Phishing with better bait

Mark Lyndersay
Mark Lyndersay

BitDepth#1215

ROD AND REEL fishermen pride themselves on how attractive they can make the bait they cast, spinning it stylishly into the water at the end of an almost invisible line.

Online scam artists rarely take that kind of time with their efforts to encourage people on the web to do something careless with their personal information.

Most efforts at what’s called phishing, a contraction of phoney and fishing, are sloppy, relying on the statistical advantage of reaching a vast number of people via spam e-mails and depending on inattentiveness in their reading.

It’s surprising how obviously fake the efforts are, and that’s probably because so much is sloppy and careless on the internet these days.

Some of that is the mad rush for “authenticity” which holds that scrappy is synonymous with realistic, so many efforts at duping people into doing something quite stupid fit right into that ethos.

A year ago I did a post about a scam that was making the rounds that’s since become my most read post (http://ow.ly/TU5e30pxaie).

That lure leveraged the possibility that the recipient might have been doing something very inadvisable in front of a camera-enabled computer while visiting an internet pornography website.

To add a garnish of authenticity to the e-mail, it included a password that had been gathered from an old privacy breach as proof that the nonexistent video the e-mailer had surreptitiously made of the inadvisable activity was real.

Payment in Bitcoin was then demanded

That put three axes of potential success into the mix. If someone met all three criteria and recognised the password, it was likely that they would panic and immediately set about trying to figure out how to get Bitcoin to pay off a blackmailer.

It was all rubbish.

Most spam detection systems now look out for the wording used in the e-mail and recent versions are now sent as a picture of the text to avoid such filters, but they still circulate.

Two weeks ago, I got another phishing effort in my in-box and was duly impressed by the effort put into this one.

Apparently a notice of a debit to my account at FCB, with a visual reminiscent of the ones used by the bank in its advertising, it invited me to log in to the bank’s website to check on the transaction.

The sender e-mail was genuine, using the actual FCB customer care e-mail address (picture here: http://ow.ly/muAr30pxazJ).

My first reaction was to check my account using the bank’s app, instead of clicking on the link provided. There was no debit.

On closer inspection, the link provided did not go to FCB, but to another website dressed persuasively in the bank’s colours and design dress but would be harvesting your personal information to break into your account.

What would likely have happened afterward would be a series of small debits to the account over time that you might not notice for some time.

I provided FCB with a copy of the e-mail and other pertinent information. In return, they blew my queries and requests for comment off with a rather casual, “Phishing is a major issue for us (and [our] competitors).”

I got an e-mail in FCB trade dress and it was relevant to me, because I do some banking with the institution. The same scam would work the same way and look equally persuasive for any bank in TT, and indeed the world.

Don’t click on links in e-mails unless you trust the sender and always take the longer, verified route to check your financial information.

Mark Lyndersay is the editor of technewstt.com. An expanded version of this column can be found there

Comments

"Phishing with better bait"

More in this section