Phishing Scams
New phishing scams are born every day and come in various forms, shapes and qualities. Phishing is the act of impersonating a legitimate business that we are familiar with and in most cases do business with in order to extract personal information from the victims and commit fraud. Some scams are so creative and well done that even an expert eye may not be able to detect them at first sight. Other phishing scams are somewhat easy to detect with some basic risk assessment knowledge. For example, I received the following phishing scam in my email account:
----------------------------------------------------------------
From: BankofAmerica Unauthorized Access (Secure Code: UB05-C0B1-A-1)Online Update
Dear customers,
During our usual security enhancement protocol, we observed multiple login attempt error while login in to your online banking account. We have believed that someone other than you is trying to access your account for security reasons, we have temporarily suspend your account and your access to online banking and will be restricted if you fail to update.
https://www.bankofamerica.com/Control.do?page=corp_bofacom
Bank of America is proud to announce about their new updated secure system We updated our new SSL servers to give our customers a better, fast and secure online banking service.
If you have any questions, please call Electronic Banking Services:
For accounts in California, please call 1-800-792-0808
For accounts in Washington or Idaho, please call 1-866-399-0122
For accounts in all other states, please call 1-800-933-6262
For Small Business customers, please call 1-866-758-5972
Bank of America, Member FDIC. © 2009 Bank of America Corporation. All Rights Reserved
----------------------------------------------------------------
Most people looking at this email message will normally panic and click the link to update as requested. Before I clicked on the link, I thought about what this meant and how I should proceed.
The first thing I did was to open another browser session to visit my online account and see if the account is REALLY suspended. To my satisfaction, the account was active and my account balance appeared normal. Although I felt much better knowing that my money was still there, I started having multiple simultaneous thoughts. I started questioning the authenticity of the message but also started thinking about what if someone actually does get access to our bank accounts online. I decided to further explore the email message and potentially learn a few more things about phishing scams.
As I read the email again a few times, I noticed there were many indicating signs that this email and its underlying message did not come from a legitimate and large business such as the Bank of America. For example, the body of the message included many errors. There are different fonts, spacing issues, no period after a sentence, and there are many other grammatical errors that a large legitimate business would not make. Below are some clear observations that indicate this is one of many phishing scams:
1- First, why would the bank detect unauthorized access during its "usual security enhancement", which is not a continuous detection process? Banks have processes in place to detect suspicious activities regardless of when they occur, especially when addressing multiple unauthorized login attempts,
2- What does "security enhancement protocol" mean anyway? I know this may not make any sense to a person with no security background, but it makes no sense what it is trying to communicate,
3- "we have suspend" is a very basic English grammar error,
4- "multiple login attempt error" instead of errors,
5- "We have believed that someone other than you is trying to access your account" does not make sense in the context of the message,
6- "will be restricted if you fail to update". What will be restricted and what should be updated? Again, banks would normally give clear guidance in such urgent cases, and banks would normally call instead of sending an email, and
7- "their new updated secure system". In this sentence, the message refers to Bank of America as a third party as if the email did not really come from the bank.
After noticing the multitude of errors in the email, I decided to click the link provided in the email and see where it takes me. I don’t suggest that everyone should do this, and in fact I recommend that computer users delete such suspicious emails and deal directly with the banks to resolve potential issues. Knowing that this was one of many phishing scams and that I had updated security software, I decided to explore this adventure. After I clicked the link that was provided in the email message body, my computer security software confirmed this was a phishing scam which is impersonating the bank to obtain my personal information. The software gave me the option to ignore (recommended) or click the link anyway.
After I clicked on the link that was provided in the email message body, the link opened another browser and took me to the following site:
http://motech.ru/tools/contacts/boa-update/boa/index.html
Now, notice that the destination URL has nothing to do with Bank of America. In fact, this phishing scam is so easy to detect that it makes me believe the fraudsters are not novice phishing scammers. The phishing site was asking for card PINs, online account user ID, passcode, and other personal information that could be used to authenticate a consumer’s identity such as mother’s maiden name, security questions and answers.
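The mismatch described above, between the address shown in the message and the site the link actually opens, can be checked automatically. The following is an added example, not part of the original article: the two URLs come from this page, while the `<a>` markup around them and the names `LinkAuditor`, `site` and `mismatched_links` are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample: the article gives only the displayed URL and the real
# destination; the HTML markup wrapping them here is an assumption.
SAMPLE_HTML = (
    '<a href="http://motech.ru/tools/contacts/boa-update/boa/index.html">'
    'https://www.bankofamerica.com/Control.do?page=corp_bofacom</a>'
    '<p>Member FDIC. <a href="https://www.bankofamerica.com/">Home</a></p>'
)

def site(url):
    """Last two host labels: a rough registrable domain (real tools use the Public Suffix List)."""
    host = (urlsplit(url.strip()).hostname or "").lower()
    return ".".join(host.split(".")[-2:])

class LinkAuditor(HTMLParser):
    """Collects (visible text, href) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def mismatched_links(html):
    """Return links whose visible text is a URL on a different site than the href."""
    auditor = LinkAuditor()
    auditor.feed(html)
    findings = []
    for text, href in auditor.links:
        shown = text if "://" in text else "//" + text  # bare "www.x.com/..."
        if "." in text and " " not in text and site(shown) and site(shown) != site(href):
            findings.append({"shown": site(shown), "actual": site(href), "href": href})
    return findings

if __name__ == "__main__":
    for f in mismatched_links(SAMPLE_HTML):
        print(f"link shows {f['shown']} but opens {f['actual']}: {f['href']}")
```

Links whose visible text is not a URL (such as "Home") are skipped, since there is no displayed address to compare against.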
In dealing with urgent banking matters such as this one that require information update and sharing personal information, you should always ascertain that the email comes from a legitimate entity. Call your bank or try to log in to your bank account and see for yourself what may be the issue. Never trust the information in the email, such as the bank’s phone number. Obtain the number from an independent and legitimate source such as the yellow pages or your monthly bank statement.
On the other hand, what if someone really accessed your bank account from the internet? How could you limit your losses? By spreading your balances across multiple accounts while using different passcodes.