I have a computer and use the Internet. What should I be concerned about?
Recently, a phishing email arrived in my inbox. Phishing is a method of fraudulently
obtaining personal information, such as passwords, Social Security numbers, and
credit-card details, by sending emails that look like they come from trusted sources,
such as banks or legitimate companies.
Typically, phishing emails request that recipients click on the link in the email
to verify or update contact details or credit-card information. Like spam, phishing
emails are sent to a large number of email addresses in the expectation that someone
will disclose their personal information.
The phishing email that came to me looked like a legitimate email. How did I know
it was a phishing email? Easy. I don’t have an account with the bank it was
purportedly sent from. If I had an account with this company, how would I know not
to respond to this request for “extra verification?”
Well, McAfee® recommends that you look at these types of email carefully. So
that’s what I did, and I noticed that the email address from where it was
sent was suspiciously long and odd. Then I decided to closely study the text.
Because of (sic) unusual number of invalid login attempts on your account,
we had to believe that, their (sic) might be some security problem on your account.
So we decide to put (sic) an extra verification process to ensure your identity
and your account security.
Please click on continue to the verification process and ensure your account security.
It is all about your security.
There are several errors in the text. The odd word choices and sentence structure
are other indications that this is a phishing attempt, most likely written by an
off-shore, non-native-English speaker. You can be sure that this world-renowned
institution would not send out such a poorly written email to its customers.
If you clicked the “Click here” link (which the message refers to as
“continue”), it would take you to a web site that looked like the real
bank site. If you then signed in, your account number and password would now be
captured by the cyber-criminals. They would then go to the real bank site and clean
out your account—transferring money into their own accounts. Don’t believe
me? I did “click here” just to see what would happen.
I was taken to a site that looked like a real bank web site with fields asking for
“Online ID” and “password.” Studying the site, I found a
big clue that it wasn’t real. It had a very strange web address (also known
as a URL) that began “www.preciouslordtakemyhand.com.” Doesn’t
sound like a respected financial institution’s web address, does it? The phishers
were clever enough to have some of the links on this page connected to the real
web site. It certainly helps with the ruse if you are not paying close attention.
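The address check described above can be automated. The following is an added example, not part of the original article: it flags a sign-in page whose host is not the bank's own domain, even when some of its links point to the real site. The bank's domain (examplebank.test), the page path, the markup and the field names are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Assumption: placeholder for the bank's real domain, which the article does not name.
TRUSTED = {"examplebank.test"}

def is_trusted(host, trusted=TRUSTED):
    """True only for a trusted domain or one of its subdomains."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in trusted)

class PageScan(HTMLParser):
    """Collects link targets, form targets and password fields."""
    def __init__(self):
        super().__init__()
        self.links, self.forms, self.has_password = [], [], False
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.links.append(a["href"])
        elif tag == "form":
            self.forms.append(a.get("action") or "")
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            self.has_password = True

def assess_page(page_url, html, trusted=TRUSTED):
    """Return findings for a page that claims to belong to the bank."""
    scan = PageScan()
    scan.feed(html)
    def host(ref):  # resolve relative references against the page URL
        return urlparse(urljoin(page_url, ref)).hostname
    page_ok = is_trusted(urlparse(page_url).hostname, trusted)
    findings = []
    if scan.has_password and not page_ok:
        findings.append("password field on untrusted host")
    if any(not is_trusted(host(f), trusted) for f in scan.forms):
        findings.append("form submits to untrusted host")
    if not page_ok and any(is_trusted(host(l), trusted) for l in scan.links):
        findings.append("untrusted page links to the trusted site")
    return findings

# Constructed sample: host from the article; path, markup and field names invented.
SAMPLE_URL = "http://www.preciouslordtakemyhand.com/signin.html"
SAMPLE_HTML = """<a href="https://www.examplebank.test/privacy">Privacy</a>
<form action="verify.php"><input name="onlineid">
<input type="password" name="pw"></form>"""

if __name__ == "__main__":
    print(assess_page(SAMPLE_URL, SAMPLE_HTML))
```

The suffix match is anchored on a leading dot, so a host that merely contains the bank's name somewhere in a longer address is not treated as trusted.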
You can enter any “online ID” number or “password” because
they are being captured, not verified as would happen on the real banking site,
so when I entered a bogus ID number of “12345678910,” it was accepted.
However, when I entered a password “Phishers Suck,” I received an error
message for having a “space” in the password.
This error message actually reinforces the feeling you’re on a legitimate
banking site, but really this criterion was added to the page coding because the
thieves know that most companies require passwords to have no spaces.
Obviously, criminals want the correct password so they can bilk your account without
running into any difficulty.
After typing in my password without any spaces and clicking on “Sign In,”
my trusted protection from McAfee SecurityCenter alerted me that I was preparing
to visit a “potential phishing” site. What a relief to know I am protected
by the Power of M™.
When I overrode McAfee SecurityCenter’s recommendation and chose to “Allow
this web site,” I was presented with an online form that included requests
for my Social Security number and credit-card numbers. If I had filled out this
form completely, I would have given these criminals everything they needed to steal
my identity and my money. It would have been just like walking up to a stranger
and presenting them with my wallet and my keys.
After entering bogus information into the form, I clicked “Submit.” I
was very curious to see where this phishing trip would lead. Believe it or not,
another screen popped up, asking for even more personal information. “What
is your grandmother’s maiden name? What high school did you graduate from?”
These identity thieves wanted to be sure they found out as much as they could about
me. They were looking for answers to these questions just in case they later ran
into any trouble emptying my bank account. By the way, this page has a very sloppy
layout. The questionnaire is way too close to the edge. The real bank wouldn’t
tolerate this unprofessional layout on its web site.
After answering these personal questions with more bogus information, I clicked
on the “Submit” button. Up on the screen popped a “Thanks for
updating your account!” message. It might as well have said, “Thanks
for helping us rip you off!”
Within seconds, this page was automatically redirected to—who would’ve
guessed it—the real bank’s web site home page! Pretty sneaky. So if
I had any suspicions about the site’s legitimacy, I might be fooled into feeling
reassured. Only later, when I tried to access my bank account again, would I realize
that I had been robbed.
I’m glad I’m protected by McAfee security
products and services.