Online Fraud: Phishing
Phishing – What is phishing?
Phishing, or ‘brand spoofing’, attacks use email messages and fraudulent
websites designed to fool recipients into divulging personal and financial
data such as credit card numbers, account usernames and passwords, Social
Insurance Numbers (SIN), etc. By hijacking the trusted brands of well-known
financial institutions, government agencies, online retailers and credit card
companies, phishers are able to convince some recipients to respond.
What should Internet users do about phishing schemes?
Internet users should follow three simple rules when they see email messages
or websites that may be part of a phishing scheme: Stop, Look and Call.
1. Stop. Phishers typically include upsetting
or exciting (but false) statements in their email messages with one purpose
in mind: they want people to react immediately to that false information, by
clicking on the link and entering the requested data before they take time
to think through what they are doing. Internet users, however, need to resist
the impulse to click immediately. No matter how upsetting or exciting the
statements in the email may be, there is always enough time to check the
information more closely.
2. Look. Internet users should look more
closely at the claims made in the email. Think about whether those claims
make sense, and be highly suspicious if the email asks for any items of
personal information such as account numbers, usernames or passwords.
For example:
If the email indicates that it comes from a financial institution where you
have a debit or credit card account, but tells you that you have to enter
your account information again, that makes no sense.
Legitimate financial institutions already have their customers’ account
numbers in their records. Even if the email says a customer’s account is
being terminated, the real financial institution still has that customer’s
account number and identifying information and has no need to ask for it.
If the email says that you have won a prize or are entitled to receive some
special “deal”, but asks for financial or personal data, there is good
reason to be highly suspicious. Legitimate companies that want to give you a
real prize don’t ask you for extensive amounts of personal and financial
information before you’re entitled to receive the prize.
3. Call. If the email or website purports to
be from a legitimate company or financial institution, Internet
users should contact that company directly and ask whether the email or
website is really from it. To be sure they are reaching the real company or
institution where they hold accounts, credit card account holders can call the
toll-free customer numbers on the backs of their debit/credit cards. Financial
institution customers can call the telephone numbers on their financial
statements. Never call a number given in the email to confirm its validity:
that number leads to the criminals who sent the email, and they will confirm
whatever the email says.
Remember, never
respond to a message from someone you don’t know and never click on a link
in an unsolicited message, including instant messages.
If the phishing involves impersonation of Credit Union Central of Canada
(Canadian Central), such as the following example, please forward the email
to security@cucentral.com. If it involves your credit union, contact them
directly as well as your local authorities, and report it to the Anti-Fraud
Centre at
http://www.antifraudcentre-centreantifraude.ca/english/home-eng.html
Dear CU Client,
We noticed that your credit union account was accessed from an unrecognized
device and location in Quang Ngai,Vietnam,ASIA
with IP: 113.160.244.109.
We also noticed that the sum of $495.98 was transferred to an external
account ending ****9811.
Due to this, your account has been blocked and your internet access
disabled. You can restore your account access by clicking on the below link:
CLICK HERE TO RESTORE YOUR ACCOUNT
If you were the one who initiated the transfer, you can chose to complete it
after you might have restored your account.
Credit Union Canada.
TOP WORDS CYBER CRIMINALS USE IN FAKE EMAILS
Below are the top words cybercriminals use to create a sense of urgency and
trick unsuspecting recipients into downloading malicious files. The top word
category used to evade traditional IT security defenses in email-based attacks
relates to express shipping, according to FireEye. Urgent terms such as
"notification" and "alert" appear in about 10 per cent of attacks. An example
of a malicious attachment name is
"UPS-Delivery-Confirmation-Alert_April-2012.zip."
According to Ashar Aziz, founder and CEO, FireEye – an organization that is
involved in cyber protection, "Cybercriminals continue to evolve and refine
their attack tactics to evade detection and use techniques that work. Spear
phishing emails are on the rise because they work. Signature-based detection
is ineffective against these constantly changing advanced attacks, so IT
security departments need to add a layer of advanced threat protection to
their security defenses."
Cybercriminals also tend to use finance-related words, such as the names of
financial institutions and an associated transaction such as "Lloyds TSB -
Login Form.html," and tax-related words, such as "Tax_Refund.zip." Travel
and billing words including "American Airlines Ticket" and "invoice" are
also popular spear phishing email attachment key words.
Targeted phishing emails are particularly effective because cybercriminals
often use information from social networking sites to personalize emails and
make them look more authentic. When unsuspecting users respond, they may
inadvertently download malicious files or click on malicious links in the
email, giving criminals access to corporate networks and the opportunity to
exfiltrate intellectual property, customer information, and other valuable
corporate assets.
FireEye highlights that cybercriminals primarily use zip files in order to
hide malicious code, but also notes use of additional file types, including
PDFs and executable files.
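The following Python script is an added example, not code from Credit Union Central of Canada or from FireEye. It turns the indicators described on this page into a simple mail-triage check: the urgency words and "click here to restore your account" wording seen in the specimen email above, and the shipping, finance, tax and travel/billing keywords and zip/executable/HTML/PDF attachment types that FireEye reports. The point weights, the block/review/pass thresholds, the link-host check and the second and third sample messages are this example's own assumptions (the page gives no link target for the specimen, so it is scored without one).

```python
import re
from dataclasses import dataclass, field

# Indicator lists distilled from this page: urgency words such as "notification"
# and "alert"; the express-shipping, finance, tax and travel/billing lures that
# FireEye reports in attachment names; and the zip/executable/PDF/HTML types it
# says carry the malicious code. Weights and thresholds are this example's own
# assumptions, not figures from the page.
URGENCY_TERMS = {"notification", "alert", "urgent", "immediately", "blocked",
                 "disabled", "suspended", "restore", "unrecognized"}
LURE_TERMS = {
    "shipping": {"ups", "fedex", "dhl", "delivery", "shipment", "tracking"},
    "finance": {"login", "account", "transfer", "bank", "tsb", "statement"},
    "tax": {"tax", "refund"},
    "travel_billing": {"ticket", "airlines", "invoice", "billing"},
}
RISKY_EXTENSIONS = {".zip", ".rar", ".exe", ".scr", ".js", ".html", ".htm", ".pdf"}
# "Enter your account information again" / "restore your account" wording: a
# real institution already holds this data, so the request itself is the tell.
DATA_REQUEST = re.compile(
    r"\b(enter|re-?enter|confirm|verify|update|restore)\b.{0,40}"
    r"\b(account|password|username|card|pin|sin)\b", re.I)
CLICK_LURE = re.compile(r"\bclick(ing)?\b.{0,30}\b(link|here|below)\b", re.I)


@dataclass
class Finding:
    score: int = 0
    reasons: list = field(default_factory=list)

    def add(self, points, reason):
        self.score += points
        self.reasons.append(reason)


def _tokens(text):
    return set(re.findall(r"[a-z0-9]+", text.lower()))


def score_attachment(filename):
    """Score one attachment name against the naming patterns FireEye lists."""
    f = Finding()
    m = re.search(r"(\.[a-z0-9]+)$", filename.lower())
    if m and m.group(1) in RISKY_EXTENSIONS:
        f.add(2, f"risky attachment type {m.group(1)}")
    toks = _tokens(filename)
    if toks & URGENCY_TERMS:
        f.add(1, "urgency term in name: " + ", ".join(sorted(toks & URGENCY_TERMS)))
    for category, words in LURE_TERMS.items():
        if toks & words:
            f.add(1, f"{category} lure: " + ", ".join(sorted(toks & words)))
    return f


def score_message(text, attachments=(), link_hosts=(), expected_host=None):
    """Score subject+body text, plus attachment names and link targets.

    link_hosts are the hostnames behind the message's links (a mail gateway
    would pull them from href attributes); expected_host is the institution's
    real domain. A link to any other host outweighs every other single tell."""
    f = Finding()
    urgent = _tokens(text) & URGENCY_TERMS
    if urgent:
        f.add(1, "urgency terms: " + ", ".join(sorted(urgent)))
    if DATA_REQUEST.search(text):
        f.add(2, "asks the reader to enter/restore account data the sender already holds")
    if CLICK_LURE.search(text):
        f.add(1, "pushes the reader to click a link")
    for host in link_hosts:
        if expected_host and host != expected_host and not host.endswith("." + expected_host):
            f.add(3, f"link points to {host}, not {expected_host}")
    for name in attachments:
        a = score_attachment(name)
        f.score += a.score
        f.reasons.extend(f"{name}: {r}" for r in a.reasons)
    return f


def verdict(f):
    return "block" if f.score >= 4 else "review" if f.score >= 2 else "pass"


# The specimen email quoted on this page (no subject line is shown there).
SPECIMEN = """Dear CU Client,
We noticed that your credit union account was accessed from an unrecognized
device and location in Quang Ngai,Vietnam,ASIA with IP: 113.160.244.109.
We also noticed that the sum of $495.98 was transferred to an external
account ending ****9811.
Due to this, your account has been blocked and your internet access
disabled. You can restore your account access by clicking on the below link:
CLICK HERE TO RESTORE YOUR ACCOUNT
If you were the one who initiated the transfer, you can chose to complete it
after you might have restored your account.
Credit Union Canada."""

if __name__ == "__main__":
    for name in ("UPS-Delivery-Confirmation-Alert_April-2012.zip",
                 "Lloyds TSB - Login Form.html", "Tax_Refund.zip"):
        a = score_attachment(name)
        print(f"{a.score:2d} {name}: {'; '.join(a.reasons)}")
    m = score_message(SPECIMEN)
    print(verdict(m), m.score, m.reasons)
```

Run stand-alone, the script scores the three attachment names from the FireEye section and then the specimen, which trips the urgency, data-request and click-lure checks and lands on "block" from its wording alone. Keyword scoring of this kind is only a first pass: it catches the naming patterns the page describes, while FireEye's own point is that signature-style matching alone does not keep up with attackers who rename and repackage, so in production it belongs in front of attachment detonation and link analysis, not in place of them.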