Phishers Getting Smarter

Identity Theft Expert

It wasn’t long ago that most phishing emails were from a supposed Nigerian General Matumbi Mabumboo Watumboo. And you and I were flattered that we were the chosen ones to help the general transfer 35 million out of the country, because the Nigerian government was a bunch of jerks and wouldn’t let him keep the inheritance his wife had inherited from her deceased uncle Bamboo.

I distinctly remember getting a Nigerian phishing email in 1994-ish, back when I had an AOL account, and actually calling my bank and asking them what their thoughts were and what I should do. I mean 10% of $35 million, which the scammer offered in exchange for my help transferring the funds, was quite a fee for nominal work. All I had to do was front 10 grand in a wire transfer to make it all happen. My bank thought my Nigerian general and I were both nuts, and really didn’t know what I should do.

We didn’t have a lot of data on 419 scams or affinity fraud back then, or at least we didn’t have reliable access to that data, so I relied on what my mom told me early on: if it sounds too good to be true, it’s probably isn’t. So I deleted the email. Then I began to see more and more emails from others in the same quandary as the general.

Times have changed dramatically.

Today, with low cost delivery of email, billions of fraudulent emails are sent out every year. Any sales person knows it’s a numbers game. With billions of emails, you’ll eventually get someone to buy in.

Not too long ago, most spam emails came from a few legitimate servers. Once the government cracked down with the Can Spam Act, spam went underground. Most of today’s phishing emails originate from botnets. But what hasn’t changed much is the fraud victims’ sophistication, or lack thereof. The scammers are smarter, but the victims, not so much.

While phishing emails keep pouring in, their methods are changing rapidly. Posing as a Nigerian prince is still common, but not as effective. Even posing as a known bank or Paypal, asking to update an account for various reasons and requesting a potential victim’s user name and password is not as effective as it used to be.

Much of the phishing that occurs today is targeted “spear phishing,” in which the spammers are after a localized target. Recently, the usernames and passwords for 700 Comcast customers were posted on a document-sharing website, possibly as a result of a phishing attack. A Comcast employee with access to this type of data could easily have been tricked by a phisher posing as Comcast’s own IT staff, and foolishly released the customer information.

Going after a CEO is called “whaling.” Who better to take down than the biggest phish of them all? Most corporate websites offer plenty of data on the company officers and administrative contacts, which makes it relatively easy to create a sucker list. If scammers send an email blast to the entire company, eventually someone is likely to cough up enough data to allow the scammers to tap into the company’s intranet. Once the scammers have accessed the intranet, all further phishing emails will appear to be coming from a trusted, internal source.

Phishers even follow a similar editorial calendar as newspaper and magazine editors, coordinating their attacks around holidays and the change in seasons. They capitalize on significant events and natural disasters, such as Hurricane Katrina and most recently, swine flu. Since the swine flu outbreak, as much as 2% of all spamhas the words “swine flu” in the subject line. Numerous websites referencing swine flu in the address have also been registered.

Perhaps the most insidious type of phishing occurs when a recipient clicks a link, either in the body of an email or on the spoofed website linked in the email, and a download begins. That download is almost always a virus with a remote control component , which gives the phisher full access to the user’s data, including usernames and passwords, credit cards details, banking and Social Security numbers. Often, that same virus makes the victim’s PC part of a botnet.

How to avoid becoming a victim? Delete.

And of course update McAfee anti-virus and makes sure your PCs operating system has the latest critical security patches.

Robert Siciliano, identity theft speaker, discusses scam-baiters.