Phishing crime's up nearly 600%. Don't get hooked!
Criminal "phishing" attacks have risen by nearly 600 percent this year, according to a report from the Anti-Phishing Working Group, an association of financial institutions, online retailers, law enforcement, security and research groups that have combined forces to fight Internet crime.
Phishing is typically carried out by e-mail, instant messaging or text messages that appear to be from banks, online retailers or auction sites. Phishers are using increasingly sophisticated techniques to trick people into divulging information, usually by directing them to a fake website that appears nearly identical to the legitimate site.
Earlier this month, for instance, the FBI announced it had arrested 100 members of an international criminal ring that used e-mails to direct banking customers to phony bank Web sites, where they were asked to provide account log-ins, passwords and other information the crooks then used to raid their bank accounts. Victims included thousands of customers at U.S. banks, including Wells Fargo and Bank of America, according to the industry trade publication Bank Information Security.
As Mueller put it:
“After changing all our passwords, I tried to pass the incident off to my wife as a ‘teachable moment’. To which she replied: It is not MY teachable moment. However, it is OUR money. No more Internet banking for you!”
The reality is that cybercrooks are getting better at what they do and bank or credit card accounts are among their prime targets, so assuming you’re not at risk is the true mark of naïveté. Even our technology-savvy colleague Paul Eng describes how he almost fell for a clever phishing text message that appeared on his cell phone, falsely warning him that his Chase card had been deactivated and instructing him to call a toll-free number listed in the message to provide information needed to reactivate his account.
Ironically, customers at credit unions, community banks and big banks such as Citibank recently have been targets of robo-calls that claim the customer’s account has been temporarily suspended because of a suspected security breach. Customers are instructed to “press 1 now” to be transferred to the bank or credit union’s security department, where they supposedly can reactivate their accounts by entering their debit or credit card account numbers and PINs. That gives thieves what they need to start charging away or draining bank accounts, making that imaginary “suspected security breach” a reality.
The bottom line: Never respond directly to phone calls or click on links in messages sent to your computer or cell phone that purport to be from your bank or any other company you do business with, no matter how urgent or persuasive the message is. Instead, initiate a call yourself to the customer service number listed on your monthly account statement to verify that any communication you’ve received is legitimate.
You’ll find more detailed advice here on how to spot and avoid phishing scams. Plus, you can take a Consumer Reports test to see if you can spot fake e-mail here.
And if you’ve already given out information you shouldn’t have or clicked on a link in a suspicious message that may have infected your computer with malware, here are some tips on what to do to limit the damage.
–Andrea Rock

Posted by: The Garland Group | Oct 29, 2009 2:30:01 AM
That figure is staggering and scary! It's hard to fathom that this is such an everyday occurrence. The onus is on Banks to increase their customer data protection by 600%! It's no longer OK to be FFIEC compliant. Educating customers, employees and creating a culture of security is now mandatory. And as customers we have to be on our toes. Trust goes out the window, yet again!
Posted by: John Hilst | Nov 2, 2009 1:52:49 PM
These are good statistics to be aware of as we enter the holiday shopping season and more folks start spending their hard earned cash via online transactions. No doubt phishing attempts will only increase as the days go by. Along with the tips mentioned here, at Thawte we'd like to remind people that using sites with Extended Validation SSL -- the green url bar -- is a great protection method. If you know your bank or online merchant has the green url but for some reason the site isn't displaying it, it's a good tip-off.
One last thing -- I find the FBI Mueller story fascinating in that he gave up online banking despite NOT having his info compromised -- in other words, he was smart enough to notice that it was a phishing scam and not a legit request for credentials. If only we all had the same suspicions.