Is it just me, or is everyone else noticing that the number of “phishing scams” is on the rise? I think I’ve gotten at least a half dozen attempts in the last 4 or 5 days. For those of you who may not be familiar with this scam, the idea is simple: send a bunch of people an email claiming to be from PayPal or eBay telling them there’s been some sort of issue with their account. Perhaps you claim you’re doing a routine check to ensure the account is still active so you can delete inactive ones (a popular PayPal scam), or that someone has tried unsuccessfully to log into their account, so they should go to a link you’ve handily supplied and log in to verify that their account hasn’t been hijacked.
Even though Microsoft has patched IE to deal with this exploit, the patch is only effective if people apply it, and we know how bad people are about keeping their systems updated. As a result, reports of this scam have increased almost 200% in the month of April, and the scammers are inventing new tricks to fool folks into handing over their info. Citibank is a favorite target, with over 475 unique phishing scams in April according to The Anti-Phishing Working Group, with eBay and PayPal coming in second and third.
Clever spoofers are even finding ways to deal with patched browsers. According to the folks at Miller Smiles in the UK, the newest trick is to spoof both the address bar and the status bar by using a new browser window with these features turned off and graphical images in their place:
These pages were constructed in the following manner …
- a link in a spoofed email opens a new browser window which is scripted to immediately close itself and reopen with the address bar (and possibly the status bar) removed,
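A defender reviewing a suspicious page can check its script for the window setup described above. The following is an added example, not part of the original post or the Miller Smiles write-up; the function names and the sample script are assumptions made for illustration, and it assumes the legacy behaviour in which unlisted window features default to off.

```javascript
// Added example: static check for the popup trick described above.
// Feature values that switch a window.open() feature on.
const ON = new Set(['', 'yes', '1', 'true']);

// Parse "a=no,b,c=1" into a Map of feature name -> enabled.
function parseFeatures(features) {
  const map = new Map();
  for (const part of features.split(',')) {
    const [name, value = ''] = part.toLowerCase().split('=').map(s => s.trim());
    if (name) map.set(name, ON.has(value));
  }
  return map;
}

// Bars a features string hides. Assumption (legacy browser behaviour): once any
// feature is listed, unlisted yes/no features default to off.
function hiddenBars(features) {
  if (!features.trim()) return [];
  const map = parseFeatures(features);
  return ['location', 'status'].filter(bar => map.get(bar) !== true);
}

// window.open(url, name, features) with three string literals.
const OPEN_CALL =
  /\bwindow\.open\s*\(\s*(['"])(.*?)\1\s*,\s*(['"])(.*?)\3\s*,\s*(['"])(.*?)\5\s*\)/g;

// Report popups that hide the address or status bar, and whether the
// script also closes its own window (the close-and-reopen step).
function scanScript(source) {
  const popups = [];
  for (const m of source.matchAll(OPEN_CALL)) {
    const hidden = hiddenBars(m[6]);
    if (hidden.length) popups.push({ url: m[2], features: m[6], hidden });
  }
  const closesSelf = /\b(?:window|self)\.close\s*\(/.test(source);
  return { popups, closesSelf };
}

// Constructed sample script, not taken from a real page.
const SAMPLE = `
  window.open("http://login.example.invalid/", "w", "width=640,height=480,status=no");
  window.close();
`;
console.log(JSON.stringify(scanScript(SAMPLE), null, 2));
```

Major current browsers keep the address visible in popup windows regardless of these features, so a hit mainly signals an attempt to hide it.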
Examples of both eBay and PayPal versions have already turned up in users’ inboxes. I got the eBay one myself this morning. It wasn’t hard to tell it was fake, if for no other reason than I have never had an account on eBay. I do, however, have a PayPal account, so it’s important to know that neither company will ever send you an email asking you to submit credit card data in a form in the email. Nor will they provide you with a link to log in to your account with. If you use eBay or PayPal with any regularity, then you already know what the URL to get to their site is, so they’ll expect you to go there on your own if they need you to do something.
That’s your first line of defense: know the policies and practices of the companies you deal with. In addition to that, it probably wouldn’t hurt to keep tabs on the folks at The Anti-Phishing Working Group, as they’ll keep you informed on new scams as they come up. At the very least, you want to be sure you think carefully about any request you get via email claiming to be from a recognized company that asks you to submit personal data and credit card information directly into a form they provide you. Always go to the site in question on your own, without using any of the links in the email, and check to see if they have any news of scams or frauds being perpetrated through email. Both eBay and PayPal have special email addresses you can forward these emails to in order to check if they are spoofs. Citibank probably does as well, but I’ve not checked their site for it.
I’ve posted a couple of examples of these scams at the bottom of this entry for those who want an idea of what to look for.