Brian McGregor's
Articles Archive




Email spoofs - Special Report
by Brian McGregor

Today I’d like to cover spoof emails, also known as phishing in the spoof email trade. Phishing is becoming the accepted generic term for spoof emails and websites. Amazingly, phishing doesn't appear in eBay’s Help.

First, what is Phishing?

Phishing attacks use spoof e-mails (and fraudulent websites) designed to fool recipients into divulging personal financial data such as credit card numbers, account usernames and passwords etc.

The phishers achieve this by making their spoof email look like it's coming from trusted brands, like eBay and PayPal. They also usually convey a sense of urgency in the message. They count on people feeling something of a panic when they get the message, and hope that they reply right away before they have time to think. Messages might include a line like "Your account will be shut down if you don't immediately verify your account information, click on the link below." Other messages suggest that it is suspected your account has been accessed by fraudsters, and you need to log in now to have this checked out.

By hijacking the trusted names of well known online companies, banks, retailers and credit card companies, it appears that phishers are able to convince up to 5% of recipients to respond to them.

Research firm Gartner released a survey estimating that 57 million adults in the US had received a phishing e-mail in the month of May, and that nearly 11 million of those adults had clicked on a bogus phishing link. Of these, it was estimated that 1.8 million had given out personal information.

Here are some examples of recent phishing email attacks, some of which you may have received yourself:

06-Aug-04 - AOL - 'Urgent message from AOL member services'
05-Aug-04 - eBay - 'Billing Issues'
04-Aug-04 - US Bank - 'Confirm your account information'
03-Aug-04 - US Bank - 'Online banking issue'
27-Jul-04 - eBay - 'Update Your Billing Information'
26-Jul-04 - eBay - 'Your account at ebay has been suspended'
23-Jul-04 - US Bank - 'Notification of US Bank Internet Banking'

The Anti-Phishing Working Group (APWG) is an industry coalition working to eliminate the problem of phishing and email spoofing attacks. They record and share information about the problem, and promote the visibility and adoption of industry solutions.

The latest quarterly report from APWG includes the following information:

Unique phishing attacks by targeted companies in the month of May 04:

370 Citibank
293 eBay
167 US Bank
149 PayPal
33 Fleet Bank
21 VISA
17 AOL
17 Lloyds
15 Barclays
12 Westpac
10 Nationwide
9 Halifax
7 Natwest
6 Bank One
6 Chase
6 Earthlink
4 ANZ
3 e-gold
3 HSBC
3 MSN
3 Woolwich
3 Yahoo

You can read this quarterly report yourself. It's only 5 pages long, but it certainly gives a snapshot of the size of the problem.

You can download it from here: http://www.workwinners.com/nlr804.htm

And here is the APWG website: http://www.antiphishing.org

Some advice on how to avoid phishing scams:

a) Be suspicious of any email with urgent requests for personal financial information

b) Be suspicious of any email containing statements designed to invoke urgent action asking for usernames, passwords, credit card numbers, social security numbers, etc.

c) Phisher emails are typically NOT personalised, while valid messages from your bank or e-commerce company will be.

d) Don't use the links contained in a suspected email to get to any web page. Instead, type in the site's web address in your browser, and navigate from there.

e) Avoid filling out forms in email messages that ask for personal financial information.

f) Always ensure that you're using a secure website when submitting credit card or other sensitive information via your Web browser. To make sure you're on a secure Web server, check the beginning of the Web address in your browser's address bar - it should be "https://" rather than just "http://". Also, the yellow padlock icon should appear in the browser's status bar.

g) Consider installing a Web browser tool bar to help protect you from known phishing fraud websites. eBay has a Toolbar with Account Guard. This warns you when you're on a potentially fraudulent (spoof) Web site. It also lets you report such sites to eBay. If eBay verifies that a Web site is fraudulent, the information will automatically be distributed to all other eBay Toolbar members, warning them about the spoof Web site. You can read about eBay Toolbar here: http://pages.ebay.co.uk/ebay_toolbar/

h) Regularly log into your online accounts - don't leave it for as long as a month before you check each account.

i) Regularly check your bank, credit and debit card statements to ensure that all transactions are legitimate. If anything is suspicious, contact your bank and all card issuers.

j) Ensure that your browser is up to date and that security patches are applied. In particular, go to the Microsoft Security home page to determine which software patches you need for your system: http://www.microsoft.com/security/

k) Report phishing or spoof e-mails to the following groups:

Forward the email to reportphishing@antiphishing.com
Forward the whole email to the "abuse" email address at the company that is being spoofed (e.g. spoof@ebay.co.uk)
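
The checks in items a) to f) above, written as a small mail triage script that reports which warning signs a message shows. This is an added example, not part of the original article. The sample message, the word lists and the indicator names are constructed assumptions.

```python
import re
from email import message_from_string
from html.parser import HTMLParser
# Constructed sample message (not a captured email); word lists are illustrative assumptions.
SAMPLE = """\
From: "eBay" <service@example.invalid>
Subject: Billing Issues
Content-Type: text/html; charset="us-ascii"

<html><body><p>Dear eBay member,</p>
<p>Your account will be shut down if you don't immediately verify your
account information, click on the link below.</p>
<a href="http://203.0.113.7/signin">Verify now</a>
<form action="http://203.0.113.7/post"><input name="password"></form></body></html>
"""

URGENCY = re.compile(r"\b(immediately|urgent|suspended|shut down|right away)\b", re.I)
SECRETS = re.compile(r"\b(passwords?|usernames?|credit card|social security|account information)\b", re.I)
GENERIC = re.compile(r"\bdear\s+(\w+\s+)?(member|customer|user)\b", re.I)

class _Markup(HTMLParser):
    def __init__(self):
        super().__init__()
        self.text, self.targets, self.has_form = [], [], False
    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        self.has_form = self.has_form or tag == "form"
        key = {"a": "href", "form": "action"}.get(tag)  # where a click or submit would go
        if key and attrs.get(key):
            self.targets.append(attrs[key])
    def handle_data(self, data):
        self.text.append(data)

def phishing_indicators(raw):
    """Return sorted indicators (advice items a to f) found in a raw email message."""
    msg = message_from_string(raw)
    body = "\n".join(p.get_payload(decode=True).decode("utf-8", "replace")
                     for p in msg.walk() if p.get_content_maintype() == "text")
    page = _Markup()
    page.feed(body)
    text = msg.get("Subject", "") + "\n" + " ".join(page.text)
    checks = {
        "urgent-language": URGENCY.search(text),
        "asks-for-credentials": SECRETS.search(text),
        "generic-greeting": GENERIC.search(text),
        "embedded-form": page.has_form,
        "non-https-target": any(not t.lower().startswith("https://") for t in page.targets),
    }
    return sorted(name for name, hit in checks.items() if hit)
```

An empty result only means none of these particular signs were found; it does not show that a message is genuine.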

eBay has a very good tutorial on detecting spoof emails which you can find here: http://pages.ebay.co.uk/education/spooftutorial/index.html

It's just a pity that all departments in eBay haven't read the spoof tutorial. One of the statements eBay consistently make is that they will never send an email requiring members to click a link within the email to enter their member details. And yet they have recently sent out two such emails relating to free auction days, where members are asked to press a link and then key in their member details. This is exactly the technique used by fraudsters in attempting to illegally extract membership details! eBay have apologised for this, and have ensured that education is being put in place to ensure it doesn't arise again.

Safe trading!



About the Author

Brian McGregor is an internet business creator, consultant and author. He is the author of several books including 'The eBay Formula', an essential guide to selling successfully on eBay. He has also written many articles and is published on the internet and in the printed media. He is also editor of the eBay Auction Newsletter, which you can subscribe to free. For a free ebook on how to use the leverage of eBay to help your business grow, go to http://www.leads-generation.co.uk/lgdl. For full information about Brian, go to his main website http://www.workwinners.com


You can copy and use this article providing it is unchanged and the About the Author profile is also attached unchanged.
