Phishing - the simple scam that will never die

by Lovemoney Staff Tony Levene on 16 February 2013

These phishing scams are as old as the internet, yet people still fall for them every day.

The wonder of the internet is that sending hundreds of thousands, if not millions, of messages – spamming – is so cheap that it provides scam merchants with the biggest bang for the few cents they spend.

The second wonder of the internet is why anyone takes any notice of what they must know by now is obvious nonsense. Why does anyone fall for tricks which are so old they have been around the block time after time? Especially when they have been the subject of warnings online, on television, in newspapers and magazines, in mailings from financial companies and just about anywhere else you can think of.

And the third wonder is the huge amount a fraudster can make if only one in 100,000 responds.

So I write this with an air of “I know I should not have to write about this for the millionth time but if someone is doing this then it is likely there will be a victim, possibly for big money.”

Phishing - the scam that won't die

The “This” is phishing - attempts by scamsters to get hold of your personal details by pretending to be your bank and claiming a security breach. Of course, they have no idea where you might bank. As a result lots of people are told that someone has their secret passwords with Barclays or Lloyds or whatever and they must contact the bank immediately or their account will be frozen or lost, even though they have never dealt with the banks in question. It's been around for years so surely everyone is aware and no one bothers to phish any more?

Wrong. This week, I received an email headed “Errors were detected on your account (Fix Now)”. And it came from PayPal. Or at least that is what it said – the sender was “service@paypal.co.uk” but don't try it at home because it has nothing to do with the real PayPal.

It read:

from: service@paypal.co.uk <service@paypal.co.uk>

Subject: Errors Were Detected On Your Account (fix now)
Date: Tue, 12 Feb 2013 05:04:16 -0500
Reply-To:

Dear Valued Customer,

PayPal security team is sending you this notification message because we seem to be having errors in the proper verification of your account. This might be due to one of the following reasons:

*A recent Change in your Account Details
*An Internal error within our servers

CLICK HERE to rectify these Errors.

Regards,
PayPal Online Security Team.

So I clicked on the link to rectify these Errors – although I could do nothing about the errors in the grammar and erroneous use of capitals in the message itself.

But whatever the errors were, all I got was a form to fill in.  And guess what?  They want to know just about everything about me other than my great-grandfather's birthplace (which I don't know anyway).

Had I filled it in, I would have handed over my credit card details - including that three figure code on the back - so they could have spent whatever they could get away with. Credit card companies are much better these days at spotting unusual transactions – so a big purchase of something easy to sell (such as high street store vouchers) or easy to cash in (such as some airline tickets) gets picked up. 

But such protection is never guaranteed – nothing can be 100% secure.

Playing the odds

This is phishing.  PayPal says it would never communicate in this way but at first glance it looks convincing.  Now I don't have an account with PayPal. As far as possible I do not send many payments  through it – I think the last time was about three or four years ago. I find it easier to pay with my credit or debit card directly.

But the phishers are more likely to catch the unwary with PayPal than by using HSBC or NatWest. It's a simple question of odds. More people online have or have previously had some relationship with PayPal than with HSBC or NatWest or any other high street bank. In any case, the banks are really fast at removing phishing sites.

There's another organisation that is even more prominent than PayPal and far more in our minds especially at this time of year. So expect a number of emails claiming to be from HMRC offering a tax rebate (usually around £280) in return for financial details to its “secure” site.

This seasonal activity is based on the recent 31st January deadline for tax returns, the end of the tax year on 5th April, and the interest in tax from next month's Budget.

Phishing folk seem stupid if you spot them – and yes, to forestall comments, I know it is obvious. But they will convince someone, maybe a vulnerable person, and they will get some money from this. So warn those you know both about the false PayPal and those phoney HMRC emails that will come. HMRC has a warning about this on its website – but the problem with all such alerts is that you have to find them before the scam merchants find you.

Thousands are still caught each month, their identities stolen and their accounts (plus credit cards) cleaned out.

Comments (11)

  • ambahall said

    Dear Tony

    Sorry to be pedantic about this very good article but as a travel agent who regularly sells air tickets I have to correct you on something......."or easy to cash in (such as some airline tickets)". This is not exactly true. All air tickets are refunded (if refundable) to the original form of payment whether that is an agency or a credit/debit card. Only air tickets issued for cash are refundable "over the counter" - and it would be difficult even then as only the airline can refund - so you have to go to the airline's own outlet and there are not many of them except at airports. What scamsters CAN do, of course, is sell airline tickets, issued against stolen card details, which other people can travel on - and take THEIR money. Comes to the same thing, of course!

    16 February 2013
  • Ginnymay said

    Interesting about the airline tickets. Seems an odd thing to buy with phished details, as the airlines seem to want the passenger details correct in all ways including spelling. Plus if this had been spotted, and the purchaser or 3rd party went on to travel instead of cashing in, security could/would be waiting at check-in. Heathrow has its own police station. I've been trying to think of easier refunds - rail companies, maybe?

    16 February 2013
  • fourbees said

    There is another clever scam that was tried unsuccessfully on me - we run 2 rental properties attached to our house and we received an enquiry for a let for 3 1/2 months - someone who worked overseas and wanted to spend his holidays with his family. We gave him the price, and he wrote back accepting and then asked for our IBAN number - we gave him the one we use for this and which the account is always very low. He then emailed me with attachments of: International Money transfer order made out to us with an extra 1000 euros, Plus an 'official' document from the Finance Bureau in Mali,signed and stamped saying that the transfer of this money could not be allowed as there was a deposit to be made and giving us the details of where to send the money. We did not fall for it but it was SO well done, all the attachments looked bona fide and they contacted us through an official letting site that it is easy to see someone thinking that the money had been transferred and it was only to send back the deposit.

    16 February 2013
  • oliverw said

    If the phishing nature of the email wasn't already clear from the "Subject:" (Errors Were Detected On Your Account) that should instantly sound a loud warning, the fact that the body of the email begins "Dear Valued Customer" should be a dead giveaway. They know it's you (because it's your account on which the alleged errors occurred), but they don't mention your name in the email? What kind of person falls for that trick? As Tony writes, if 99,999 people know it's a phish and then just 1 falls for it, the fraudster has his reward.

    Also beware of emails (I receive about 3 per month) that appear to confirm a booking for a flight, hotel or other purchase that you didn't make and ask you to look at the attachment. It's usually about 50 kB to 70 kB in size and it contains malware (virus or trojan etc.). I have looked at a few such attachments (I know how to do this safely) and my "avg" antivirus confirmed what I already knew. Example: yesterday I received an email allegedly from accounts@cavendish-hotel.net with subject "Peacock Hotel (Baslow) Ltd payslip". Its attachment was named Payslip-Sage-50-Payroll.zip and in fact contained a virus called FakeAlert.

    16 February 2013
  • MartinW said

    The scam messages supposedly from Paypal which I have received are from servica@paypal..., which is very easy to confuse with service@... if you don't read it very carefully.

    16 February 2013
  • electricblue said

    The email won't be from a genuine Paypal server. If there was a spelling mistake as servica@ or whatever, it has no bearing on the forged sender. Just look on 'view original' or 'view source' in the email and you'll recognise absurd web addresses which could not possibly be related to a genuine email.

    16 February 2013
  • Steviebaby1959 said

    All very interesting, however, I had an e-mail recently with erroneous grammar and deplorable spelling which turned out to be completely legitimate from a business manager, it makes you laugh at the current education system in this country.

    17 February 2013
  • finnol49 said

    I have just emptied my spam folder; I found 11 messages purporting to come from PayPal. Most were the type with PPid headings, but some were the more popular "You have changed your email address to xxxxxx, please login (so we can rip you off).

    17 February 2013
  • CuNNaXXa said

    Some of these spoof emails look genuine because they spoof the header to look like they have come from the genuine organisation, yet will contain a link that redirects you to a lookalike page.

    For example, you might click on a link that contains the hypertext link similar to, http://lloydstsb.dummydomain.com.

    I have installed on my system Norton 360 Premier Edition which will intercept bogus web pages and display a message that this is a possible scam page. I have tried it numerous times with the plethora of email scam links, and it has blocked every single one.

    The very basics of protection is to have the right software, which should include a virus checker and spyware/malware protection. With this basic protection, you are halfway there.

    Ironically, there are millions of computers (and laptops) around the world that have absolutely no protection whatsoever. In fact, many of those systems have already been compromised and help form botnets that are used to create a Denial of Service attack that individuals use to bring down corporate sites, such as Visa.

    Computers are a brilliant tool, and can be used to do a lot of good, but like any tool, they can also cause havoc.

    18 February 2013
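The checks the commenters above describe by hand (reading the message source, and seeing that a link like lloydstsb.dummydomain.com belongs to dummydomain.com) can be automated. The following is an added example, not part of the article or any comment; the sample message, the finding codes and the short suffix table standing in for the Public Suffix List are assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

# Assumption: tiny stand-in for the Public Suffix List, enough for the sample.
TWO_LABEL_SUFFIXES = {"co.uk", "org.uk", "gov.uk"}

def registrable_domain(host):
    """Domain someone had to register, e.g. a.b.example.co.uk -> example.co.uk."""
    labels = host.lower().rstrip(".").split(".")
    keep = 3 if ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES else 2
    return ".".join(labels[-keep:])

def check_message(raw):
    """Return (code, detail) findings for one plain-text message."""
    msg = message_from_string(raw)
    claimed = registrable_domain(parseaddr(msg.get("From", ""))[1].rpartition("@")[2])
    brand = claimed.split(".")[0]
    body = msg.get_payload()
    findings = []
    for url in re.findall(r"https?://[^\s<>\"']+", body):
        host = (urlsplit(url).hostname or "").lower()
        actual = registrable_domain(host)
        if actual == claimed:
            continue
        findings.append(("link-off-domain", f"{host} belongs to {actual}, not {claimed}"))
        # Brand name used as a subdomain label of an unrelated domain.
        if brand in host[: -len(actual)].split("."):
            findings.append(("brand-in-subdomain", host))
    if re.search(r"^dear (valued )?(customer|user|member)\b", body, re.I | re.M):
        findings.append(("generic-greeting", "no account holder name"))
    return findings

# Constructed sample, modelled on the email and the link pattern quoted on this page.
SAMPLE = """\
From: service@paypal.co.uk
Subject: Errors Were Detected On Your Account (fix now)

Dear Valued Customer,

CLICK HERE http://paypal.dummydomain.com/verify to rectify these Errors.
Help pages: https://www.paypal.co.uk/help
"""

if __name__ == "__main__":
    for code, detail in check_message(SAMPLE):
        print(code, "-", detail)
```

The From header is only what the message claims, so a clean result says nothing about who sent it; the value of the check is in catching links that leave the claimed domain.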
  • catswin said

    In recent months I have received several PayPal Statements. This is something I have never received in the past despite the fact that I have had a paypal account for many years. There is also a link to click. Each one of these I have forwarded to spoof@paypal but have had no response.

    Are they now sending statements? and if so why on earth do they have a "link" to follow when we are so often told, never follow link - always log in directly.

    I still don't know if these are spam, but still treat them as such, as I never remember signing up to receive this information and don't remember ever being told about this "service" which I can well do without.

    In the past I have always forwarded dodgy looking emails and always got a response, together with the obligatory advice (which is probably not needed as I sent it in the first place - preaching to the converted eh?). But no response whatsoever to these forwarded paypal ones.

    23 February 2013
  • naterbox said

    Any communication from Paypal will always address you by name. I always forward spam emails from paypal to spoof@paypal.com They send an automated reply confirming that it's not from them, and that's the last I hear about it. All organisations say they're concerned about phishing, and ask that all examples be forwarded to them for investigation. I have over 2 pages of email addresses I use to report phishing, and hope that my efforts have stopped at least some of these criminals in their tracks, but I'll never know for sure. Most organisations don't send an automated reply to say the email has been received.

    I'll willingly pass my list on if anyone is as concerned as I am about helping to prevent innocent people being duped.

    23 February 2013
