02. What are scams and phishing?
Scam emails come in many shapes and sizes. For example, an email we received at CHOICE supposedly came from a manager in the international branch of the Bank of China in Kuala Lumpur, Malaysia, with a business proposition valued at US$60,000,000.
Apart from the obviously ludicrous nature of the email (if it sounds too good to be true, it is), the ‘Reply’ address (not the ‘From’ address), which in some email clients you can see just by highlighting the From address with your mouse, didn’t belong to a real bank (see Spoofing, below, for more on this).
Then there are the Nigerian 419 scams, which supposedly come from the Governor of a Central Bank in Nigeria. The ‘419’ refers to the section of Nigeria’s Criminal Code which outlaws the practice, although these emails can come from anywhere in the world. They ask you to pay money, such as fees or taxes, or to give your bank account details to help them transfer large sums of money. In return, you are promised a large share of the money.
There are, however, more plausible-sounding scams — fake lottery scams tempt you into sending money or your personal details to claim your winnings, while an up-front payment scam asks you to provide bank account details or pay fees to gain access to whatever the scammer is offering. For example:
- Employment scams trick you into paying an up-front fee for a business plan or materials that never arrive or are worth nothing.
- Credit card scams try to trick you into giving your credit card details.
- Dating scam emails from lonely Russian or Eastern European girls try to entice you to write back and pay to use the scammer’s fake dating website.
Phishing emails purport to be from banks, online payment services and other financial institutions and warn you about supposedly expired passwords, accounts that need updating and security breaches.
Kathryn Kerr, manager of Analysis and Assessments at AusCERT, the Australian Computer Emergency Response Team, says “Popular phishing involves trying to capture the usernames and passwords from online banking customers.” Phishing attacks might also impersonate the Australian Tax Office (ATO) around tax time, while others try to capture your credit card information or impersonate universities to try to capture your email username and password. They may also purportedly come from a site you could have used previously, such as PayPal, eBay or Western Union.
The purpose of a phishing email is usually to lure you to a fake website to enter personal details, like bank account numbers, passwords or credit card numbers. The website is made to look like the authentic site to convince users that the request is legitimate. If you enter your details, they are captured by the website and can be sold and used by criminals in identity theft. If this happens, you could find your credit card being used without your knowledge, and the criminals may even gain access to your online bank accounts to withdraw funds or use the account to launder money.
Sadly, there is a plethora of phishing attacks. The domain name renewal scam sends an invoice for the registration or renewal of a domain name with a link to a fake site aimed at capturing your domain login and password. You can spot these because the domain name listed is similar to your real domain name but may have a different ending, or the domain name may be correct but the letter is not from the company that registered your domain.
Emails with free offers use dodgy websites that require you to provide credit card, bank account or other personal details, or they require you to pay an up-front fee to claim your ‘free’ prize or product. Cheap online shopping scam emails try to dupe you by selling products very cheaply so they can capture credit card or bank account details. Emails with links to online pharmacies offering drugs and medicine at very cheap prices, or without the need for a doctor’s prescription, are set up to steal credit card details.
And if that wasn't bad enough, if you follow these links, you may also inadvertently download malware, like viruses, Trojans or spyware. Scammers can use spyware, for example, to see what you are doing on your computer. Recently there has been a wave of spam emails with links to fake news or celebrity sites. Once on the fake website, you are asked to download a program, such as ‘Flash Player’, to view images or video and this actually contains viruses or Trojans.
Some fake sites may also contain files with a malicious program called a keylogger which captures your keyboard strokes, including any typed information such as bank login details, email addresses and passwords. It can send your personal information to an external site or email address that has been created by the criminals to use the details for nefarious purposes such as money laundering, credit card fraud or identity theft.
Spoofing is where an email or website address that appears in an email program or on a website actually links to a different address from the one you see. For example, you may get a phishing email ostensibly from Westpac telling you to click on a link to ‘validate’ your account. The link might look legitimate, such as www.westpac.com.au. However, if you highlight the link with your mouse, any good email client or web browser will show the real link it points to in the program’s status bar.
This will not be the legitimate site (it can’t be: for example, only Westpac owns www.westpac.com.au), although it may still be worded to sound or look similar. If you get an email like this and the address is being spoofed, it is a phishing email and should be deleted.
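The two tell-tale signs described above (a ‘Reply’ address that doesn’t match the sender, and a link whose visible text is not where it really goes) can be checked automatically. The following is an added example in Python, not code from the CHOICE article; the sample message and every hostname in it are constructed for illustration.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (hostnames made up): Reply-To differs from From, and
# the link text shows a bank address while the href points somewhere else.
SAMPLE_EMAIL = """\
From: Westpac Online <alerts@westpac.com.au>
Reply-To: verify@example-lookalike.net
Content-Type: text/html

<p>Please visit <a href="http://example-lookalike.net/login">www.westpac.com.au</a></p>
"""

class LinkParser(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(value):
    # Lower-cased hostname of a URL, or of bare text such as 'www.bank.com.au'.
    return (urlparse(value if "://" in value else "http://" + value).hostname or "").lower()

def phishing_indicators(raw):
    """Return warnings for header and link mismatches in one raw email message."""
    msg = email.message_from_string(raw, policy=policy.default)
    warnings = []
    from_dom = msg["From"].addresses[0].domain.lower() if msg["From"] else ""
    reply_dom = msg["Reply-To"].addresses[0].domain.lower() if msg["Reply-To"] else ""
    if reply_dom and reply_dom != from_dom:
        warnings.append(f"Reply-To domain {reply_dom!r} differs from From domain {from_dom!r}")
    body = msg.get_body(preferencelist=("html",))
    parser = LinkParser()
    parser.feed(body.get_content() if body else "")
    for href, text in parser.links:
        # Only compare when the visible link text itself looks like a web address.
        if text.startswith(("http", "www.")) and host_of(text) != host_of(href):
            warnings.append(f"link text {text!r} actually points to {host_of(href)!r}")
    return warnings
```

A mail client that surfaces these two warnings gives the reader the same information the article suggests finding by hand with the mouse.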