Online Phishing Scams Get Personal, Experts Caution
In a new phishing trend, spammers are focusing on individualized attacks. Recipients may be deceived into thinking the message is from a friend, but these spammers want access to their credit card accounts.
Phishing is a common scamming practice that involves emailing users under false pretenses with the aim of tricking them into revealing their private information.
The emails feature the recipients' names in the subject lines, claim to have seen them at Starbucks, and ask them to click on a link to view photos. Don't click. This is a scam. Those that take the bait may be exposed to objectionable material, incur unauthorized charges to their banking account, and may fall victim to identity theft.
Samir Patil, threat analyst for Internet security firm Symantec told TechNewsDaily, "With this tactic the phishing message is tweaked slightly to give a personalized look. The email message contains the name of the user in the email salutation. The URL provided in the message actually directs the user to the phishing website."
Here's a sample of what's circulating:
From: Jen Ward
Subject line: Hey John
Sign up for the Live Science daily newsletter now
Get the world’s most fascinating discoveries delivered straight to your inbox.
Message: How's it going John. Could have sworn I saw you at Starbucks. Anyway can u just look over here to see it, http://bit.ly/XXXXXX [The numbers and letters have been replaced with "X" for readers' protection.]
The link took John to an e-card site with a message that says she has a crush on him and asks him to proceed to another site where her "risqué" pictures are located. She warns him a credit or debit card may be necessary to establish his age, but the site itself is free. The bait is set, and if John proceeds, he may become a victim of identity theft. McAfee Site Advisor has not released a rating on this site, but users have posted they have been unable to cancel recurring charges of $39.95 to their credit cards each month.
One reason personalized email scams are effective is because people are deluged with email. According to technology market research firm The Radicati Group, Inc., worldwide email traffic totaled 247 billion messages per day in 2009. By 2013, this figure will more than double to 507 billion messages per day. According to Symantec's May 2010 State of Spam & Phishing Report, 89 percent of all April email traffic was spam and 17 percent of spam were phishing schemes, up 33 percent over March.
While it may be easy to avoid taking the bait from old school scammers like "click for your free iPod", many people have been tricked into thinking the message and directive is from someone they should know and trust.
Scammers may also use legitimate link shortener services like bit.ly and tiny.url to disguise the nefarious link. Link shorteners have become popular with the rise of microblogging sites like Twitter where posts are limited to 140 characters. Long links can be converted to 25 characters leaving more room for the rest of the message. The downside is that the link's destination is hidden in the process. Disguising the ill-intentioned link works to the advantage of the scammer in these types of schemes. There is no need to shorten a link in an email.
To avoid being taken in by personalized email scams, do not click on links that have been disguised, do not provide credit card or other personal information in response to the sender or on a form or a linked site.
Also, do not reply to spam emails, as replies often automatically generate more spam.