Don’t Phall for the Phishing Scam
In Lesson 2 of the Identity Security Warriors Academy, I told you the secrets of identifying phishing and spearphishing attacks. What better way to put into practice your new skills than with a real example that just arrived in my inbox only yesterday. Let’s start with the hook.
Emails like this always start with bad news. Like this “Warning! Your PayPal account was limited.” The first indication this is a scam is the email address from PayPal. In this case it’s “email@example.com”. Stop right there. This goes into the trash.
Besides the obvious bad grammar and spelling (which should be major clues), let’s assume this didn’t stop you. The next clue is that PayPal, along with thousands of other real companies, will never ask you to ‘click here’ to confirm your account information.
Nor will they ever ask for a password. When in doubt, go back to a saved bookmark and go to the site yourself. Simply hovering over the URL in the email shows you it’s not a PayPal site. But let’s say this still didn’t stop you,, what’s really happening underneath the hood, so to speak. Not to get too geeky, by by viewing the page source, I can show you the scary part about this.
It’s well known crooks, criminals and thieves will share tools on the Internet. Heck, many times some enterprising criminal will package up this stuff and sell it to other criminals. In this case, this page name is “Scam Pro By Thug-Net-Ever & punisher”.
The Phishing Page
Ok…you’re still not getting the message. Now you click on the link and go to the actual page. Looks pretty simple. Except the real danger is what follows next. The minute you put your real email address and password, they scammers have you. But wait – there’s more.
By giving your credentials, the scammers are pretty sure they get get even more information from you. Enough to steal your identity. So go ahead, put in your information. Right when you get ready to click the ‘Log In’ button, you get a sudden flicker of remorse. “Maybe I shouldn’t click this button” you say to yourself. The scammers have even thought of that.
Now the next obvious clue is that the warning box says the message is from ‘skyline.websitewelcome.com’. I’m pretty sure that’s not PayPal.com. The threat is that if you leave this page, your account may be blocked permanently. Sacré bleu! This cannot stand.
What do I do? If you click ‘Stay On Page’ you are redirected to the next page of the scam. Except the scammers can’t even get that right. So even after all these warning bells, flashing lights and clues that this is a scam you still persist.
Giving Away The Farm
Yes – if you fill out this page you are giving away the farm, your identity, most likely naming rights to your first born child. Why is your mother’s maiden name needed to update a ‘billing’ address? Because it’s used as a security question on numerous other sites you most likely use, like your banking site. How would they know your bank? Because it’s listed in your PayPal account information that you have just given the scammers access to. Successful phishing attack.
Here’s the easy way to find out of this is a scam. Enter a bunch of fake info, along with an incorrect zip code and state. No errors you say? Hmmm – not the case with legitimate sites who use software and error checking against databases on things like zip codes.
Giving Away The Bank
Of course you need to update your credit card information. Besides getting a valid card number and your security code, the scammers also want your SSN – Social Security Number. Of course they do. Their plan to totally take over your identity is nearly complete.
All you have to do is click ‘Continue’ and your journey to the Dark Side will be complete. Oops…Star Wars flashback. So when this is all done, what do you get as a result?
Thanks For Playing The Phishing Game
A Thank You. Thanks for letting us steal your PayPal information, bank account and credit card data, name, address, date of birth, mother’s maiden name, social security number, email address and PayPal password. Whew! I’m tired already of thinking how I’m going to spend your money.
It ends badly. It always does. You bank account is cleaned out, you have 2 mortgages in your name, collection agencies are calling non-stop and all your credit cards get declined. And it all started with just one link.
Stop. Think. Don’t click that link.