Beware of 'phishers'
MUSCAT — A top Omani Internet expert has warned that Internet pop-up scammers
were targeting bank customers around the world and fooling them into revealing
personal account details.
“It is the easiest, newest and cheapest way by making use of the electronic
mail and the Internet to fool people, especially when Internet banking is
widely promoted by every bank.
“It has happened in Australia and I have heard that such scammers were making
their way into the Omani Internet banking scenario,” Tariq Hilal Al Barwani, a
prominent net expert who is now doing his Master’s in Information Technology,
told the Times Business in an e-interview yesterday.
The scamsters’ modus operandi was to use an e-mail to trick the recipient into
revealing his/her critical information.
“It is called ‘phishing’ (pronounced fishing), and is used to define a person
who uses e-mail to deceive the recipient into revealing his/her personal
information. Here, the fisher is the hacker, the bait is the e-mail (the
trick) and the customer is the fish.
“Currently, ‘phishers’ are targeting banks (Internet banking users),” he said.
Tariq, who has been doing research on this topic during his Internet security
course as part of his Master’s Degree in Information Technology in Australia,
said the scamsters used near-foolproof methods to draw unsuspecting bank
customers to reveal their critical information.
“The ones behind this are very smart and clever — I have seen the pop-ups and
they do look quite genuine,” he said.
Tariq also explained how it worked: “An e-mail is sent to a customer, which
appears to have come from a legitimate source (i.e., the bank). The e-mail
looks pretty genuine and official. The colour scheme is just about right and
it carries logos, graphics, letterheads, etc.,” Tariq said.
He also gave an example of how such an e-mail would look: the e-mail would
appear to come from some bank. For example: tech.support@(banksname)-.com.
It would be followed by text intended to draw immediate attention:
“Technical services of the (banksname) are upgrading the software. We
earnestly ask you to visit the following link to confirm your data in order to
avoid blocking of your access: http://www.banksname.com/ This instruction has
been sent to all bank customers from all countries and is obligatory to
follow.”
The (banksname) placeholder in the e-mail’s link would be replaced with the
name of any of the local banks in Muscat that offer an Internet banking
facility.
According to Tariq, there are hordes of such examples, and all look very
professional and real.
What happens when the user clicks on the URL link in the e-mail is that they
are taken to a fake site that fools them into filling out their account
details — account number, credit card numbers, passwords or PIN numbers.
“Hackers or ‘phishers’ hijack the address bar of your Internet browser (be it
the Internet Explorer, Netscape or others) by making it appear that the
customer is visiting the bank’s site, but what actually happens is that it
directs him/her to a fake site that happens to look exactly as his/her
Internet banking site.”
Many customers from four major Australian banks — ANZ, Commonwealth Bank,
National Australia Bank and Westpac — were fooled by such e-mails. “The
e-mails appear and look as though they are coming from the bank, and alert
the customer to the fact that a certain amount of money has been
transferred out of their account. The e-mail provides a link as well. This
link takes the user to a genuine looking bank website where the user is asked
to key and fill in their Internet banking account details. “But, of course,
the site is nothing but a fake one although it is designed to look identical,”
Tariq said.
According to him, all scam and phishing e-mails have the following traits:
- Sender e-mail address: The e-mails would usually be like this:
Bank.operation@(bankname).com. The ‘bank.operation’ could be anything from a
staff name to a department of the bank, but the (bankname.com) will usually
be a faked or forged bank domain address and could even give the names of the
local banks.
- Subject line: It is randomly generated, but specifically to a targeted bank.
Example:
  - urgent information from ‘X’ group (where ‘X’ denotes a bank’s name)
  - notification of transfer from your bank account
  - important security information from ‘X’ (where ‘X’ is the bank’s name)
  - Warning from ‘X’ bank (‘X’ is the bank’s name)
  - Notice to all ‘X’ bank users
- Content of the e-mail: “Phishers use the targeted bank’s images and text
styles (logo, fonts and formatting style) to portray their e-mail as genuine.
The content does not specify your name (the customer’s), but instead
addresses you as a general customer (as it is targeted to all, but not
specifically you).
An example of such an e-mail would be:
“Dear customer,
“Our new security system will help you to avoid frequently fraudulent
transactions and to keep your investments safe.
“For reasons of technical updating, we ask you to confirm online your banking
membership details.
“Please follow the link below and fill out the form: http://www.(banksname).com/logi”
Tariq said that he was aware of users having received such e-mails, which
were disguised as though they were emanating from a local bank. “I have
personally received quite a few from my Omantel account,” he said, citing an
example of an e-mail he had received.
“E-mail address: support@(banksname).com
“Subject: Important fraud alert from (bank’s name).
“I will not be surprised if local banks with Internet banking facility would
not be targeted. Customer oriented banks would by now have already put a
notice on their websites to alert customers,” Tariq said.
The motive of these scamsters was very simple: “To make money. By tricking
users obviously,” Tariq said.
Steps to counter ‘phishing’
Tariq Al Barwani has given users some quick measures to counter the phishing
menace:
- Never entertain e-mails that ask for user accounts. As far as I know, banks
will never send out e-mails asking for your account details. If you are unsure
as to what to do, call the bank and cross-check.
- Do not click on the website links in any e-mails, because what you click is
not necessarily where you will end up going. There’s a way to hack browsers by
hijacking the link. Instead, directly type the link into the Internet browser
address bar. (Note: clicking and typing are two different ways of accessing a
link.)
- Make sure that you use anti-virus, firewall, and adware/spyware programmes
to help alert you to such attacks.
- Review credit card and bank account statements as soon as you receive them
to check if there are any unauthorised charges.
- Do not reply to such e-mails.
- Be careful about opening any attachment or downloading any files from
e-mails you receive, regardless of who sent them.