One Wrong Click - Mary Beth Guard
by Mary Beth Guard, BOL Guru
My personal scale for rating the scariness of scams ranges from "There's no way I would ever fall for that one" to "Man! I could easily have been tricked by this." A phony email I received this weekend ranked high on the "Coulda Caught Me" scale. It illustrates the sad truth that scammers are getting smarter and slicker, and that means the likelihood of your customers falling prey to their tricks grows higher every day. Much has changed since the early days when phishers could barely string together a coherent sentence and their emails were chock full of misspelled words.
Financial institutions and e-commerce companies must be proactive in order to retain the ability to effectively use email to have legitimate contact with their customers, while empowering their customers to spot counterfeit communications. This weekend's phishing email provides a great example of how that can be accomplished.
Here's what PayPal has on its Web site. (Annotations in red are ours.)
Here is the phishing email I received.
With the guidance provided on the PayPal Web site, it was easy to see this was a fake, so I didn't click the link. I did, however, forward the email to firstname.lastname@example.org. In return, I received an email confirming the first message was bogus, and telling me other steps I might need to take.
Even customers who may be too smart to actually type in personal information are at risk. According to an article published June 26, 2004 in The Washington Post, "A new Internet virus has surfaced that allows hackers to steal passwords, credit card numbers and other personal information when someone merely visits an infected Web site..." One wrong click. That's all it takes. Whether your customers make that click or not may depend upon how well you inform them about how to tell the difference between legitimate emails and fakes.
What Web site are you really on?
by Andy Zavoina
Knowing what website you are going to can be vital, but checking each one by hand would be cumbersome and would drastically slow your productivity. One way to defend yourself is with SpoofStick, a free download from http://www.corestreet.com. In Internet Explorer and Mozilla Firefox, it adds another line to your toolbar that tells you what site you are on. In the example below, it added the text "You're on paypal.com". This helps confirm that you are at a valid address and not on the hook of some phisherman. It will not protect you 100%. If you swim with the sharks, keep your eyes open and ask yourself, does that worm look like a free lunch?
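The check a "You're on ..." toolbar line performs can be sketched in a few lines of JavaScript. This is an added example, not code from the article or from CoreStreet, and it does not claim to be how SpoofStick is implemented; the function name `whereAmI` and the sample links are constructed for illustration.

```javascript
// Added example: report the site a link really leads to and whether it
// belongs to the domain the reader expects (hypothetical helper name).
function whereAmI(href, expectedDomain) {
  let url;
  try {
    url = new URL(href);
  } catch (e) {
    return { host: null, banner: "Not a valid web address", trusted: false };
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") {
    return { host: null, banner: "Not a web page link", trusted: false };
  }
  // The URL parser separates any "name@" prefix from the host and
  // lower-cases the name, so hostname is the machine actually contacted.
  const host = url.hostname.replace(/\.$/, "");
  const want = expectedDomain.toLowerCase();
  // Trusted only when the host IS the expected domain or a subdomain of it.
  // A host that merely contains the brand name somewhere does not count.
  const trusted = host === want || host.endsWith("." + want);
  const banner = "You're on " + (trusted ? want : host);
  return { host, banner, trusted };
}

// Constructed sample links (example.net and 192.0.2.10 are reserved
// documentation addresses, not real sites).
const SAMPLE_LINKS = [
  "https://www.PayPal.com/us/home",           // genuine site
  "http://paypal.com.example.net/login",      // brand used as a subdomain label
  "http://www.paypal.com@192.0.2.10/update",  // brand placed before the "@"
];

for (const link of SAMPLE_LINKS) {
  const result = whereAmI(link, "paypal.com");
  console.log(link, "->", result.banner, result.trusted ? "" : "(NOT paypal.com)");
}
```

Only the first link produces "You're on paypal.com"; the other two mention the name in the address but resolve to a different host, which is the mismatch the toolbar line is meant to make visible.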
RELATED LINKS to Help Make Sure Your Institution Is Up To Speed on Phishing
- Could Someone Successfully "Phish" for Your Customers?
- BOL Guru Hussam Al-Abed's PowerPoint Presentation on Phishing (right click, choose "Save target as", then open the saved file in PowerPoint)
- Secure Pipe Comments on a Prior Aggressive Phishing Attack
- Phishing Scams on the Rise
- Email from IRS? Nope, Just More Phishing
- Phishing Around the Globe
- FTC Consumer Publication on Phishing
- FDIC FIL-26-2004 on Safeguarding Customers Against Phishing
- FDIC Consumer News on Phishing
- OCC ALERT 2003-11 on Phishing
First published on BankersOnline.com 05/03/04