
Phishing – Nothing To Do With Fish

Shared by: linqing
Posted: 12/21/2011

An Informational Alert from Information Systems



This important informational update is to forewarn everyone of new computer-based identity theft tactics. The latest, very common, and one of the most effective means of stealing one's identity is through phishing, pronounced "fishing", another form of spam. This new spam is very serious, so I will lead off with a quote from a recent article:



“If you screw this up, it will mean you lose dollars. That's right, your own personal money. Your privacy will be invaded and your identity might be compromised. Do I have your attention now? This is not an attack from John Ashcroft or some federal agency applying some obscure interpretation of the Patriot Act. This is coming from real bad guys who want to steal from you.”



Phishing is spam; however, these emails attempt to entice you into visiting a website and providing personal financial information to people who shouldn't have it. The mail is professional looking and disguised to look like it's coming from a legitimate business. In the past week, our own VP of Administrative Services received one such message, allegedly from US Bank, and she immediately notified the Information Systems department. When we checked the official US Bank website, we found a prominent alert posted stating that their company was being used in phishing scams. The US Bank warning reads:



This email claims that the user needs to update their information in case they forget their Internet Banking password. If the user is ever locked out of the system, or forgets their password, they can regain access by verifying their identity from information they are now asked to provide. The email contains a link for the user to verify their personal information.



This link opens a fake (ghost) US Bank web site where the user must select their account type. They are then presented with a form asking for personal and account information. When the user submits the form, this information is emailed to the fraudsters while the user is redirected to the genuine US Bank web site. The user is unaware they have just sent their details to the fraudsters. This allows the fraudsters to hijack the user's bank account.



These e-mails are carefully crafted with HTML, and utilize graphics from legitimate companies. There are weblinks in the e-mails that look legitimate, and they appear to point to a special website run by that business. The mails even include disclaimers and legal notices at the bottom, often with working links to the real company's website.



The pitch is usually subtle but appears to be serious. A typical phishing scam will state that you need to update information about your account. It may state that your account has been inactive for some time or that your account may have been compromised. You're then directed to click a legitimate-looking URL in the mail, which takes you to a professional-looking site with the company's logos and a web form. You're asked to "update" your account information, including logins and passwords, account numbers or credit card information. The problem is, none of this information is going to the company; it goes to the bad guys' database.



The main clue that these are bogus is that they are addressed anonymously, usually to "valued customer" or "account holder." Rarely will companies send e-mail asking you to provide information in this fashion. A quick way to check is to open a browser, manually type in the URL of the company's site, and look for warnings about such messages. In the US Bank case, they clearly announced a warning on their website that their firm was being used in phishing scams.
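
The clues described above (an anonymous salutation, a request to update account details, and a legitimate-looking URL that leads somewhere else) can be checked mechanically. The Python sketch below is an added example, not part of the original alert; the keyword lists, the rule comparing a link's displayed URL with its real destination, and the sample message with its placeholder hostnames are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

GENERIC_GREETINGS = ("valued customer", "account holder")  # salutations named in the alert
REQUEST_WORDS = ("update", "verify")  # assumed wording of the "update your account" pitch

class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs and the message's plain text."""
    def __init__(self):
        super().__init__()
        self.links, self.text, self._href, self._buf = [], [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._buf = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self._buf.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._buf).strip()))
            self._href = None

def _host(url):
    """Hostname of a full URL or of a bare 'www.site.example/path' string."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()

def phishing_clues(html_body):
    """Return a list of human-readable clues found in an HTML mail body."""
    p = _LinkCollector()
    p.feed(html_body)
    p.close()
    text = " ".join(" ".join(p.text).split()).lower()
    clues = [f"generic greeting: {g!r}" for g in GENERIC_GREETINGS if g in text]
    if any(w in text for w in REQUEST_WORDS) and "account" in text:
        clues.append("asks reader to update/verify account information")
    for href, shown in p.links:
        # Compare only when the visible text itself looks like a URL or hostname.
        looks_like_url = re.match(r"^(https?://|www\.)\S+$", shown, re.I)
        if looks_like_url and _host(shown) != _host(href):
            clues.append(f"link shows {_host(shown)} but goes to {_host(href)}")
    return clues

# Constructed sample message; all hostnames and addresses are placeholders.
SAMPLE = """<p>Dear Valued Customer,</p>
<p>Please update your account information:
<a href="http://203.0.113.7/verify">https://www.bank.example/update</a></p>
<p><a href="https://www.bank.example/legal">Legal notices</a></p>"""
```

The working "Legal notices" link to the real site raises no clue, which matches the alert's point that such links are included to make the mail look genuine. An empty result only means none of these three clues matched.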



Don’t Be Duped

Phishing scams are on the rise and have been reported to be nearly 5% effective in convincing individuals to complete the form with the private and financial information the scammers are seeking. Some companies being spoofed in these scams are AOL, credit card companies, banks, eBay/PayPal, etc., and the list is growing.



Use Common Sense and Follow These Simple Steps:



1. If you receive a message like this, never fill out the requested information.
2. Call the company if you have ANY questions.
3. Visit the company's legitimate website to see if there are any warnings about their site being used in phishing scams.
4. In some instances you can report the scam to the company (some companies provide a web page on their site just for this purpose).
5. Delete the email.
6. Pass this information on to friends and relatives so they are informed.



Note: There is no need to report these messages to the Information Systems department, as there is nothing further we can do. We have anti-spam measures in effect; however, with the millions of spam messages being sent, some will slip through and get into your inbox.



Submitted by: Gary Ham

Chief Information Officer


