BBC

Maggie Shiels

Top G-man in Phishing scam

  • Maggie Shiels
  • 9 Oct 09, 09:11 GMT

Over the last few days, many of you will have read all about the on Gmail, Yahoo, Hotmail and AOL involving more than 30,000 accounts.

And while the BBC and other organisations have been for a long time, it is understandable why so many people fall for them.

Cyber-criminals are increasingly sophisticated in their approaches these days and because so many of these fake websites look so authentic, it is easy to understand why users get hoodwinked.

Don't feel bad if this means you, because even the most security-conscious and hyper-aware can be taken in. Robert Mueller, the head of the Federal Bureau of Investigation, told the in San Francisco:

"Cyber crime is a nebulous concept. It is difficult to grasp intangible threats, and easy to dismiss them as unlikely to happen to you.
 
"Intruders are reaching into our networks every day, looking for valuable information. And unfortunately, they are finding it, because many of us are unaware of the threat these persons pose to our privacy, our economic stability, and even our national security."

Mr Mueller then revealed that he himself was nearly suckered by a phishing attack after he got an e-mail on his home computer that "looked perfectly legitimate" and seemed to come from his bank.

He told the audience that he answered the first few questions, but pulled the plug on the whole thing when he was asked for his password.

In a mea culpa moment, Mr Mueller admitted that even though he is "someone who spends a good deal of [his] professional life warning others about the perils of cyber crime, [he] barely caught [himself] in time."

The FBI director told the audience that he quickly changed all his passwords and tried to brush the incident off to his wife as a "teachable moment". She replied: "It is not my teachable moment. However, it is our money. No more internet banking for you."

Mr Mueller went on to point out that while these scams are becoming a fact of life, it's a technique that terrorist groups are also relying on to fund their activities.

"We know the game of our adversaries. They will keep twisting the doorknobs and picking the locks until they find a way in. But we must not let them in. We must change the locks. We must bar the doors and we must sound the alarms when we notice anything out of the ordinary."

As an example of co-operation across borders, Mr Mueller also announced , involving a wide-ranging phishing attack that targeted American financial institutions and around 5,000 US citizens.

He said that the FBI, the Secret Service and state and local law enforcement worked closely with their counterparts in Egypt to close down the "largest international 'phishing' case ever conducted."

While Mr Mueller tried to underline the need for everyone to "take ownership of cyber-security," one audience member was not so convinced that cyber-criminals are the real threat to American security.

A written question to the FBI head read, "I'm not worried about a teenage hacker reading my e-mail. I'm worried about you reading it."

Comments

  • Comment number 1.

    IMO, you need to pass an exam before you go on the internet and use it.

  • Comment number 2.

    Good post Maggie, no really. It's scary to think how many people sleepwalk into these kind of scams (The head of the FBI no less!). A lot more mainstream publicity about the dangers and how the average user can protect themselves is needed.

  • Comment number 3.

    I had an idea for an extra layer of protection, it won't stop people falling for phishing scams but it will hopefully reduce them. Instead of the username & password on one page as it is now, have 2 pages.

    The 1st page is where you enter your username; it then either takes you to a page in which you can enter your password underneath a known picture/phrase or, if it can't match your IP address up to your history, it prompts you to enter an answer to a personal question before taking you to the password screen.

    It's scary to see how many people sleepwalk into giving their personal details away, just look at facespace!

  • Comment number 4.

    I'm one of the people who got their Hotmail hacked, and I can let you know there was no phishing scam. I never follow links from anyone and always type the site address of my bank etc into the browser instead.

    The hacker then had access to my secondary email in my profile, which explains the Gmail, Yahoo etc addresses also being available. My eBay was hacked and my Livejournal blog, too. Fortunately, I had immediately cancelled my bank cards so financially I wasn't hit, and the guys at eBay etc were really helpful.

    The idea that this was a phishing scam is sheer nonsense and a way for the people at Microsoft to avoid responsibility by declaring 'user error'.

  • Comment number 5.

    Nice Post.
    How many of us go "tut tut" when someone we know gets pickpocketed or robbed in the street and assume that it will never happen to us? We all do.
    The same applies online and it is important that we are all educated about the possible threats in the same way we all harp on about not leaving wallets in back pockets when on holiday.

  • Comment number 6.

    I have been working in IT now for several years and consider myself to be rather savvy to these scams etc but I myself got caught out once. Not exactly a phishing scam - rather a spam email but along similar lines.

    I was on holiday in Spain and was checking my emails with my girlfriend sat next to me - I saw an email saying "Hi xxxx it's xxxx from Utah. I'm finally coming to the UK to see you. Now we can meet in person. Message me back xxx" or something along those lines. The girlfriend went mad and thought I'd been talking to girls on messenger services so, like a dumbass, I replied to the email saying "Sorry I don't know you". Two days later I checked my email and there were 302 spam emails in my inbox - messages from credit card companies, banks etc.

    Even for people who are 'in the know' sometimes it's possible to get unwittingly dragged into these scams.......

  • Comment number 7.

    It really isn't difficult to pick out phishing emails - in most cases there are some GLARINGLY obvious clues that what you're reading is nothing more than an attempt to scam you. You really do have to be seriously lacking in common sense to get caught out.

    Firstly, no matter what the circumstances, any organization of repute (your bank, Amazon, eBay, PayPal, whoever) will NEVER email you asking you to 'confirm' or 'verify' your password. If they need legitimate access to your account then they have much easier methods at their disposal, which do not involve contacting you.

    Secondly, in many cases, the email presents a link to an apparently valid website (which is actually nothing more than a front-end to a script that harvests usernames/passwords) - at first glance, the URL presented in the email may look valid (for example, www.yourbank.co.uk/verifypassword), but if you hover over the link in your email client, you'll notice that the actual URL it directs you to is completely different; it might be a throwaway domain, or even just the IP address of the phishing scammer's webserver.

    As a rule of thumb: if you receive any suspicious messages that appear to come from your bank, or your credit card company, or your long lost uncle from Nigeria who wants you to wire a couple of grand of good faith money to an offshore bank account in order for you to inherit the family fortune...mark the message as junk (or 'phishing scam', if possible) in your client, then delete it.

    Simple.
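The "hover over the link" check described in comment 7 can be automated. The following is an added example, not code from the original post or its commenters: it parses the anchors in an HTML e-mail body and flags links whose real target is a bare IP address or whose target host differs from the address shown in the link text. The sample message is constructed.

```python
# Added example (not from the original post): flag e-mail links whose
# real target does not match the address shown, as comment 7 describes.
from html.parser import HTMLParser
from urllib.parse import urlparse

def host_of(text):
    """Lowercase host of a URL or bare domain in text, else None."""
    text = text.strip()
    if "://" not in text:
        text = "http://" + text  # treat 'www.bank.co.uk/x' like a URL
    host = urlparse(text).hostname
    return host.lower() if host and "." in host else None

class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in the body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def suspicious_links(html):
    """Return (href, shown_text, reason) for links that belie their text."""
    parser = LinkCollector()
    parser.feed(html)
    flagged = []
    for href, text in parser.links:
        target, shown = host_of(href), host_of(text)
        if target is None:
            continue
        if target.replace(".", "").isdigit():  # dotted-quad IPv4, not a domain
            flagged.append((href, text, "target is a bare IP address"))
        elif shown and shown != target and not target.endswith("." + shown):
            flagged.append((href, text, "shown host differs from target"))
    return flagged

# Constructed sample message, modelled on the pattern in the comment.
SAMPLE = ('<p>Please <a href="http://203.0.113.7/login">verify your password</a> or go to '
          '<a href="http://yourbank-verify.example/vp">www.yourbank.co.uk/verifypassword</a>. '
          'Help: <a href="https://www.yourbank.co.uk/help">www.yourbank.co.uk</a>.</p>')
```

Running `suspicious_links(SAMPLE)` flags the first two links and leaves the genuine one alone; a subdomain of the shown host (e.g. secure.yourbank.co.uk) is deliberately accepted.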

  • Comment number 8.

    Step 1
    Install and use an email program that comes from a different supplier to your operating system.

    Step 2
    As your default, view all your emails in text-only mode. The scams will be much more obvious; and you can then view any messages that have other content when you know they are safe. And what does HTML add to emails anyway? It is a text medium.

  • Comment number 9.

    @7 and 8,
    All good points, however, having worked in tech support before, I can assure you that half the problem here is that those most likely to get caught out by these scams are people who don't understand what an operating system is, or an email client, or a web browser, and have no clue what a URL or IP address is. To them, they click the blue-circular button for the internet, and the envelope for email. They certainly don't have a clue how to set up their email client to disable HTML.

    Therein lies the problem - too many clueless people on the internet. While some will benefit from education - an ECDL course or something similar may at least vaguely help them get up to speed, many of them are too far beyond help, and ought to be banned from the internet for their own financial safety.

  • Comment number 10.

    "9. At 5:08pm on 09 Oct 2009, IRcutekitten wrote:

    @7 and 8,
    All good points, however, having worked in tech support before, I can assure you that half the problem here is that those most likely to get caught out by these scams are people who don't understand what an operating system is, or an email client, or a web browser, and have no clue what a URL or IP address is. To them, they click the blue-circular button for the internet, and the envelope for email. They certainly don't have a clue how to set up their email client to disable HTML.

    Therein lies the problem - too many clueless people on the internet. While some will benefit from education - an ECDL course or something similar may at least vaguely help them get up to speed, many of them are too far beyond help, and ought to be banned from the internet for their own financial safety."

    Couldn't agree more.

    And if the FBI are falling for "phishing scams" then one has to wonder about the credibility of the FBI.

    I for one am sick of seeing such scams put into practice; if people took the time to learn a bit more about computing they would hopefully be a little wiser and take the proper measures, thus stopping the large majority of such scams in their tracks.

    The majority of scams rely on people's gullibility, and the fact they affect so many speaks volumes about our society...

  • Comment number 11.

    Apart from the 419 scams where there is a separate money transfer where the punter actively engages in being scammed, in almost every other case of online fraud, there needs to be a direct relationship between the victim's bank and the scammer's bank. Educating the semi IT literate is almost certainly too much of a challenge, but focusing on the banks, perhaps using better IT to manage patterns or, horror of horrors, engaging and working with their customers would certainly eliminate a lot of fraud. Also pressing the banks to not deal with scammy operators.

    If I am taken in by a boiler room scam, that scammer would need a bank account, card processing, perhaps even an 0800 number! In being taken in by the fraud, I would then rely on my bank transferring large amounts of money (an extraordinary activity) to a dodgy account. Of course the banks will say this is just not possible to manage, but if I go to my bank and try to change £200 into foreign currency I will be questioned and perhaps the transfer will be refused; contrarily, if I (or somebody purporting to be me) set up a transfer of all my money to an account in Russia, it is likely to succeed!

  • Comment number 12.

    If it looks too good to be true it probably is. If people want your details, they don't know you. Don't give them your bank account.

  • Comment number 13.

    Let's not forget, phishing is not just a phenomenon affecting email, it also includes a whole raft of 'social engineering' which can be used to collect personal information. Banks for instance, still make unsolicited calls to customers from call centres and open the conversation with 'for security purposes, can you tell us xxx personal information'. Generally people seem to respond, especially to banks, by providing information but what if the call is not actually from a bank? The victim has now handed over information which could be used by the unscrupulous to build up a dossier which could then be used elsewhere including emails. I personally always to give out such information on calls which I have not initiated, but of course, this does not go down well with banks. Until we can change the practices of banks, what hope have we of changing people's hearts and minds to deal with email phishing?

  • Comment number 14.

    As a timely postscript to my original post which should have said "I personally always refuse to give out such information", I had a call from a bank this evening in which the usual information was requested. What made this one so interesting was just how angry the woman from the call centre sounded when I asked for a number to call back to (which verified on the internet). In this information age, banks really need to give some thought to

  • Comment number 15.

    Phnuff, good idea that when you get a phone call from a 'bank' asking you to confirm some personal details, getting a confirmed number to call them back to be safe. If they are genuine they won't mind (although chances are that they were phoning to offer you a 'great' promotional deal they currently have on for loans/credit cards/cheese etc)

  • Comment number 16.

    The biggest problem is that Paypal and Banks etc. don't digitally sign their e-mails, so you can't tell the difference between real messages and fakes, except by carefully examining the content yourself and looking for clues.

    Sometimes the genuine messages have clues in them that make you think they probably aren't genuine - e.g. I've seen messages from banks that have linked to marketing companies that count the number of times a link is clicked on, rather than linking directly to the bank.

  • Comment number 17.

    A public service campaign about personal computer security would be a great way to teach security fundamentals that are immediately useful to everyone. Celebrities could give sound bites like "... this is how I got phished..." or testimonials from a public figure could be used to help underscore the widespread reach and primary methods of computer attacks. Detailed information about how to improve web and online surfing security from security experts can educate people about how to develop a security protocol. The basic points that are worthwhile to share with friends and family about computer security include; 1) Keeping computers scanned for parasites; and 2) Changing social network login and online email passwords frequently.

  • Comment number 18.

    @Kite09 - So you bank with Alliance & Leicester then? Don't go trying to pass off systems that are already in place as your own idea! It just makes you look stupid.

  • Comment number 19.

    Did I say it was my own idea?

  • Comment number 20.

    I don't have internet banking, so I can be certain that any phishing emails are phishing. But surely if my bank wanted to get in touch with me they would either write a letter or put a message on the screen once I had logged in. One thing they wouldn't do is send an email!

    Perhaps banks should put a large message on their landing page saying that they don't send emails, and if it looks like they have then it's a fake. Would that make any difference in educating users?

    On the rare occasion when I have answered a phone call which was probably from a bank (0845 numbers go to the answerphone usually) I've never confirmed any details. I explain to the person on the other end that I've no idea who they are and I won't give any personal information to them, whereupon they do get quite cross. All good fun.

    Andrew

  • Comment number 21.

    Kite09 you wrote, 'I had an idea for an extra layer of protection' - of course you were trying to pass it off as your own idea. Keep digging.
