I’ve just received the most believable phishing scam sent to my inbox to date. It’s still suspicious to ninety-nine per cent of users, perhaps, but these things are certainly starting to look more believable.
For those who don’t know what phishing is: you should. It’s when someone purporting to be a trusted organisation or person (a bank, say) contacts you, usually by e-mail, and tricks you into handing over your details. The message will usually claim that your account information needs updating, and will usually convey a sense of urgency.
Before clicking on that link, here are a couple of important things to remember:
- If in doubt, go to the bank’s website directly: open your browser and type the bank’s web address into the address bar yourself, rather than following the link in the e-mail. You could also phone the bank or go in person.
- These messages usually try to instil a sense of urgency, with dire warnings such as “YOUR ACCOUNT WILL BE STOPPED IF YOU DO NOT VERIFY YOUR ACCOUNT”.
- If someone purporting to be from a bank (or purporting to be a bank) e-mails you, be suspicious by default. Even if you trust the organisation and hold an account there, phishing scams are sent out to thousands and thousands of people at a time, in the hope that some of them bank there and will fall for it.
- Remember, banks will NEVER e-mail you asking for confidential information. They will almost always write to you by ordinary post, or phone you and ask you to call them back.
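The "look at the link before you click it" advice above can be turned into a mechanical check. The following is an added example, not code from the original post: it pulls every link out of an HTML e-mail body, compares where each link actually goes with the domain its visible text claims, and flags the urgency phrases the list above describes. The e-mail body, the look-alike domain natwest-secure-login.example and the list of trusted domains are all constructed for the example.

```python
"""Added example: flag suspicious links and urgency language in an HTML e-mail.

Everything below (the sample message, the look-alike domain and the trusted
domain list) is constructed for illustration, not taken from a real e-mail.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample body; natwest-secure-login.example is a hypothetical
# look-alike host, natwest.com is the bank's genuine domain.
SAMPLE_EMAIL_HTML = """
<p>Dear customer,</p>
<p>As part of our enhanced security measures, YOUR ACCOUNT WILL BE STOPPED IF
YOU DO NOT VERIFY YOUR ACCOUNT within 24 hours.</p>
<p>Please <a href="http://natwest-secure-login.example/verify.php?id=1234">
log in to www.natwest.com</a> to confirm your details.</p>
<p><a href="https://www.natwest.com/">Visit our website</a></p>
"""

# Assumed allow-list of domains the bank really uses (an assumption for the example).
TRUSTED_DOMAINS = {"natwest.com"}

# Phrases typical of the "act now or else" pressure phishing relies on.
URGENCY_PHRASES = ("will be stopped", "verify your account", "within 24 hours", "immediately")


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            visible = " ".join("".join(self._text).split())
            self.links.append((self._href, visible))
            self._href = None


def registrable_domain(host):
    """Naive registrable domain: the last two labels of the host name.

    Good enough for this example; a production check should consult the
    Public Suffix List so that a host under co.uk is not reduced to 'co.uk'.
    """
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def analyse_email(html, trusted_domains=TRUSTED_DOMAINS):
    """Return a list of human-readable findings; an empty list means nothing was flagged."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = (urlparse(href).hostname or "").lower()
        domain = registrable_domain(host)
        # A link whose real destination is not a domain the bank owns.
        if domain not in trusted_domains:
            findings.append(f"link to untrusted host {host!r} (text: {text!r})")
        # Visible text that names one domain while the href goes to another.
        shown = re.search(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", text.lower())
        if shown and registrable_domain(shown.group(1)) != domain:
            findings.append(f"visible text says {shown.group(1)!r} but link goes to {host!r}")
    # Strip tags crudely and look for pressure language in what remains.
    text_only = re.sub(r"<[^>]+>", " ", html).lower()
    for phrase in URGENCY_PHRASES:
        if phrase in text_only:
            findings.append(f"urgency language: {phrase!r}")
    return findings


def is_suspicious(html, trusted_domains=TRUSTED_DOMAINS):
    """True if analyse_email flagged anything at all."""
    return bool(analyse_email(html, trusted_domains))


if __name__ == "__main__":
    for finding in analyse_email(SAMPLE_EMAIL_HTML):
        print("-", finding)
```

Run it and the constructed message is flagged three ways: the link's real host is not one the bank owns, the link's text names www.natwest.com while the href points elsewhere, and the body carries "will be stopped", "verify your account" and "within 24 hours". The domain comparison is deliberately simple (last two labels), so extend it with the Public Suffix List before relying on it for anything under a multi-label suffix such as co.uk.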
With that out of the way, here’s the e-mail:
Note that Mac OS X Mail didn’t render this as HTML, but other e-mail clients may well do so, adding to the realism.
The text talks about ‘enhanced security measures’, which are, in fact, real, and that is what makes the lure plausible: more and more banks have started giving you the option of a Chip and PIN machine connected to your PC, to add an extra layer of security to online transactions.
However, the website this links to looks incredibly realistic by phishing standards: it matches NatWest’s real site relatively well, and could certainly fool the novice computer user.
Note: I seriously discourage anyone from following the link in a phishing e-mail. It can do all sorts of things, such as fiddle with your browser, and worse. I was going in because I wanted to demonstrate what a phishing site would look like, and because I was using a secure web browser (Safari).
Of course, there are ways to just irritate the phishers using this page.
As soon as our hypothetical gullible computer user has entered an account number, the site asks for a PIN and password. Alarm bells should be ringing by now: this e-mail arrived out of the blue, and it has sent you to a site that is now asking for your password and PIN.
If the user is gullible enough to enter that information, the site next asks for - wait for it - THE DEBIT CARD NUMBER. Anyone with half a brain should realise that the bank already has your debit card number; it has no reason to ask for it when you log in.
After this, quite cleverly, the phishing page redirects to NatWest’s real latest-offers page, having captured Joe Gullible’s personal information, so the victim ends up on a genuine NatWest page and has little reason to suspect anything. That information will now be sold on a seedy website somewhere for around £8 (around US$15).
So, the moral of the story? Don’t believe everything you receive in an e-mail. Simple as.