The crooks get even slimier
This column originally ran in ComputorEdge on March 17, 2006
Every year we express surprise and dismay in this space at the new depths of selfishness to which online thieves have sunk.
And each year, we manage to find examples of further descent on the part of online scam artists, spammers and other reprobates.
So it is with a sense of sadness but very little in the way of surprise that we report yet again that the phishers have descended to as-yet-unknown levels of sneakiness and duplicity.
Now that we, the phishers' would-be marks, have wised up and no longer buy into e-mails warning us that our bank/eBay/PayPal account has been compromised and to "just click here" to fix it, they're getting more creative.
A recent message making the rounds appears to be a receipt from PayPal for an eBay purchase.
Only, of course, you've made no such purchase and are wondering what the heck is going on. Oh, how handy: "If you haven't authorized this charge, click here to file a dispute."
How phishing works
The link does not really go to PayPal, obviously. It goes to a fake, PayPal look-alike page. The URL in this case was "www.paypal.somethingelse.us," with the "somethingelse" part not included here to prevent anyone from accidentally getting phished. Note what that hostname really says: the domain the phisher registered is "somethingelse.us," and "paypal" is merely a subdomain they created under it. Only the rightmost part of a hostname tells you who owns the site; anything to the left of it can be whatever the attacker wants.
Those who go there and "log in" to PayPal are then reportedly redirected to the real PayPal, where a script logs them in. You're now in PayPal, with no record of the non-existent transaction the fake e-mail warned you of. And the phisher now has your PayPal login and password, courtesy of their fake front door.
Unless you realize very quickly what has happened, they will log into your PayPal account and change the password, effectively locking you out. They then empty your PayPal balance (if you have one) and/or ring up expensive purchases on the account, assuming you have a bank account or credit card attached to it. (They can then return the purchased items for refunds into other accounts, ones they have permanent access to.)
Fortunately, even if I weren't savvy after actually falling for an eBay phishing scam a couple of years back and giving away my eBay info, my e-mail client and browser both noticed the phishing scam and warned me that the link was not secure.
Eudora 7 displays a pop-up window telling me that the actual host is different from the host in the hotlinked text and asking me if I'm sure I want to continue.
Being stubborn for the purposes of this column, I do want to continue. Eudora warns me again, and I have to click OK on a pop-up dialogue window in order to launch my browser and open this link.
When Netscape 8.1 launches, it warns me that the security encryption certificate for the site does not match the site's URL, and gives me the option of closing the connection.
Now, not everyone uses Eudora or Netscape, and I can't vouch for how IE or Outlook handle this particular scam.
Still, it is apparent that the legitimate software publishers are catching up to the phishers and making it more difficult for them to fool us.
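The two warning signs described above, the hostname that only contains "paypal" as a subdomain and the link whose visible text names a different host than its href actually points to, can both be checked mechanically. The following is an added example written for this page, not code from the column, Eudora or PayPal. It uses only the Python standard library; the allowlist of trusted domains, the "last two labels" domain heuristic and the sample e-mail body are all constructed here, and the phishing host reuses the column's redacted placeholder "www.paypal.somethingelse.us".

```python
"""Flag phishing-style links in an HTML e-mail body.

Check 1 (the Eudora-style warning): the host shown in the link text differs
from the host the href really goes to.
Check 2 (the look-alike hostname): the brand name appears only as a subdomain
label, e.g. www.paypal.somethingelse.us, whose registrable domain is
somethingelse.us, not paypal.com.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed allowlist: the institutions the reader actually has accounts with.
TRUSTED_DOMAINS = {"paypal.com", "ebay.com"}

# Constructed sample bodies (not real messages). The phishing host below is the
# column's redacted placeholder, not a real domain.
PHISH_BODY = (
    "<p>Thank you for your purchase. If you haven't authorized this charge, "
    '<a href="http://www.paypal.somethingelse.us/cgi-bin/webscr">'
    "https://www.paypal.com/cgi-bin/webscr</a> to file a dispute.</p>"
)
LEGIT_BODY = '<p>Sign in at <a href="https://www.paypal.com/">PayPal</a>.</p>'


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> tag in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(s):
    """Lower-cased hostname of a URL, or of bare text such as 'www.paypal.com'."""
    if "://" not in s:
        s = "http://" + s
    return (urlsplit(s).hostname or "").lower()


def registrable_domain(host):
    """Last two labels of the host. This is a deliberate simplification for the
    example; production code should consult the Public Suffix List instead."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def check_link(href, text):
    """Return the list of reasons this link is suspicious (empty if none)."""
    reasons = []
    href_host = host_of(href)
    # Only treat the link text as a URL/host if it looks like one.
    shown_host = host_of(text) if ("." in text and " " not in text) else None
    if shown_host and shown_host != href_host:
        reasons.append(f"text shows {shown_host} but href goes to {href_host}")
    domain = registrable_domain(href_host)
    if domain not in TRUSTED_DOMAINS:
        for trusted in TRUSTED_DOMAINS:
            brand = trusted.split(".")[0]
            if brand in href_host.split("."):
                reasons.append(f"'{brand}' is only a subdomain label; "
                               f"the real domain is {domain}")
    return reasons


def scan_email(html_body):
    """Map each href in the body to its list of warnings."""
    parser = _AnchorCollector()
    parser.feed(html_body)
    return {href: check_link(href, text) for href, text in parser.links}


if __name__ == "__main__":
    for body in (PHISH_BODY, LEGIT_BODY):
        for href, reasons in scan_email(body).items():
            print(href, "->", reasons or "looks consistent")
```

The brand-as-subdomain check is the one that catches this particular scam even when the link text is innocuous ("click here"); the host-mismatch check catches the older trick of showing one URL and linking to another. Neither replaces the advice below to avoid clicking e-mail links to financial sites at all.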
So how do you make sure you're not scammed? That you're not a victim of online identity theft?
The most important way may be to simply never click on a link in an e-mail claiming to be from a merchant or financial institution. Instead, if you receive what appears to be an e-mail from a bank, a store or, yes, even PayPal informing you of some sort of issue that needs resolving, go to your browser and manually type in that institution's URL (or use your normal bookmark). Log in as you normally would and see if your account really has an issue.
Second, every time you get a fraudulent e-mail claiming to be from an institution you have an account with (your bank, PayPal, eBay), forward it to their anti-fraud office. (Their Web site usually lists this contact, typically an e-mail address.)
© Copyright Jim Trageser
All rights reserved