Spotting a Phisher
The October 7 FBI arrest of 33 people for phishing, (the criminally fraudulent process of attempting to acquire sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy entity in an electronic communication, per Wikipedia) has caused web design companies and users to become more conscientious about the possibility of their email accounts and websites being hacked (accessed without authorization). Once your email is hacked, there can be a domino effect that will impact other areas of your online “life”.
The fact is, many people use the same password or variations on a password for all or most of their online accounts like social networks, banks, IMs, etc. This makes a phisher’s work a whole lot easier; it’s like giving him/her the master key to your front door and all of your safes and vaults.
In the arrest of the largest group of suspects in a cybercrime case (“Operation Phish Phry”), the FBI targeted at least 100 people. According to the FBI, Egyptian authorities have charged at least 47 unindicted co-conspirators there in relation to the scam, which took place from January 2007 through September. Here’s how it worked: Per a 51-count indictment returned last week by a federal grand jury in Los Angeles, the defendants in Egypt used e-mails to entice Wells Fargo and Bank of America customers to visit counterfeit bank websites that had been set up to steal victims’ usernames and passwords. The Egyptian defendants then drained funds from the victims’ accounts into new accounts at both institutions that had been opened by the U.S.-based defendants. Slick, huh?
An FBI spokeswoman said they believe the faction tricked several thousand people into giving out their online banking information. In all, they are accused of transferring more than $1.5 million to the fake accounts. But she also said that not all of that money was withdrawn, because the banks ultimately cooperated with authorities to identify which accounts received fraudulent transfers.
But if a user is even slightly savvy, a fake URL (web address) is easy to spot. Even if you get sucked into the fake website there are clues that make it obvious that you are not where you’re supposed to be. Fake-website developers tend to be transparent in their rush to start raking in the cash, and their sites are not inclined to look as professional as those that are designed by “real” website developers. Some are downright sloppy. In addition, they will let you into their website no matter what you enter into the username and password fields (how would they know if they’re real or not?). This is clue #1. And if you actually need another clue, they soon ask for your personal information (bank account number, PIN, credit card number, etc.).
There is one surefire way to determine if a website is what it purports to be: check the source code by right-clicking on the web page and clicking “view page source”. This will reveal the actual origin of the page. Also check the port number against the one on the true website.
Just keep in mind that websites that store your account numbers, PINs, and other personal or financial information do NOT send out solicitations requiring you to enter them—they already have them. When in doubt, call the institution and ask if they are aware of any emails going out like the one you received. Better safe than sorry.