Scammers love to use current events to dupe consumers, and today’s ongoing financial turmoil offers the perfect opportunity for one of the most popular forms of fraud — phishing.
A phishing scam typically uses a phony e-mail to collect your personal or financial information under false pretenses. Its recent growth prompted the Federal Trade Commission to issue a warning in October that electronic thieves may be using Wall Street’s woes for their Internet trickery.
“We’ve become aware of various phishing ploys preying upon consumers who may be financially vulnerable and looking for solutions,” FTC spokesman Frank Dorman wrote in an e-mail.
Phishing attacks increased 16 percent from August to September and surged 103 percent from September to October, according to Web security vendor MessageLabs. Bank consolidations have provided the back stories for some of those phishing messages.
When Citigroup announced plans to buy Wachovia’s banking operations, scam e-mails urged people to click on a link and update their data because of the merger, says Paul Wood, a senior analyst with MessageLabs, which is now part of Cupertino, Calif.-based Symantec. He said copycat e-mails emerged when talks of a Wachovia-Wells Fargo merger later commenced.
Wood says his company also has noticed a rise in financial spam, including messages relating to mortgages, debt consolidation and credit counseling.
“They’re really capitalizing on the uncertainty at this time,” Wood says. “Particularly anyone who may be concerned or perhaps feeling vulnerable or anxious may be inclined to fall for these types of attacks.”
Anatomy of a phish
With phishing, the e-mail sender poses as a legitimate business or institution, such as a bank, and transmits e-mails to large numbers of people, directing them to a Web site where they are asked for personal and financial information.
Even though the technique is often associated with the Internet and e-mail, phishing scams can occur over other mediums, including snail mail, the telephone and phony Web sites, as well as instant messaging and pop-up boxes on your computer. The messages will vary, but will usually use a reward or a threat to entice you to respond.
It may ask you to verify or update your account information or log in to resolve a problem. It also may ask you to take a survey in exchange for a small payment. Check out the Bankrate story “Scammers still phishing” for a few examples.
Thanks to rumors and news stories about bank consolidations, scammers have plenty of fodder for content.
“You’ll see more of these phishing attacks saying, ‘Hey, you might have read about the bank buyout, or the consolidation or the merger. Click here so we can reauthorize your accounts,’” says Peter Cassidy, secretary general of the Anti-Phishing Working Group, an industry association that fights Internet crime.
Phishing e-mails aren’t always easy to identify. Watch out for these red flags.
Fraudulent messages usually have an urgent tone and may threaten dire consequences — usually account closure or suspension, or monetary loss — if you don’t click on the link. Don’t be fooled. The link will redirect your browser to a fraudulent Web site where any information you provide will go straight to criminals.
Sometimes, clicking on a link will activate malicious software such as programs that log your keystrokes and send them to computer crooks.
Phishing done over the phone is called vishing, for voice phishing. In this version of the scheme, fraudsters use Voice over Internet Protocol (VoIP) technology, which allows users to choose any area code when making a call. It can be used to spoof business phone numbers while masking the thief’s real phone number.
In a vishing scam, consumers get phone calls that appear to be from legitimate companies. The consumer is given an alarming message and then prompted to provide personal or financial information to resolve the issue. These calls can be live or automated.
Alternatively, an e-mail message might direct you to call a phone number.
Regardless of the method, the scammer desires your information, either to commit fraud with it or to sell it to a third party.
To personalize the message, Wood says, some scammers may use information culled from the Internet. For instance, they might grab your name from an online profile or social networking site such as MySpace or Facebook.
Use bookmarked log-in pages or type the Web address into your browser. If you click through an e-mail or copy and paste the link, you risk surrendering your username and password to a thief.
Links in instant messages can contain viruses, so use caution if a stranger sends you a link. If a friend sends you a strange link, reply and ask why it was sent.
When in doubt, hang up. Call the business using a verified number from a payment card or monthly statement, and not the number on the Caller ID or the one provided by the caller. You can feel safe about supplying sensitive information when you’re the one initiating the call.