"Phishing" E-Mail Scams:
Have you ever heard the term 'phishing' used in relation to computer scams? Years ago, I think it was the second day I had an account with AOL, a message popped up on the screen stating there was a problem with my account and AOL needed to verify my credit card information. All I needed to do was enter the card information in the convenient little message box and all would be well with the account. Even back then the process of trying to gather personal information by unauthorized means was known as phishing.
Being a suspicious person by nature, I didn't bite in spite of the dire warnings that my account would be suspended or cancelled, but I wonder how many did take the bait and send off the requested information. Phishing has been going on for years. Only the level of sophistication and the methods employed have changed. Because e-mail has become so popular it only stands to reason it would become a popular vehicle for phishers to deliver their scams. If you're online and have an e-mail address you can be targeted by phishers. The scam e-mails are spammed to millions of users in the hope that users with an account at the targeted organizations will respond. The question is, how do you recognize when you're the target of a phishing expedition, and what steps do you take to avoid being taken in by the scams?
There's no doubt the sophistication level of scams has increased over the years, but truthfully, your best defense against phishing predators is your own common sense. Think about what you're reading, what you're doing, and what's being asked of you. As hard as it may be to believe, I know users who have actually been duped into supplying their personal information to fake sites impersonating legitimate businesses where the user doesn't even have an account. Some of the fake sites are that authentic and realistic in appearance.
It must be serendipity. While I was typing this article, I'd taken a break to get some coffee and go check the mail. While I was wandering around outside I was thinking I needed a phisher e-mail for the article but was pretty sure I hadn't saved any of the dozen or so I receive every week. Sure enough, I come back inside and what was sitting in the inbox but a brand spanking new phisher ploy just itching to be in this article. Here's the e-mail someone received. Obviously, the slightly sarcastic comments (originally in italics, following each paragraph of the e-mail) are theirs.
Dear U.S. Bank account holder,
First of all, until I did a quick Google search I had no idea if US Bank was even a real entity, but one thing I do know is that I don't have any accounts with them. And even if I did have an account with them I'd expect them to know my real name and account number and include it in the heading of the letter.
We regret to inform you, that we had to block your U.S. Bank account because we have been notified that your account may have been compromised by outside parties.
The 'regret' word. That's always a sign of bad news. Before I even have a chance to read the letter I know this isn't going to make me happy.
Our terms and conditions you agreed to state that your account must always be under your control or those you designate at all times. We have noticed some activity related to your account that indicates that other parties may have access and or control of your information in your account.
Here's the setup. Let's make it perfectly clear that if anything bad has happened it's your fault, because you violated the 'terms and conditions' you agreed to when the account was opened.
These parties have in the past been involved with money laundering, illegal drugs, terrorism and various Federal Title 18 violations.
What a tidy little laundry list of crimes. Not only does the author of the letter know who these criminals are, but now I've been lumped into the same group. Woe is me; how am I ever going to disassociate myself from these criminals, prove that I'm a law-abiding citizen, and regain access to my accounts? The mention of Title 18 violations is a nice touch. Even if you aren't aware that Title 18 (the federal criminal code) covers conspiracy, racketeering, counterfeiting, and a number of types of fraud, it still sounds like something you'd rather not be associated with.
In order that you may access your account we must verify your identity by clicking on the link below.
Thank goodness, there is a way I can solve this problem and it's as simple as clicking on a link.
Please be aware that until we can verify your identity no further access to your account will be allowed and we will have no other liability for your account or any transactions that may have occurred as a result of your failure to reactivate your account as instructed below.
Wait - wait, I'm clicking right now. I'm a slow typist. Please, I'll tell you anything you want to know - just don't deny me access to the account.
Thank you for your time and consideration in this matter.
Damn, you'd think a letter as important as this one would have a name and a phone number so I could contact them directly if there was a problem with the hyperlink.
https://www.usbank.com/account_verify/cgi/index.htm (This is the link text as it appeared in the e-mail. See the example at the end of the article for where it really pointed.)
Before you reactivate your account, all payments have been frozen, and you will not be able to use your account in any way until we have verified your identity.
One final little jab with the word 'frozen' to get you clicking on that link just in case there was any doubt in your mind that this might be a phisher scam.
Compared to some of the phisher e-mails I've received this one scrapes the bottom of the barrel. It's pretty much old school thinking in that it tries to use scare tactics to motivate the recipient and is missing many of the touches that add a sense of legitimacy to more modern scam e-mails. If you've seen any of the e-mails that make heavy use of graphics, formatting, and logos you're aware of how realistic they can appear. They accurately duplicate the format that companies use to send legitimate e-mail and can easily fool even the trained eye into thinking they originated from a legitimate source.
What can you do to protect yourself against phishing and other scam e-mails? Again, use common sense and follow these suggestions.
Be suspicious. The days of innocence on the internet are over. Just because the e-mail says it's from [insert company name] and has all the official looking logos and graphics, it isn't necessarily so. I've been at this a long time and can honestly say, with one exception, I've never received an e-mail from a legitimate organization that wanted to update my personal information. The one exception I mentioned was a newsletter from one of the major internet publishers threatening to cancel my no cost subscription if I didn't update my personal information. I saved them the trouble and cancelled it myself.
What do you do if you think the e-mail might be legitimate? Look and see who the e-mail is from, or at least who the address claims it's from. In the example e-mail I used above, it was so poorly done that the sender's e-mail address was actually a Yahoo address. Here comes the common sense thing again. Do you really think a legitimate organization entrusted with your personal information would use a Yahoo, Hotmail, or other throwaway type e-mail address?
However, just because the e-mail address looks like it's genuine that doesn't mean it is legitimate. It's a simple matter to 'spoof' an e-mail address so it appears to come from one place when in reality it's as fake as [deleted plastic surgery body enhancement reference].
Understand that in spite of all the work that goes into making a phishing e-mail look realistic, its sole purpose is to separate you from personal information that can be used to steal your identity, bank accounts, credit cards and whatever else a thief covets. That is done by enticing you to click a hyperlink within the body of the e-mail that takes you to a fraudulent website where the information is collected. The solution is simple -- don't click. Delete the e-mail.
If it was that easy the phishers would be out of business, but human nature being what it is, there are going to be those that go ahead and click the hyperlinks anyway, or at least those users that will be tempted to click just to see what happens. Rest assured that whatever happens it's not going to be in your best interest.
Using the hyperlink from the example e-mail above, https://www.usbank.com/account_verify/cgi/index.htm, it seems pretty straightforward that you'll be taken to a web page on the bank's site. That isn't the case. Although I've deactivated the hyperlink for this article, if it were a working link and you hovered the mouse over it you could see that the real address behind the link is http://www.usbank.com%01@bos.es.kr/index.htm.
Even though the second address starts out the same way as the one in the e-mail, the text before the '@' is not the host at all. In a URL of the form http://user@host/, everything before the '@' is treated as a user name, so the browser actually connects to bos.es.kr, and the 'www.usbank.com%01' part is nothing more than a bogus login name. The '%01' is a URL-encoded control character: vulnerable versions of Internet Explorer stopped displaying the address at that point, so the address bar showed only www.usbank.com while the page was really being served from bos.es.kr. This is a known flaw in Internet Explorer that, as of this writing, Microsoft has not addressed. I suggest you read Microsoft Knowledge Base article 833786, 'Steps that you can take to help identify and to help protect yourself from deceptive (spoofed) Web sites and malicious hyperlinks', for a full explanation. I have no idea why this issue hasn't been addressed by Microsoft, but given the severity of the consequences I think it's past time for some action.
Thanks CJI Computers.
