Close call

Last week I nearly got caught in the phishing net. Find out what happened and what you need to know to avoid being trapped..

  • E-Mail
By  Cleona Godinho Published  November 5, 2007

Last week I received an e-mail from Moneybookers.com, an online payment site I started using three months ago. I often receive e-mails from the site after I make a payment or re-charge my account, but this time the message informed me that my account had been credited by a service I use regularly. So what happened next? Read on...

Apart from looking like a legitimate e-mail, Microsoft Outlook 2007 did not flag the e-mail as a phishing mail, which it has done with almost all Paypal and eBay e-mails in the past, so I felt it was safe. Here's an excerpt of the e-mail:
________________________________________
Money Received

Dear Moneybookers customer,
Greetings from moneybookers.com!
We would like to inform you that you have received a payment.
Payment Details
Amount: EUR 56.25
ID: 49573824
Subject: You must use the link below to accept the payment.
Note: https://www.moneybookers.com/accept
Your money is waiting for you: https://www.moneybookers.com. We hope you enjoy your cash.
________________________________________

At first glance the link above looks very safe; it even includes ‘https' in front of the link, which is used to indicate a secure website. So what's the harm in clicking it right? I thought the same but as I was about to click on the link I noticed something very peculiar.

When I held my cursor over the link, the proceeding hyperlink pop-up displayed this address: http://mail.sgp.org.pe/a.html. This link was actually taking me to a domain named sgp.org and not https://www.moneybookers.com.

The link in the e-mail was essentially bait and I was its potential catch of the day. I then searched for the domain in Google and found out that it was an identified phishing site. I must admit that whoever drafted the e-mail knows their stuff. Not only did it look slick, it also included a security reminder at the end of the message, which said to beware of phishing e-mails. Very clever, I must admit.

So what's the moral of the story? First of all, no matter how authentic an e-mail might look, never click on an e-mail link unless it's from someone you know and trust, such as a family friend or co-worker. This is especially important if the e-mail is instructing you to click on a web link to enter sensitive information such as passwords or personal details.

If you feel you have to visit a certain website, type the address directly into your web browser.
Another safety tip is to use a secure browser such as Firefox 2 or Internet Explorer 7, both of which are designed to identify phishing websites. Just a week ago, Abe Olandres was almost duped by a new breed of Gmail phishing scams . Luckily, Firefox 2 immediately detected that the site was a fraud.

In case you're wondering, I don't have a clue what the phishing site they were directing me to looks like and I'm not planning to visit it. I don't suggest you go there either.

I do however recommend clicking here and taking the Phishing IQ test. This rates how good you are at distinguishing real e-mails from ‘phishy' ones. I thought I would get all the questions right, however spotting a phishing e-mail is not as easy as it might seem. It took me about 10 minutes to complete the test and the best part is the site provides a post-mortem of each e-mail and explains why that particular message was legitimate or not. I got 7 out of 10. I would have liked a full score but I'm satisfied with being a little bit wiser for now...

For more tips on spotting phishing e-mails, check out our Now or Never security feature in the January 2008 issue of Windows Middle East, out in stores in December.

4239 days ago
Derek

The 1st indication to a phisher mail is the question 'is it addressed to me personally?'. If you are dealing with a bank or other financial entity they will know your full name and will address you accordingly. So be suspicious of any mail that starts 'Dear customer' etc. 
If they don't know your name - why are they offering you financial rewards?

4239 days ago
Harikrishnan

Phishing is a curse of this digital age and not even banks are spared from this menace even with banks of computers and watchful eyes of the operators. A couple of months back somebody stole my ABN AMRO Credit Card number and made 4 transactions worth USD 2,000. I had to run virtually from pillar to post to reverse these 4 transactions. And for one of it even ABN AMRO Bank turned me down claiming that it was a legitimate transaction since it was made through a secured server. But thankfully i was able to speak directly with the Online vendor in Holland who reversed the transaction on my appeal. It indeed was a nightmare.

4240 days ago
Reghu

user awareness is the key, technology and process will always be compromised, the key lies with the users in protecting their information..

Add a Comment

Your display name This field is mandatory

Your e-mail address This field is mandatory (Your e-mail address won't be published)

Security code