Phishing Scams
This summary from Windows XP news seemed worth repeating:
Phishing comprises a broad category of fraudulent activity, the objective of which is to obtain your personal information, account information, passwords and other sensitive information to use it for illegal purposes. Those purposes can range from merely embarrassing you by posting something inflammatory, offensive or inaccurate under your name on your social networking site to wiping out your bank accounts and destroying your credit record. With the right information and the highest degree of malevolence, a phisher might even be able to get you arrested by committing crimes using your identity.
In an age of electronic communications and a world where so many people who don't know each other are connected to one another through the Internet, there are many different ways to steal information. For example, a hacker can use an operating system or application exploit to gain access to a computer and download files that contain the info, or install a key logger that will record usernames, account numbers and passwords you type in and send it back to him. But the easiest way is to let the victim do most of the work for him.
The techniques used for that are called social engineering, and most phishing expeditions are a type of social engineering technique. Whereas the example above would be analogous to a burglar breaking and entering a home to steal valuables, social engineering is more like a con man tricking the victim into inviting him in and giving him the valuables - perhaps by claiming he's a police officer and is going to take them to the police station to mark them with your driver's license so they can be identified if they're ever stolen. Or maybe he uses intimidation tactics and tells you that your property is suspected to be stolen and you'll go to jail if you don't give it to him so he can "investigate" and verify that it's really yours. But he's not who he claims to be and he's the one who is really the thief.
That's how phishing works. The phisher claims to be someone or something you're likely to trust, and tricks you into revealing the information he wants to use to profit (or, less often, just to hurt you). The term has been around since the late 1980s and became common on America Online (AOL) in the 1990s, when phishers pretending to work for AOL started sending instant messages and email messages asking users to "verify their accounts" by replying with a message containing their passwords and/or their credit card information.
AOL cracked down on phishers years ago, but phishing attempts continue to flourish, and today phishers flood mailboxes with messages in which they pose as bank and credit card company employees, representatives of well-known corporations with whom many people do business (such as Microsoft, Ford, Dell, HP, etc.), IRS agents and other government officials.
Phishing attempts have been on the rise for the last few years. Unique phishing reports reached a record high of 40,621 in August 2009. The number of phishing web sites was even higher, at 56,362. The most targeted industry was, not surprisingly, the financial services industry. The good news, though, is that the number of computers infected with desktop "crimeware" (such as phishing-based keyloggers and other data-stealing malware) dropped somewhat, to just over 11 million. Still, that is a lot of infected systems out there. And although you might think most of the illegal sites are hosted on overseas servers, it turns out that the vast majority are hosted in the U.S. China, Canada, the U.K. and France are also consistently in the top ten. For more about these statistics, see the 3rd Quarter 2009 Phishing Activity Trends Report by the Anti-Phishing Working Group (APWG) at
http://www.wxpnews.com/CN93IL/100209-Phishing-Trends-PDF
On the other hand, China is reported to be the world's largest victim of cyber attacks, including phishing. That makes sense, as they have more potential victims than any other country. Phishing web sites have caused huge economic losses there, and over the last year, the government has begun to crack down harder on these types of crimes.
http://www.wxpnews.com/CN93IL/100209-New-Laws
Phishers can be creative when it comes to ways to profit from their scams. Last week a phishing scheme was reported to have been responsible for the theft of over $4 million USD in carbon emission permits registered with the German Emissions Trading Authority. Over 250,000 of the so-called "carbon credit" certificates were moved out of the accounts of seven different companies.
http://www.wxpnews.com/CN93IL/100209-E-mail-Scam
Many phishers love to prey on their victims' generosity. The recent earthquake in Haiti has spawned a plethora of fake charity solicitation messages and donation web sites, set up to con you into giving your credit card information in the name of doing a good thing. The same thing happened in the wake of Hurricane Katrina, September 11, and other major disasters.
http://www.wxpnews.com/CN93IL/100209-Haiti-Scams
Other phishing scams don't rely on anything as benign as gentle persuasion; they find scare tactics to be more effective. These can range from relatively mild (such as the threat that your credit card will be cut off if you don't respond immediately) to severe (such as the threat that the IRS is about to seize your property and charge you with a criminal offense unless you provide the information they're asking for).
Then there are those that count on your greed. Just yesterday, one of these landed in my mailbox. It was a notification from the "Managing Director of the HSBC Bank, UK," informing me that "the Obama's Foundation and the United Nations" had designated me as a beneficiary of $900,000 USD (why not a cool million?) as compensation for being a scam victim. Oh, the irony. Of course, to claim my money, I would have to fill out a form providing my personal information. Does anybody really fall for this? Apparently some people do.
In the U.S., the official census data is collected every ten years, and 2010 is the year. Expect to see scam emails, requesting that you fill out and return an emailed attachment purporting to be from the census bureau, or containing a link to visit a web site purporting to be an official census site and provide your information there. These fake census forms and sites are likely to ask for information that the real census form doesn't require, such as your social security number, driver's license number, information about your mortgage loan, etc. The real census form asks only ten questions; you can see what they are here:
http://www.wxpnews.com/CN93IL/100209-Census
If you receive a bogus message that uses the census premise in a phishing attempt, report it to the Census Bureau's fraud reporting address. You'll find that here:
http://www.wxpnews.com/CN93IL/100209-Scams
Some phishing messages don't ask you to respond electronically. On the belief that most people are more trusting of someone they talk to on the phone, some phishers provide a phone number for you to call. These are usually Voice over IP (VoIP) numbers, which are portable and make it hard to track the physical location where the phone is. Some of these even use technology that fakes the caller ID information to make it appear that the phone belongs to a legitimate company or government agency.
Popular web browsers now contain anti-phishing mechanisms, but it's important to be sure you have them turned on, and to realize that these technologies can't offer 100% protection against phishing.
However, there has recently been controversy over the 3-D Secure authentication protocol used by Visa and MasterCard to verify the identities of online customers, because it runs counter to most anti-phishing advice. It pops up a box that asks for your password, which makes attacks easier and makes it harder for users to determine whether the site is secure, since the pop-up has no address bar to display the indicators that SSL encryption is being used.
http://www.wxpnews.com/CN93IL/100209-3D-Secure-is-Insecure
Have you ever been the victim of a phishing scam, or do you know someone who has? Have you come close (maybe by clicking a link and starting to enter your information before realizing that something was "not right" about the web site)? Do you take any special precautions to protect against phishing? Or do you believe that only dummies could possibly fall for the phishers' scams and that anyone who does deserves what he/she gets? Tell us about creative (or ridiculous) phishing attempts you've seen. We invite you to discuss this topic in our forum at
http://www.wxpnews.com/CN93IL/100209-Forum-Discussion