Webupon > Security

Phishing Scams and How to Protect Yourself

“Phishing” is an Internet scam that solicits sensitive information by luring unsuspecting victims with emails containing hyperlinks to phony websites disguised as those of legitimate enterprises.

The person initiating the scam, also known as the phisher, sends an email to millions of people. The message is designed to appear to originate from a bank, Internet Service Provider, online auction company, or any other establishment with which the victim might plausibly have regular business dealings.

The message header is spoofed and the entire message is designed to look as official as possible. Its sole purpose is to gather information from the victim that will give the phisher remote access to the victim's finances.

For example, a typical phishing email might claim to come from the potential victim's bank, indicating that his account is overdrawn because of a check the victim never wrote. If the message happens to appear to come from the recipient's own bank, and concerns a serious matter, it easily catches the potential victim's attention.

Typically, such a message urges the potential victim to take action and contains a URL supposedly leading to the bank's website, and often a phone number. The phone number may or may not actually be the bank's, but the website URL is never legitimate, however genuine it appears.

Sometimes the phisher will place the bank's actual phone number in the message in the hope of making it appear more authentic. Other times they will place a different number and have someone waiting for calls from the panicked bank customers who respond.

The person manning that telephone line will ask the caller for an account number, a PIN and any other information that might be useful to the phisher, such as a Social Security number or date of birth.

The phony bank employee will then pretend to solve the problem while the victim is on the phone. In reality, the victim has handed his account information directly to a thief, who can use it to access the victim's bank account and launch other types of financial fraud.

How to Spot Such Scams

The official-looking URL in the email message looks like that of the bank's official website. However, when the user hovers the mouse over it, the hyperlink target that appears does not exactly match the URL displayed in the message. Typically, the phisher replaces the URL with an IP address, or with a domain name spelled very similarly to the bank's domain name.
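As an added illustration of these warning signs (example code, not part of the original article), the following Python script parses the anchors in an HTML email body and flags links whose visible text names a different host than the real target, whose target is a bare IP address, or whose domain closely resembles a known bank domain. The sample email body, the examplebank.com hosts and the 0.85 similarity threshold are assumptions constructed for the example.

```python
import difflib, ipaddress, re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample email body (not a real message); examplebank.com stands in for the bank.
SAMPLE_EMAIL_HTML = """<p>Your account is overdrawn. Verify it at
<a href="http://192.0.2.10/login">https://www.examplebank.com/login</a> or
<a href="http://www.examp1ebank.com/verify">www.examplebank.com</a>.
See our <a href="https://www.examplebank.com/help">Help Center</a>.</p>"""
KNOWN_HOSTS = {"www.examplebank.com", "examplebank.com"}  # assumed: the bank's real hosts
URL_LIKE = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.I)

class LinkCollector(HTMLParser):
    """Collect (href, visible link text) pairs from every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(url):  # a bare "www.x.com" is treated as http://www.x.com
    return (urlparse(url if "://" in url else "http://" + url).hostname or "").lower()

def check_links(html, known_hosts=KNOWN_HOSTS):
    """Return [(href, [reasons])] for links showing one of the warning signs above."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        real, reasons = host_of(href), []
        if URL_LIKE.fullmatch(text) and host_of(text) != real:
            reasons.append("displayed URL does not match the link target")
        try:
            ipaddress.ip_address(real)  # raises ValueError for ordinary hostnames
            reasons.append("link target is a bare IP address")
        except ValueError:
            if real not in known_hosts and any(
                    difflib.SequenceMatcher(None, real, k).ratio() > 0.85 for k in known_hosts):
                reasons.append("look-alike of a known domain")
        if reasons:
            findings.append((href, reasons))
    return findings
```

Running `check_links(SAMPLE_EMAIL_HTML)` flags the first two links and leaves the genuine Help Center link alone.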

The key to avoiding phishing traps is to become knowledgeable about how they work. Other variations of the phish include:

Telling Victims the Last Two Digits of Their Account Numbers

In one type of phishing scheme, phishers send out emails that request sensitive information from the victims. To convince customers that the request is legitimate, the email even includes two digits supposedly being the last two digits of the victim's account number. These digits are generated at random by the phisher, and whether they actually match the victim's account number is entirely left to chance. A random two-digit combination has a one in a hundred chance of being right, so if a phisher sends such an email to one million users, on average 10,000 customers will see an exact match with their own account numbers.

Use of a JavaScript Applet Over the Address Bar in the Browser

In this method, when the victim clicks the hyperlink in the phishing email, the phony website detects the victim's browser settings and then lays a custom JavaScript element over the address bar of the victim's browser. The JavaScript applet is designed to look identical to the address bar it covers, and the bank or credit card company's authentic address is displayed on it. Victims are thus unable to see the phony website's actual address, which might otherwise arouse suspicion because of slight differences from the authentic address.

How to Protect Yourself From Such Scams

Remember that the idea behind a phishing scam is to make the victim panic, frightening him into clicking the link in the email message and then entering his bank account number and password.

So take the time to think it over. Learn to be sceptical of emails asking for your account information. The fact of the matter is that no reputable institution is going to request the kind of information that these phishing messages ask you for.

When you get an email that requests something like that, you have two options. First, you can simply ignore it. The alternative is to contact the institution directly to ask about it. Do not contact them via the Web link or phone number provided; contact them in your usual manner. For instance, you can always type in the proper website address of the company with which you are dealing. Don't take the bait.

Phishing is a problem that is here to stay. As such, there is no foolproof way to eradicate it completely; at best, the hit rate of this crime can be reduced to a minimum through preventive measures. Curtailing phishing successfully, and protecting ourselves from this menace, requires collaboration among authorities, financial institutions and individuals alike.

Comments (1)
#1 by przxqgl, Apr 3, 2008
one way to avoid phishing scams is to not accept mail that is HTML only. most email programs, including yahoo, gmail, hotmail and even aol, have a menu where you can select "Text only" or "HTML formatted" mail. if you choose "Text only" mail that has spoofed URIs or javascript will get rendered as text, and you can see the difference without even having to hover your mouse over links.

text is for email. HTML is for web pages. if you use HTML for email, you're asking for trouble.
© 2007 Copyright Stanza Ltd. All Rights Reserved.