Wednesday, May 13, 2009

Who’s Behind Phishing Scams

“Why did you send me this scam!” That’s the G-rated version of what some people say when they call to complain about receiving a phishing scam.

It’s easy to understand the recipient’s anger. Receiving a phish, whether on the phone or through email, can seem like a personal invasion. They’ve got your number. They know where you bank. They know that you use eBay. Or do they?

The whole reason these scams fall into the phishing category is because, like actual fishermen, phishers throw out a lot of bait in hopes of making even just one catch. They don’t really know where you specifically conduct financial business, but they’re making a pretty good guess.

Phishing scams can be documented as early as 1996. Back in 2003, Internet access provider Earthlink became so angry over phish scams sent in their name that they went on a manhunt. What they found was a bunch of kids in Eastern Europe and Asia. Today it’s not uncommon for more than 250,000 phishing attempts to be sent in one day against any one financial institution. But it’s not just bored teenagers anymore. Phishing has become a complex organized crime. According to a report by Cloudmark, Inc.: “Phishing does not occur in isolation, but rather, operates within a complex network. In fact, individuals involved in phishing do not typically understand how to orchestrate an entire phishing attack.”

This flow chart created by Cloudmark shows the various steps in creating a single phish scam. The individuals involved in each component probably don’t all know each other; they are just performing their task.

The recipient lists can be acquired in numerous ways. One way is to just randomly generate email names with common provider extensions. Another is to purchase lists via the black market. It isn’t unusual for one individual to receive phish scams from several financial institutions within a few days. Remember, they’re phishing to get the right bait.

I don’t pretend to understand all the techno gobbledygook about how phish scams actually happen or operate. But I can tell you that it’s not your credit union, eBay, PayPal or any other reputable company that’s setting this up.

For consumers, phishing most often results in monetary loss. I read one story on the FDIC site that said that one victim responded to a phish at 12:10 am and money was taken from their account at 12:13 am. Frighteningly fast! But there’s more…

For businesses, preventing phishing spoofs leads to rising costs in prevention and remediation, as well as brand erosion and loss of customer trust.

What can you do to deter phishing? Be suspicious! And forward any suspicious messaging whenever possible to the organization being impersonated.

ONE LAST THING: Phishing isn’t restricted to email. Phish scams have been sent through phone calls and text messaging too. Don’t click links. Don’t press buttons. Don’t call back. Just don’t.

masked woman by greendragonflygirl
