Is There Anything Left to Phish? Fake Wells Fargo Credit Card Authorization Notification

I hate phishing. Not only has it cost the world's financial institutions tens of millions in fraud losses, it's just about killed the email channel in terms of getting your customer's attention in a timely fashion, and it's diverted management's attention from much-needed online marketing improvements. That's much worse than the actual fraud losses. 

Like most people with widely published email addresses, I get a half-dozen phishing messages every day (note 1). I rarely give them a second look unless they purport to be from my bank. Almost all of them are placed in the junk folder by Outlook, one of the nicer services of Microsoft Office.

Phishers have to be much more creative these days. The time has passed when a few paragraphs of broken English and the bank's logo could net the fraudsters a few extra coins. Now I get fake emails asking me to verify my security settings, authorize account changes, or claim a sweepstakes prize.

Wells Fargo credit card authorization phish (inset)

For example, today I received a fake credit card authorization request from Wells Fargo (see inset). I'm not sure why it prompted a blog entry. Maybe because I use a Wells card, or maybe because I've been talking to mobile banking execs about this very subject. But the fake was good enough to force me to take a closer look. The biggest clue is the wrong format for the USD charge, using a comma instead of a decimal point between the dollars and cents. But otherwise it's pretty good, and may even net a few card numbers before it's taken down.

Analysis
I am optimistic that email can still be effective if financial institutions clearly personalize their messages (see samples here and here). However, gaining customer trust back, especially for security-related messages, is a long-term project. That's why we are telling financial institutions to invest in RSS/XML feeds (Online Banking Report #135/136) and/or mobile banking (Online Banking Report #138/139) in order to reach their customers in a way that is less prone to fraud, at least for now.

Notes:

1. A great online repository of phishing examples is housed at MillerSmiles.co.uk

2. There's a whole book on phishing; click on the cover above to go to Amazon's description of the title.

Phishers Use Craigslist to Stay Ahead of the Curve

Criminal minds are usually the most fertile. Just how fertile was displayed last week, when a phisher actually advertised for victims on Craigslist, the popular classified ads web site.

The ad, posted at 7:00 AM on April 26, asked Bank of America customers to send the poster their account and telephone numbers, in return for which he or she promised to deposit $1,000 per day into their accounts. The victims were supposed to take 15 percent for themselves, and immediately forward the balance to another Bank of America account. The poster couldn’t do it him/herself, they said, because they were currently in New Zealand.

We stumbled across the ad at 9:00 AM and immediately forwarded it to Craigslist, which removed it within an hour. We also informed Bank of America, which later said it was aware of the scam. Bank of America’s response led to the obvious inference that the scamster had been active earlier, since the ad had been posted on Craigslist for only two hours, but it—and Craigslist—declined to explain the apparent discrepancy in the time line.

The Federal Bureau of Investigation, which likewise declined to respond specifically to the event, said the ad was a new version of the old “freight forwarder” con game, in which the victim is asked to receive payments and forward them and then, after a few successful transactions, is asked to cash a check for more than the usual amount, and refund the balance. If they’re successful, the crook predictably vanishes. The scam also has much in common with the—by now—hoary Nigerian scam, in which someone posing as a Nigerian lawyer or government official emails the mark for help smuggling enormous amounts of money out of that country.

The scam breaks new ground, says Avivah Litan, vice president and research director at Gartner Inc. “I’ve never heard of this—it’s very clever social engineering,” she says. “I doubt that BofA knew about it—they just want to seem like they’re on top of things.”

At a minimum, the scam should get a prize for sheer brass, not to mention minimum effort. Typically, a phishing scam involves a skillfully crafted and apparently genuine email from a bank or popular e-commerce site, and an equally well-designed, fake website in which the unwary enter their account information. In this case, the scamster just posted an ad, hoping to snag one or two victims before the ad was spotted and taken down.

In this case, whether the perpetrator succeeded is unknown, but the Craigslist ad is very similar to scams commonly found on job want-ad sites like Monster.com. “The jobs boards are filled with these things, and the FBI is constantly having to trace them back to the sender, but this is the first report I’ve heard about a Craigslist ad,” says Peter Cassidy, secretary general of the Anti-Phishing Working Group.

Cassidy says this is a new wrinkle in the game. “It’s phishing, but not the usual retail phishing, where they’re looking for your banking credentials—it’s definitely a new hybrid,” he says.

And, he adds, he’s unsurprised. “People are putting up things like deceptive software that infect your computer and call it freeware or games. Why should we be surprised that people are putting up deceptive ads in order to phish people?”

For the record, we post the ad below, complete with misspellings.

Reply to: job-154729485@craigslist.org
Date: 2006-04-26, 7:09AM EDT
We´re an e-gold exchanging team. I own a website, and I`m looking for Bank of America customers, as i'm an account holder as well, I´m able to transfer UPFRONT to your account, daily amounts of $1000. All you have to do is withdraw and send to one of our exchangers. Remember that you get to keep 15% for yourself.If you are wondering why I can´t do it myself, it is simply due to my current unavailability; I`m in New Zealand visiting with relatives, and that´s why I´ll need your assistance.

As I am going to send upfront, I´ll need some things, such as:

– You must own this account for at least 3 months (I call to verify)
– You must suply a land line phone #
– You must be from USA and you´re not allowed to use a third party.
– The amounts should be sent within 24 hours, delays will not be tolerated.

You may also be wondering:

– What information do you need to transfer the amount into my account!?

I´ll need only the following information: Account holder #, last name and zip code, ONLY

– Is there any possibility of having my account hijacked with performing such activity!?
Absolutely not, it´s a typical transaction between bank of america accounts, and you can make sure about that calling up bank of america customer service with these questions, or simply using your bank online referring to transfer and if you notice, they will require the information I previously requested to.

a.. Compensation: You´ll receive 15% from all amounts. Up to 65k annually, your weekly share will be $1800.
54729485
——————————————————————————
(Contact: Craigslist, 415-566-6394; Bank of America, 415-622-6367; Federal Bureau of Investigation, 202-324-3000; Gartner Inc., Avivah Litan, 301-610-7482; Anti-Phishing Working Group, Peter Cassidy, 617-491-2952)

Everbank Goes on the Offensive Against Latest Phishing Scheme

If you are a smaller bank or credit union and are phished for the first time, you might consider the approach Everbank took in response to a phishing incident today.

The bank took the unusual step of sending an email to its customers warning them about the fraudulent email (click on the screenshot below for a closeup). They even included a copy of the phishing message at the bottom of the warning. The bank also posted a small red-outlined box on its homepage (see inset) with a link to the same email message.

Analysis
Although it may seem futile to send an email warning about a fake email, we think it’s a good idea if the phishing episodes are infrequent. The big targets such as Citibank or PayPal can’t do this, not with dozens of attacks every month; however, smaller companies should consider proactive email communications, but no more than a few times per year, otherwise customers won’t pay any attention.

Most users will realize the Everbank response is genuine, because it doesn’t ask for any customer information, especially when they compare it to the fake message at the bottom of the screen.

Yes, some customers will be even more confused. But hopefully their calls to customer service will provide you with a chance to put them at ease. There are costs associated with these anti-fraud efforts, but that’s part of the trust involved in being in the banking business.

JB

Phishing Awareness Less Than 30%

We’ve warned against using too many scare tactics on your website (see OBR 119, Marketing Security). Here’s data to support that argument.

The latest Pew Internet Project survey (PDF) found that more than 70% of Internet users had either never heard of the term Internet phishing (15%) or were unsure of its meaning (55%), leaving just 29% who said they had, "a pretty good idea of what the term meant." In comparison, 88% of Internet users had a pretty good idea of what Spam meant, 78% knew Firewall and also Spyware, while 68% understood Internet cookies, and even 52% knew Adware.

JB

Ebay Toolbar Provides Phishing Defense


We’ve been a proponent of increasing your presence on the desktop through browser toolbars, pushed content, and other means. We were looking at it from a usability and marketing standpoint. It turns out there’s another use, as a security enhancement.


Leave it to eBay to come up with the first proactive anti-phishing system. Ebay toolbar users received the Account Guard upgrade in February. It has two functions. First, whenever a user visits a valid eBay URL, the background color of the account-alert section of the toolbar changes to green. It’s a subtle but effective technique – quite noticeable when a spot on the top browser controls suddenly changes color, and much more effective than a locked or unlocked padlock in the lower corner. Second, an optional feature launches an alert box whenever you type your eBay username into a non-eBay URL.
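Added example, not eBay's own Account Guard code: the two checks the toolbar is described as making, written as plain JavaScript. The trusted-domain list, the sample URLs and the "buyer42" username are constructed for illustration; the point is that a valid-URL test must match the registered domain or a subdomain of it, never a substring, or look-alike hosts pass.

```javascript
// Constructed allowlist of registered eBay domains (assumption, not eBay's list).
const TRUSTED_DOMAINS = ["ebay.com", "ebay.co.uk"];

// True only when the URL's host is a trusted domain or a subdomain of one.
// A substring test ("does the host contain ebay.com?") is the classic mistake:
// "www.ebay.com.account-verify.example" and "signin-ebay.com" both contain it.
function isTrustedUrl(rawUrl, trusted = TRUSTED_DOMAINS) {
  let url;
  try {
    url = new URL(rawUrl);            // WHATWG parser lowercases the hostname
  } catch {
    return false;                     // unparsable location is never "green"
  }
  const host = url.hostname.replace(/\.$/, ""); // drop a trailing dot
  return trusted.some((d) => host === d || host.endsWith("." + d));
}

// First function: colour of the account-alert section of the toolbar.
function accountGuardColor(rawUrl) {
  return isTrustedUrl(rawUrl) ? "green" : "grey";
}

// Second function: warn when the user's eBay ID is typed into a form on a
// page that is not a trusted eBay URL. Returns the alert text, or null.
function usernameAlert(pageUrl, typedValue, ebayUsername) {
  if (typedValue.trim().toLowerCase() !== ebayUsername.toLowerCase()) {
    return null;                      // not the protected credential
  }
  if (isTrustedUrl(pageUrl)) {
    return null;                      // genuine eBay page, no alert
  }
  let where = pageUrl;
  try { where = new URL(pageUrl).hostname; } catch { /* keep raw string */ }
  return `Warning: you are entering your eBay user ID on ${where}, which is not an eBay site.`;
}

// Constructed sample locations for a quick self-check.
const SAMPLES = [
  "https://signin.ebay.com/ws/eBayISAPI.dll",
  "https://www.ebay.co.uk/",
  "https://www.ebay.com.account-verify.example/",
  "https://signin-ebay.com/",
  "not a url",
];
for (const s of SAMPLES) {
  console.log(accountGuardColor(s).padEnd(5), s);
}
```

The toolbar check only sees the browser's current location, which is why, as noted below, it cannot help with a form embedded directly in an HTML email.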

It’s not a foolproof system. It only protects against browser-based phishing. It wouldn’t guard against phishing attacks that ask users to update their account within the body of a phony HTML email. We’ve also heard that it’s possible to spoof the toolbar itself, pasting a phony one at the top of a fake browser.