Phishing and email scams received welcome attention this weekend in an expose on consumer watch program, Carte Blanche.
Alison Treadaway, Director of messaging specialist, Striata, says the only long-term antidote for phishing is education and therefore getting coverage on a program like Carte Blanche is ideal. “Teaching consumers to differentiate between a valid email and a fraudulent email is critical in the war against email scams.”
There are three different levels of sophistication evident in the fraud attempts seen over the past 6 months.
Spray Phishing, the most basic of email fraud, involves blasting out a generic spam mail to every email address the fraudsters can find. An example of this are emails informing you that you’ve won a lottery, or that you could be a beneficiary, or could stand to inherit some money. The catch is that you need to supply your details and possibly produce a down payment of some kind in order to collect the funds. There is no personalization or branding in the email, and often there are spelling and grammar mistakes.
Treadaway explains, “Spray phishing has been going on for years. It’s a numbers game: if the fraudsters distribute enough email, they are bound to find someone who will fall for the scam. Most often, the victims are new Internet users who are excited to receive an email and innocently respond, allowing the scam artists to open up a dialogue.”
The next level of scam sophistication is called User Phishing. The email comes from a recognizable brand and requests a legitimate sounding action from the recipient. Banking brands in particular have been targeted with these scams, as fraudsters become increasingly good at copying legitimate communications in order to dupe the Bank’s clients.
“We have seen emails that are perfect replicas of valid bank communications, ranging from the graphics and web links to the wording. The only difference is when you click through via a link to complete the “action”, you land up on a fraudulent web page,” says Treadaway.
The third and most sophisticated type of scam to emerge is Spear Phishing – targeting specific individuals or organizations. The criminals behind the scam have done their homework and know enough about the target to appear legitimate. Using social networking sites, free email services and any other information they can find on the Web, the fraudsters craft a customized communication that they target at a specific individual.
“The email may be addressed to you by name, it may contain information about someone you know and it will most certainly ask you either for money (to bail out a friend in trouble), to input your banking information, or just to open up a dialogue.”
Treadaway says there is no foolproof way to protect yourself against phishing attacks, other than being vigilant about your online activities and staying informed.
Follow these key guidelines to ensure that you do not become a victim:
- A Bank will never send an email requesting your personal security details. Any communication that asks you for your login, pin or password is a scam.
- If the email is digitally signed (look for the red rosette), check the signature to make sure it comes from the right sender.
- Before clicking on a link in an email, mouse-over the link and check the URL. If the URL does not conform to what you would expect, i.e. www.bank.co.za, do not click on it. Rather type the correct email address into your browser.
- Secure banking sites will publish a Web certificate that shows as a padlock next to the address bar in your browser. This proves that you are entering a secure site. The correct URL, coupled with the presence of the padlock is an indication that you are entering the legitimate site. There are websites on which you can verify the owner of a URL.
- To avoid the risk of downloading spyware or malware, change your Internet security settings to always ask for confirmation before downloading anything to your computer.
- Use anti-virus and anti-spyware software and make sure you keep them up-to-date.
- There are many sites and blogs that discuss phishing attempts. Copy and paste the content of the suspected email into a search engine, and if it is a known phishing attempt (you will most likely not be the first to receive it) there will be lots of information and discussion about it.
- Use common sense: if the email content seems too good to be true, then it probably is. Be cautious about opening unknown attachments or downloading any files, regardless of who sent them. Don’t email your personal, financial or password information, EVER.