Phishing in eMail
October 3, 2007
Here’s my latest phishing email I got today. It supposedly came from ‘Technical support <email@example.com>’. This one isn’t really very sophisticated. It was sent to my personal email address that only friends and family are supposed to have. That was the worst part. I’ve tried to keep that address ‘secret’.
My mail program correctly identified it as a phish but I would have known because the subject line was, "Protect your Citizens Bank online account". I don’t have a Citizens Bank account. And, I got the email two days after the date my account needed to be ‘updated’. Maybe that was supposed to make me think I missed something and had better hurry up.
Here’s what it said – I disabled the link.
CAUTION: On October 1, we will be moving to a new Internet Banking system.
You will need to print any previous records (statements, cancelled checks, Bill Pay information, etc.) you wish to retain since they will not move to the new service.
Your Internet Banking access will resume on Monday, October 1.
Previous merger with Signature Bank’s parent company, Money Manager GPS, Completed on March 1, 2007.
Payments with a scheduled payment date of October 1 or before will be processed and should not be resubmitted.
Any payment scheduled for payment after October 1 will not be processed and other payment arrangements should be made.
If you previously had e-bills or payees setup with Bill Pay, Wire, Ach, etc., you will need to re-apply for the service, and re-enter the bill payment information on the new system starting October 1.
If you have any questions about your Internet Banking service or our merger, please feel free to call us at 1-888-9797-7711. All information you provide to us on our web site is encrypted to ensure your privacy and security.
Beginning on October 1, you can access the new Citizens Internet Banking system by clicking here:
Citizens Bank Online Billing Services Team
© 2007 Citizens Bank Online, Inc. All Rights Reserved
That link looks safe enough – and it even has the ‘https’ at the beginning indicating it’s a secure site. So you may just go ahead and click without thinking.
Whoa – slow down, Sparky….
One of the tip-offs to look for in a phishing email is to see if the link shown in the email actually is the same as the destination. When I held my mouse cursor over that link, the address bar at the bottom of my email program showed this address: securelogin-63815387.moneymanagergps.com.fgs45.com/login.htm. At a quick glance you see it starts with ‘securelogin’ and you see ‘moneymanagergps.com’. It wants you to log in right off the bat. If you do, you just gave up your username and password to your bank account.
That link is actually taking you to a domain named ‘fgs45.com’ not ‘citizensbank.com’. The real domain is whatever comes right before the first slash, and everything to the left of it is just a subdomain label the sender can make up. All that stuff in the address is just there to try to fool you into taking their bait. The link was created with a bit of script that showed one thing but led to another. If you google that domain name, you’ll see that it’s been identified as a phishing site.
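The hover check described above can also be done by a mail filter. As an added example (not part of the original post), this Python code pulls each link out of an HTML email, compares the domain in the visible link text with the domain the href really points to, and flags hosts that bury another domain in their subdomain labels. The sample anchor is constructed: its href host is the one quoted above, while the http scheme and the visible text are assumptions, and the two-label domain rule is a simplification that holds for suffixes like .com.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

COMMON_TLDS = {"com", "net", "org"}  # small illustrative set (assumption)

def registered_domain(host):
    # Simplification: last two labels. Real tooling needs the Public Suffix List.
    return ".".join(host.rstrip(".").split(".")[-2:])

def host_of(s, allow_bare=False):  # host of an http(s) URL, or of bare 'bank.com/x'
    s = s.strip()
    if "://" not in s and allow_bare and s and not any(c.isspace() for c in s):
        s = "//" + s  # let urlsplit treat bare link text as a network location
    elif not s.lower().startswith(("http://", "https://")):
        return None
    try:
        host = urlsplit(s).hostname
    except ValueError:
        return None
    return host if host and "." in host else None

class LinkCollector(HTMLParser):  # gathers (href, visible text) per <a>
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def check_links(html):  # -> [(real registered domain, reason), ...]
    parser, findings = LinkCollector(), []
    parser.feed(html)
    for href, text in parser.links:
        real, shown = host_of(href), host_of(text, allow_bare=True)
        if real and shown and registered_domain(shown) != registered_domain(real):
            findings.append((registered_domain(real), "text-mismatch"))
        if real and COMMON_TLDS & set(real.split(".")[:-2]):
            findings.append((registered_domain(real), "embedded-domain"))
    return findings

# Constructed sample: href host is the one from the post; visible text is assumed.
SAMPLE = ('<a href="http://securelogin-63815387.moneymanagergps.com.fgs45.com'
          '/login.htm">https://www.citizensbank.com/</a>')
```

Running `check_links(SAMPLE)` reports fgs45.com twice, once for each reason; a link whose text is just "click here" can still be caught by the embedded-domain check.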
Another thing to look for is misspelled words. I think someone writing from a bank would know how to spell ‘canceled’. However, look in the second sentence – it’s misspelled as ‘cancelled’. What about that phone number – 1-888-9797-7711? It’s got an extra number in it. There are a few other boo-boos that should have been edited. Real corporations carefully edit and proofread anything they send.
This phishing email wasn’t one of the better ones out there. It didn’t have any official looking graphics or layout. It did have a gray background and was written in big letters – I guess to impress me. There are some very well-done phishes out there that look quite authentic – even the website the links take you to looks like the real thing.
So here’s the Phishing Rule #1 – Never click on a link in an email. Especially if it is asking you to go to a site to provide secure or personal information. Type an address directly in the address bar on your browser if you think you need to go there.
I don’t know what’s at the domain the link tried to send me to and I’m not going to go there to see – I don’t recommend you go there either. It’s obviously a website run by crooks.