March 26, 2008
There’s a lot of emails circulating around pretending to be from Paypal. I’ve gotten a few of them lately. I know they’re fake before I read them because I have a special Paypal email address that I don’t use for anything but Paypal. The phishing emails came to the wrong address. The only reason I read them is to see what scammers and identity thieves are up to and report it here.
They look very convincing and are designed to make you think there’s a big problem with your account that you need to take care of right away. They even gave me a reference number to track the ‘unusual charges to a credit card linked to my Paypal account’. Wasn’t that nice of them?
There’s even a little ‘tips’ box in the email telling me to never give out my Paypal password to anyone. They’re trying hard to convince me this is a real email from Paypal because they tell me to open a new browser window and to type in http://paypal.com to "be sure I’m on the real PayPal site."
Then there was a very noticeable link for me to click on. The problem with that link is that it doesn’t go anywhere near the Paypal website. It goes to: paypal.com.3ifjmk.cn. It has a little other bit of gobbledy-gook thrown into the address to confuse you. The actual site it’s going to is 3ifjmk.cn. That paypal.com business at the beginning is meaningless.
If you clicked on that link and logged into ‘your account’, you’ll have instantly given an identity thief your PayPal password. Now they have access to your bank account and credit card account that’s linked with PayPal. You’ll get your cash wiped out in seconds – literally.
So here’s the official YourIdentitySafe policy on emails: Never Click on a Link in an Email that Asks You To Login To Your Account.
If you feel you’ve got to go check out your account, do it your usual way by typing in the address directly in your browser window. The best thing to do is delete the email and forget about it.
November 6, 2007
The phishers are at it again. Apparently they decided their Citizen’s Bank scheme had run its course. Now they’re trying to impersonate S&T Bank. They sent it to me at the same email address. I guess they’re hoping they’ll eventually hit a bank that I use and that I’ll certainly believe them.
I seem to have some kind of ‘issue’ with my (non-existent) account. They "detected unauthorized use of a bank account linked to S&T bank accounts." This is pretty funny…. the reply-to address is Gabriel.Foster@sarahsellsthecity.com. Hoo Boy – that inspires confidence!
The link in it will take me to "http://business.ebanking-services.nubi.sessions23629937.signin.aspx.nddw2.com/signinaspx.htm" which is really some domain named nddw2.com – I bolded it in the address above.
They signed it with " S&T bank Account Review Department". I guess they don’t think the word ‘bank’ in their name deserves to be capitalized.
Who wants to go there first?
November 5, 2007
I heard about a credit card telephone scam recently that was quite well done and easy to fall for. The thieves sometimes identify themselves as from Visa and sometimes from Mastercard.
Here’s how it works…..
You answer your phone and the person calling you says they’re from the "Security and Fraud Department at VISA (or Mastercard)". They even tell you their badge number.
They say your account has been tagged for an unusual purchase pattern and they’re calling to verify it. [Now that has a real ring of truth. I’ve had my credit card company verify purchases in the past.] They even have the name of the bank your card is issued from.
They ask if you purchased an Anti-Telemarketing Device for $497.99 from a company in Arizona. Naturally, you say ‘no’. [Note – this is one of the few times you get to say anything.]
The caller will then tell you you’ll get a refund issued before your next statement. They say the credit will be sent to (reads your address) and asks if that’s correct. So you say ‘yes’.
This is starting to establish a pattern of trust and believability because up to now, the caller knows your credit card number, the bank issuing it and your address.
The caller goes on to say they’ll be starting a fraud investigation and if you have any questions, you should call the 800 number on the back of your card and ask for ‘Security’. You’ll also be given a six digit reference number to use if you call.
So by now you figure this is legit and maybe you’re even looking at the back of your credit card for that 800 phone number. The thief is just about to set the hook on this phishing scam.
So far, you haven’t provided any information a thief could use and the caller seems to know all about your card and is doing his best to help you with a fraudulent charge. You’re just a little rattled thinking your number has been stolen and grateful that the "Security and Fraud Department" is on the ball.
The one last thing the caller says is that he needs to verify you have actual possession of your card. He’ll ask you to look at the back and read off the 3 security numbers that are usually in the upper right corner on the back. You think that sounds reasonable and read them to him. He will tell you that you’re correct and thank you for verifying it. Then tell you to call if you have any questions. Good-bye – have a nice day.
Presto – you’ve been scammed.
Many times thieves get your name, address and card number. They’ll even know the issuing bank but unless they have possession of the card, they won’t know the security code on the back. Once they have this code, they can order anything online – it’s just like holding your card in their hot little hands.
When you get your next statement, you just may find you now have a $497.99 charge for that anti-telemarketing device along with a lot of other charges for things you never ordered.
Your credit card issuer will NEVER ask you for any numbers. If they call you to verify a charge, they already know they’re talking to you and they won’t ask you to verify any numbers. They’ll just ask if you made that charge. Never give out any information over the phone to anyone.
A classic ploy for telephone phishers/scammers is to tell you some kind of alarming news. That gets your brain side-tracked and keeps you from thinking normally. Then when they ask you to verify information, you just blurt it out. If you keep your wits about you and refuse to ‘verify’, the next step the scammer will usually do is to threaten to shut down all your financial accounts. You think your bank would really do that to you knowing full well there’s another bank on the corner you can switch to?
Never give any stranger such information as:
- Social Security number
- PIN number
- Security number on the back of your credit card
- Driver’s license number
- Bank account number
- Credit card number
- Mother’s maiden name
- Birth date
When aggressive sales people (even honest ones) call on the phone and shoot questions at you, we have a tendency to answer them. They start off with, "How are you today?" just to get you started answering. Next thing you know, they’ll ask if you rent or own, how much your mortgage is, yada yada. It’s a sales technique. If you wouldn’t tell a stranger on the street this type of thing, don’t tell someone who calls or emails either.
October 17, 2007
Judging from the search terms YourIdentitySafe has gotten on the Citizen’s Bank Phishing email, I think quite a number of other people have received that email. The same guys are still sending out their phishing poles but now they’re using Compass Bank. These are really lame looking but be aware that some do look very authentic and the site they take you to can have the exact appearance of the real site.
Perhaps many people don’t understand how to look at a web address and tell exactly what the actual domain name is. At its simplest, this is a domain name: ‘domain.com’ . Sometimes you’ll see www in front of it, sometimes not – that’s really not important.
When you see a ‘/’ after the domain name, anything after that is a page on the website. So: ‘domain.com/folder/info-page’ is a page on the site named ‘info-page’ and it’s in the subdirectory named ‘folder’. A page file can have a lot of different endings like: html, htm, php, asp, or nothing at all.
Now, the important part to telling a phishing scheme is what’s going on before that last part of the url which in our example is ‘domain.com’.
All kinds of words, letters and periods can be added to the beginning. Much like: compassbank.com.domain.com. You see the compassbank.com part and maybe think it’s legit. It’s not. It’s still at ‘domain.com’.
Phishers like to put LONG strings of words separated by periods in hopes that it will confuse you into thinking you’re going to the legitimate site. All you have to do is look for the last period before the first ‘/’. The part right in front of it is the actual domain name.
Usually phishing sites use weird domain names like ‘csr98.net’. That’s the domain my latest Compass Bank phishing attempt is trying to send you to. Here’s the whole address: http://e-access37579210.compassbank.com.ibscompass.cmserver.welcome.default.verify.cfm.csr98.net/Internet%20Cash%20Management.htm . Wow, that looks totally official – I see ‘compassbank.com’ and ‘welcome’ and ‘verify’ and ‘default’ – it must be a safe and welcoming site!
I got that address by hovering my mouse over the link in the email that looks legit. Then I right-clicked on it and chose ‘copy link location’. I then pasted it into a Word document – any text editor also works for this. The real address showed up. All that gobbledy-gook in front of ‘csr98.net’ doesn’t mean anything.
Hovering your mouse over a link will show the true web address in the little address bar at the bottom of your email window, too.
Learn to look for the real address in any link in emails you receive. The safest way to be sure you’re going to the correct website is to type an address into a browser yourself and not click on links – especially links that say you need to update your account information.
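The reading rule above, as an added example (not from the original post): a Python sketch that pulls the host out of a link, reduces it to the domain that actually owns it, and lists brand names that appear only as decoration in front of it. The sample links are the ones quoted on this page; the brand list and the short multi-part-suffix set are assumptions standing in for real data such as the Public Suffix List.

```python
from urllib.parse import urlsplit

# Assumption: a tiny stand-in for the Public Suffix List (endings like co.uk
# need three labels, not two). Real tooling should load the full list.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "com.cn"}

# Assumption: brands a mail filter might want to protect (names taken from the page).
BRANDS = ["paypal.com", "compassbank.com", "citizensbank.com", "moneymanagergps.com"]

# Links quoted in the posts on this page (two of them appear without a scheme).
PAGE_LINKS = [
    "paypal.com.3ifjmk.cn",
    "http://business.ebanking-services.nubi.sessions23629937.signin.aspx.nddw2.com/signinaspx.htm",
    "http://e-access37579210.compassbank.com.ibscompass.cmserver.welcome.default"
    ".verify.cfm.csr98.net/Internet%20Cash%20Management.htm",
    "securelogin-63815387.moneymanagergps.com.fgs45.com/login.htm",
]

def host_of(url):
    """Host part only: everything between the scheme and the first '/'."""
    url = url.strip()
    if "://" not in url:          # urlsplit needs a scheme to find the host
        url = "http://" + url
    return (urlsplit(url).hostname or "").rstrip(".")

def registrable_domain(url):
    """The domain someone had to register, i.e. where the link really goes."""
    labels = host_of(url).split(".")
    keep = 3 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 2
    return ".".join(labels[-keep:])

def embedded_brands(url, brands=BRANDS):
    """Brands that show up in the host although the real domain is something else."""
    host, real = host_of(url), registrable_domain(url)
    return [b for b in brands
            if b != real and (host.startswith(b + ".") or "." + b + "." in host)]

if __name__ == "__main__":
    for link in PAGE_LINKS:
        print(registrable_domain(link), embedded_brands(link))
```

A link whose real domain is the brand itself, such as https://www.paypal.com/signin, returns an empty list.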
October 3, 2007
Here’s my latest phishing email I got today. It supposedly came from ‘Technical support <email@example.com>’. This one isn’t really very sophisticated. It was sent to my personal email address that only friends and family are supposed to have. That was the worst part. I’ve tried to keep that address ‘secret’.
My mail program correctly identified it as a phish but I would have known because the subject line was, "Protect your Citizens Bank online account". I don’t have a Citizens Bank account. And, I got the email two days after the date my account needed to be ‘updated’. Maybe that was supposed to make me think I missed something and had better hurry up.
Here’s what it said – I disabled the link.
CAUTION: On October 1, we will be moving to a new Internet Banking system.
You will need to print any previous records (statements, cancelled checks, Bill Pay information, etc.) you wish to retain since they will not move to the new service.
Your Internet Banking access will resume on Monday, October 1.
Previous merger with Signature Bank’s parent company, Money Manager GPS, Completed on March 1, 2007.
Payments with a scheduled payment date of October 1 or before will be processed and should not be resubmitted.
Any payment scheduled for payment after October 1 will not be processed and other payment arrangements should be made.
If you previously had e-bills or payees setup with Bill Pay, Wire, Ach, etc., you will need to re-apply for the service, and re-enter the bill payment information on the new system starting October 1.
If you have any questions about your Internet Banking service or our merger, please feel free to call us at 1-888-9797-7711. All information you provide to us on our web site is encrypted to ensure your privacy and security.
Beginning on October 1, you can access the new Citizens Internet Banking system by clicking here:
Citizens Bank Online Billing Services Team
© 2007 Citizens Bank Online, Inc. All Rights Reserved
That link looks safe enough – and it even has the ‘https’ at the beginning indicating it’s a secure site. So you may just go ahead and click without thinking.
Whoa – slow down, Sparky….
One of the tip-offs to look for in a phishing email is to see if the link shown in the email actually is the same as the destination. When I held my mouse cursor over that link, the address bar at the bottom of my email program showed this address: securelogin-63815387.moneymanagergps.com.fgs45.com/login.htm. At a quick glance you see it starts with ‘securelogin’ and you see ‘moneymanagergps.com’. It wants you to login right off the bat. If you do, you just gave up your username and password to your bank account.
That link is actually taking you to a domain named ‘fgs45.com’ not ‘citizensbank.com’. All that stuff in the address is just there to try to fool you into taking their bait. The link was created with a bit of script that showed one thing but led to another. If you google that domain name, you’ll see that it’s been identified as a phishing site.
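The shown-versus-destination check described above can be automated. This is an added example, not part of the original post: it parses an HTML email body and reports links whose visible text names one site while the href leads to another. The sample markup is constructed (the post does not reproduce the displayed link text, and the http:// scheme on the href is assumed); only the destination host comes from the page.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

def site(url):
    """Last two host labels (simplification: ignores endings such as co.uk)."""
    url = url.strip()
    if "://" not in url:
        url = "http://" + url
    host = urlsplit(url).hostname or ""
    return ".".join(host.split(".")[-2:])

class LinkCollector(HTMLParser):
    """Collects (visible text, href) for every <a href=...> in a message."""
    def __init__(self):
        super().__init__()
        self.links = []
        self.href = None
        self.text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.href = dict(attrs).get("href")
            self.text = []

    def handle_data(self, data):
        if self.href is not None:
            self.text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self.href is not None:
            self.links.append(("".join(self.text).strip(), self.href))
            self.href = None

def mismatched_links(html):
    """Return (shown text, shown site, real site) where the two sites differ."""
    collector = LinkCollector()
    collector.feed(html)
    collector.close()
    findings = []
    for text, href in collector.links:
        shown_is_address = "." in text and " " not in text
        if shown_is_address and site(text) != site(href):
            findings.append((text, site(text), site(href)))
    return findings

# Constructed sample email body; the link text is invented for illustration.
SAMPLE_EMAIL = (
    "<p>You can access the new Internet Banking system by clicking here:</p>"
    '<a href="http://securelogin-63815387.moneymanagergps.com.fgs45.com/login.htm">'
    "https://www.citizensbank.com/login</a> "
    '<a href="https://www.citizensbank.com/help">Help</a>'
)

if __name__ == "__main__":
    for shown, shown_site, real_site in mismatched_links(SAMPLE_EMAIL):
        print(f"shows {shown_site} but goes to {real_site}: {shown}")
```

Links whose text is ordinary wording ("Help", "click here") are skipped here because there is no shown address to compare against.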
Another thing to look for are misspelled words. I think someone writing from a bank would know how to spell ‘canceled’. However, look in the second sentence – it’s misspelled as ‘cancelled’. What about that phone number – 1-888-9797-7711. It’s got an extra number in it. There are a few other boo-boo’s that should have been edited. Real corporations carefully edit and proofread anything they send.
This phishing email wasn’t one of the better ones out there. It didn’t have any official looking graphics or layout. It did have a gray background and was written in big letters – I guess to impress me. There are some very well-done phishes out there that look quite authentic – even the website the links take you to look like the real thing.
So here’s the Phishing Rule #1 – Never click on a link in an email. Especially if it is asking you to go to a site to provide secure or personal information. Type an address directly in the address bar on your browser if you think you need to go there.
I don’t know what’s at the domain the link tried to send me to and I’m not going to go there to see – I don’t recommend you go there either. It’s obviously a website run by crooks.