
Don’t get caught in a spear phishing scheme

The FBI is warning consumers about a new twist on identity theft they call “spear phishing.”

According to an FBI press release, customers of a telecommunications firm recently received an e-mail explaining a problem with their latest order. The customers were asked to go to the company Web site by using a link in the e-mail, and then were to provide personal information such as their birth dates and Social Security numbers.

But both the e-mail and the Web site were bogus. (The FBI did not provide the name of the real telecommunications firm whose name was used in the scam attempt.)

As in most “phishing” scams, the scammer was trying to trick potential victims into revealing personal information that can be used in identity theft. This version used official-looking e-mails to lure victims to fake, copycat Web sites, where they would be tricked into providing personal information.

“Spear phishing” is slightly different from most of these scams because instead of sending out random e-mails, the scammer targets select groups of people who have something in common. Targeted consumers might work at the same company, use the same bank, attend the same college, or buy merchandise from the same online company. The e-mails are made to look as if they were really sent from organizations or people that send legitimate e-mails to the potential victims, thereby increasing the likelihood that the victim will be tricked into complying.

According to the FBI, spear phishing has several steps. First, criminals need some inside information on their targets to convince them the e-mails are legitimate. They often obtain it by hacking into an organization’s computer network, which is what happened in the above example. Sometimes, they acquire the information by combing through other Web sites, blogs, and social networking sites.

Next, they send realistic (but fraudulent) e-mails to the targeted victims, offering all sorts of urgent and legitimate-sounding explanations as to why they need the person’s personal information.

The e-mail directs victims to click on a link inside the e-mail that takes them to a phony but realistic-looking Web site. There, they are asked to provide information such as passwords, account numbers, user IDs, access codes, PINs, and other identifying information.

Once criminals have personal data, they can access the person’s bank accounts, use their credit cards, and create a whole new identity using the person’s information.

Spear phishing also can trick victims into downloading malicious code, or malware, by getting them to click on a link embedded in the e-mail. This is an especially useful tool in crimes like economic espionage, where sensitive internal communications can be accessed and trade secrets stolen, according to the FBI.

Malware can also hijack computers and organize them into enormous networks called botnets that can be used for “denial of service” attacks.

A scammer sent a timely e-mail to a Daily Journal reporter while she was writing this scam alert.

  “Dear member, We have encountered fraudulent activities on a number of 1st Financial Federal Credit Union on-line banking accounts,” the e-mail began. “A fundamental element of safeguarding your confidential information is to provide protection against unauthorized access or use of this information. We maintain physical, electronic and procedural safeguards that comply with federal guidelines to guard your sensitive information against unauthorized access. For your protection, we have limited your access, until additional security measures can be completed. We apologize for any inconvenience this may cause. Please restore your access as soon as possible! To restore your access please follow the link below…”

The link led to a copycat Web site that looked identical to the real credit union’s page. The credit union, however, did not send the e-mail. An employee said the financial institution was aware of the e-mails, which are being investigated.

“Unfortunately, phishing has been around for several years,” said Michelle Rosner, vice president of marketing for 1st Financial Federal Credit Union in St. Charles County. “People need to know, we will never ask members to identify or verify any type of message by e-mail, texting or voice mail.

“I always tell our members, ‘Never click on a link. Type in the URL yourself.’”

There are several ways to protect yourself from spear phishing and other Internet scams.

Most companies, banks, agencies and organizations do not request personal information by e-mail. If you have any doubt about the message, call the person or company who supposedly sent the e-mail. However, do not use the number provided in the message. Instead, look it up in the phone book or on correspondence you know is directly from that source.

Use a phishing filter on your computer. Many of the latest web browsers have them built in or offer them as plug-ins. Never follow a link to a secure site from an e-mail — always enter the URL manually.
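The advice above rests on one fact about phishing e-mails: the visible link text and the real link target are two different things, and only the target matters. The following script, an added example written for this page rather than code from the FBI or the credit union, shows how that check is done in practice. It pulls every link out of an HTML e-mail body and flags any whose target host is not the institution's own domain, is a bare IP address, or differs from the host shown in the link text. The sample message and the legitimate domain `example-cu.org` are constructed for illustration and are assumptions, not real addresses.

```python
"""Flag links in an HTML e-mail that should not be clicked.

Added example, not part of the original article. The sample message and
the legitimate domain 'example-cu.org' are constructed for illustration.
"""
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Hypothetical domain of the institution the e-mail claims to come from.
LEGIT_DOMAINS = {"example-cu.org"}

# Constructed phishing message in the style quoted in the article.
SAMPLE_EMAIL = """
<p>Dear member, for your protection we have limited your access.</p>
<p>Please restore your access:
<a href="http://example-cu.org.secure-login.example.net/restore">https://example-cu.org/restore</a></p>
<p>Or visit <a href="http://192.0.2.10/login">our secure site</a></p>
<p>Questions? <a href="https://www.example-cu.org/contact">Contact us</a></p>
"""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host_of(url):
    """Lowercase hostname of a URL, or None if it has none or is malformed."""
    try:
        return (urlsplit(url).hostname or "").lower() or None
    except ValueError:
        return None


def _is_legit(host, legit_domains):
    """True if host is one of the legitimate domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in legit_domains)


def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def check_links(html_body, legit_domains=LEGIT_DOMAINS):
    """Return a list of (href, reason) for every link that fails a check."""
    parser = _LinkCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        if urlsplit(href).scheme not in ("http", "https"):
            continue  # mailto:, tel: etc. are out of scope here
        host = _host_of(href)
        if host is None:
            findings.append((href, "no host in link target"))
            continue
        if _is_ip(host):
            findings.append((href, "link target is a bare IP address"))
        elif not _is_legit(host, legit_domains):
            findings.append((href, f"target host {host} is not under {sorted(legit_domains)}"))
        # Visible text that looks like a URL but resolves to a different host.
        shown = _host_of(text) if re.match(r"^https?://", text) else None
        if shown and shown != host:
            findings.append((href, f"visible text shows {shown} but target is {host}"))
    return findings


if __name__ == "__main__":
    for href, reason in check_links(SAMPLE_EMAIL):
        print(f"DO NOT CLICK {href}: {reason}")
```

Run against the constructed message, the first link is flagged twice (its host is a look-alike subdomain of an unrelated domain, and its visible text claims a different host), the bare-IP link is flagged once, and the genuine `www.example-cu.org` link passes. The domain check is deliberately a suffix match on the registered domain, so `example-cu.org.secure-login.example.net` is not mistaken for `example-cu.org`.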

The Daily Journal has made a commitment to keep readers abreast of scams that hit our area. If someone tries to make you the victim of a scam, call us at 431-2010 and tell us what happened. We will include your story in our scam alert series to prepare others who may find themselves in the same situation. The Daily Journal will run Scam Alert stories in the paper every Monday.
