the problem with all such alerts is that you have to find them before the scam merchants find you.
Thousands are still caught each month, their identities stolen and their accounts (plus credit cards) cleaned out.