Wednesday 18 August 2010

Identity theft via phishing

The term phishing ( fishing) refers to luring techniques used by identity thieves to fish for personal information in a pond of unsuspecting Internet users. Their objective is to take this information and use it for criminal purposes such as identity theft and fraud. Phishing is a general term for the creation and use by criminals of emails and websites which is designed to look like they come from well-known, legitimate and trusted businesses, financial institutions and government agencies in an attempt to gather personal, financial and sensitive information.

These criminals deceive Internet users into disclosing their bank and financial account information or other personal data such as usernames and passwords.
Canada's Department of Public Safety and Emergency Preparedness and the United States Department of Justice are jointly issuing this special report to advise the public about the risks of responding to phishing emails and websites, and the steps to take when they encounter them.

Since 2003, law enforcement authorities, businesses and Internet users have seen a significant increase in the use of phishing. A growing number of phishing schemes are using the names and logos of legitimate financial institutions, businesses and government agencies in North America, Europe and the Asia-Pacific region for illegal purposes.

At first glance, phishing emails and the associated websites may appear completely legitimate. One recent phishing attempt in the U.S. used the names of the Federal Deposit Insurance Corporation (FDIC) and two of its officials, as well as the Department of Homeland Security. What Internet users may not realize is that criminals can easily copy logos and other information from legitimate businesses' websites and place them in phishing emails or bogus websites.

In addition, if the recipient of a phishing email clicks on a link it contains, even the window of the Internet browser that opens may contain what looks like the true Internet address (URL) of a legitimate business or financial institution.

Unfortunately, some phishing schemes have exploited a vulnerability in the Internet Explorer browser that allows phishers to set up a fake website at one place on the Internet, which will make it appear as if the Internet user is accessing a legitimate website at another place on the Internet.

Most phishing emails include false statements intended to create the impression that there is an immediate threat or risk to the bank, credit card or financial account of the recipient. The phony FDIC emails mentioned above falsely claimed that the Secretary of Homeland Security had advised the FDIC to suspend all federal deposit insurance on the recipients' bank accounts. Other recent phishing emails have falsely claimed that the recipients' credit card was being used by another person or that a recent credit card transaction had been declined.

As another example, a mass email circulated in the summer of 2004 advising customers of a leading Canadian financial institution, which had experienced information technology problems, that they needed to enter their client card numbers in order to access their accounts. In fact, the email was not sent or authorized by that financial institution.

In some cases, phishing emails have promised the recipients a prize or other special benefit. Although the message sounds attractive rather than threatening, the objective is the same: to trick recipients into disclosing their financial and personal data.

People who receive phishing emails are also likely to realize that the senders may have used spamming techniques (mass emailing) to send the message to thousands of people. Many of the people who receive that spammed email do not have an account or customer relationship with the legitimate business or financial services company that is purportedly the originator of the email. The people who create phishing emails count on the fact that some recipients of those emails will have an account or customer relationship with the legitimate business, and may be more likely to believe that the email has come from a trusted source.

Ultimately, people who respond to phishing emails may be putting their accounts and financial status at risk in three significant ways. First, phishers can use the data to access existing accounts to withdraw money or purchase expensive merchandise or services. Second, phishers can use the data to open new bank or credit card accounts in the victim's name, but use addresses other than that of the victim. Finally, the Internet users may not realize that they have become victims of identity theft.

Canada 's Department of Public Safety and Emergency Preparedness and the United States Department of Justice recommend that Internet users keep the following three steps in mind when they see emails or websites that may be part of a phishing scheme:

1. Recognize it – If you receive an unexpected email from a bank or credit card company saying that your account will be shut down if you do not confirm your billing information, do not reply or click on any links in the email. Phishers typically have one purpose in mind: to entice people to react immediately by clicking on the link and inputting their password or credit card number before they take time to think through what they are doing. Internet users need to resist that impulse.

2. Report it – Contact your bank or credit card company if you have unwittingly supplied personal or financial information. You should also report the matter to your local police. They will often take police reports even if the crime may ultimately be investigated by another law enforcement agency. In addition, a creditor who mistakenly believes that you are the person responsible for a fraudulent transaction may want to see a copy of a police report before correcting your credit account or credit report. Finally, report your identity theft case immediately to the appropriate government and private-sector organizations. Canadian and American agencies such as these are compiling information about identity theft to identify trends and assist law enforcement agencies in potential investigations.

3. Stop it – Become familiar with the practices of your financial institutions and credit card companies. They normally will not use email to confirm an existing client's information. Keep informed of the latest advisories and steps on how to protect yourself from identity theft and fraud. A number of legitimate companies and financial institutions that have been targeted by phishing schemes have published contact information for reporting possible phishing emails as well as online notices about how their customers can recognize and protect themselves from phishing.
In addition, people who use the Internet Explorer browser should immediately go to the Microsoft security home page to download a special patch that will protect against certain phishing schemes.

Here are examples of what I received by these scammers who were hoping that I would fall for their schemes and give them my personal information.

Dear friend,

It's my pleasure to acquaint you with this proposal for a financial and business assistance.I know my message will come to you as a surprise.Don't worry I was totally convinced to write you in reference to the transfer of USD$10.5M to your account for onward investment ( Hotel industries and estate building management) or any profitable business in your country.

Please,if you are interested,Email me so that I can give you more information. Remain bless while expecting your prompt co-operation.

From Johnny Peters
(Officer in African Development Bank)

This scammer wanted my bank account number.Here is a similar one sent to me.

Dear friend.

It's my pleasure to acquaint you with this proposal for a financial and business assistance.I know my message will come to you as a surprise.Don't worry I was totally convinced to write you in reference to the transfer of USD$10.5M to your account for onward investment ( Hotel industries and estate building management) or any profitable business in your country.

Please,if you are interested,Email me so that I can give you more information. Remain bless while expecting your prompt co-operation.

From Hassan Adama

The only thing that is different is the name of the scammer.I think it is the same scammer because you will note that in both messages, there are no spaces after the commas.

Dear E-mail Account User,

We have temporarily limited all access to sensitive account features, in order to restore your account access, you need to reply to this email immediately with your E-mail account Username here:( __________) and password here: (___________).

Due to much junk/spam emails you receive daily, we are currently upgrading all email accounts spam filter to limit all unsolicited emails for security reasons and to upgrade our new and improved E-mail account features and enhancements, to ensure you do not experience service interruption.

You must reply to this email immediately and enter both your user name and password in the space provided to enable us upgrade your E-mail Account properly.

A confirmtion link will be send to you for the Re-Activation of your e-mail Account, as soon as we received your response and you are to Click on the "Confirm E-mail" link on your mail Account box and then enter this confirmation number: 1265-6778-8250-8393-5727

Your failure to provide your e-mail account login details will lead to a temporarly disabled of your e-mail account or we will immediately deactivate your e-mail account from our database.

Thanks For Your Understanding.

It is obvious what this scammer wanted. He wanted to get access to my computer so that he could use my email address to commit further crimes. Needless to say, my e-mail account wasn’t deactivated like he claimed it would be.

The National Lottery
P O Box 1010
Liverpool, L70 1NL
(Customer Services)
Ref: UK/9580X2/45
Batch: 062/01/ZY469


It is obvious that this notification came to you as a surprise, but please
finds time to read it carefully as we congratulate you over your success in
the following official publication of results of the e-mail electronic
online draw held by UK NATIONAL LOTTERY.

We happily announce to you the draw (#942) of the UK NATIONAL LOTTERY,
online Sweepstakes International program held on friday, 19th of february,
2010. It is yet to be unclaimed,and you are getting the FINAL NOTIFICATION
as regards this. Your e-mail address attached to ticket number:16474620545
188 with Serial number 5268/02 drew the lucky numbers:4-7-9-11-15-30 (bonus
no.25), which subsequently won you the lottery in the 2nd category i.e
match 5 plus bonus.

You have therefore been approved to claim a total sum of 1,000,000 (One
million pounds sterling) in cash credited to file KTU/9013115308/03. This
is from a total cash prize of 10,000,000 shared amongst the(5)lucky winners
in this category i.e Match 5 plus bonus.All participants for the online
version were selected randomly from World Wide Web sites through computer
draw system and extracted from over 100,000 unions,associations, and
corporate bodies that are listed online. This promotion takes place weekly.
To file for your claim, please contact our fiduciary agent:

Dr. Gerald Watson

Contact him by sending him with the underlisted informations :


*Name of
of Kin:.........

Yours faithfully,
Mrs.Lorraine Dodds.
Online coordinator for THE NATIONAL LOTTERY
Sweepstakes International Program.

If I was stupid enough to give this scammer all that private information about me, he could get a credit card in my name. The clue that stands out about the fraudulent aspect of this message is him asking me for my occupation. Why would he need that information if I really won a lottery?

Hello ,

i am private business consultant ,Here I have some interested top government officials who need your business experience and connections to invest in your country.

I wait your response to provide you with more information.

Yours faithfully,


If I fell for that scam by responding, he would then ask me for information about my firm (if I had one) and then he could order things in the name of my firm and have them delivered to his own address. What follows is a similar scam.

You have won 1,000, 000.00GBPS. Send NAme,Address,Tel

How do you like that one for brevity?This one was sent to me many times.

Dear Internet User,

This Email is to inform you that you emerged a winner of the sum of 750.000.00 Euros with the following numbers attached Ref Number: PW 9590 ES 9414,Batch Number: 573881545-NL/2010 and Ticket Number: PP3502 /8707-01 on our online draws which was played on the year 2010.For further Information about your Winnings,contact your Lottery Claims Officer with the following contact Address Below.

Mr. Robert Anderson
Tel: +447045721780


Of course, if I contacted him, he would pump me for all kinds of personal information.

Dear Sir/Madam,

My Names are Mr. Paul Anderson, Staff of Nat West Bank UK. I would like you to
indicate your interest to receive the transfer of $11.5 Million Dollars. I will
like you to stand as the next of kin to my late client whose account is
presently dormant for claims. Please once you are interested in my business
proposal, further details of the transfer will be forwarded to you as soon as i
receive your return mail. clik on the blow link to confirm the genuiness of the
deceased death.

Mr. Paul Anderson
Please send your Reply to my private email address.

There is no doubt in my mind that he was seeking information with respect to my bank account.

Your mail id has won 1,000, 000.00 Pounds in the Uk lottery send:

Then he would send me a form to fill in which would include spaces for my bank account and password.

Dear Sir/Madam,

We are Guangxi Machinery & Equipment Import & Export Corp.
( GXME ) based in china, We are interested in employing
your service to work with us.

Are you looking for a lucrative job? The job takes only
2-4 hours a day, And its a chance for you to make over
$1,000 extra per week depending on how useful you are
to the company .

Also you do not need to resume at any office to get
started , Its a work from home and you do not pay any
fee to get started. Try now without risking your
current job by sending us an email with the following
informations to(

Full Names........Residential Address...........Phone...........

We awaits your prompt response if interested.

Gang Wang.

My name, address and phone number won’t be the only information he would have wanted from me.

Remember that old adage. If it sounds too good to be true, it isn’t true.

No comments: