Information on Merchant Accounts,
Ecommerce and Credit Card Processing

March 28th, 2006 by Jamie Estep

Gone Phishing – Protecting yourself and identifying phishing attempts.

Filed in: Fraud | 5 comments

Paypal and other financial institution phishing is a major concern for many individuals and businesses. I personally get several hundred phishing emails per day and a huge percentage of them are ebay and paypal phishing attempts.

Phishing is a type of fraud in which an email is sent to a person by a sender posing as a major institution, trying to get the recipient to log into "their" website. When the recipient clicks on the link, what they see is a duplicate of the real website, made by the person who sent the email. The duplicate website has a form that the user enters information into, normally a login box. Once the user enters their information and presses submit, the information is sent to the person who sent the email. The phisher has just obtained the login information of the person who was phished, and now has full access to whatever website that user-name and password are used at. They can empty your bank account, make fake ebay purchases, or do anything else that the website allows, and they are doing it as you…

Phishing is normally easy to spot, but recently I have been receiving better planned and implemented phishing websites and emails.

The sure-fire guide to not getting phished.
First off, you need to know two things. First, reporting phishing attempts does absolutely nothing, so don’t waste your time. Phishing attempts and the websites that go with them are almost always hijacked, so reporting them will not lead authorities or anyone else to the responsible party. Second, there is nothing you can do to stop getting phishing emails, so don’t concern yourself with that one either.

1. Don’t Click
The most important thing you can do to not get phished is to never click on a link in an email that asks, requests, begs, prays, or does anything else in an attempt to get you to log in to or even access a website. If you need to access the website, open a new browser window, type the website address into the new window, and log in to the website from there. Whether you think the email is a phishing attempt or not, this is just plain common sense to protect yourself. If you never click on a link to a phishing website, you will never be a victim of phishing fraud.
[Screenshot: New Window]

2. Delete any identified phishing emails
Identifying phishing emails can be difficult, but a few simple flags will tell a phishing email from a real email almost every time. One thing you should have is a computer-based email program. Online email services like Yahoo or Hotmail are terrible at helping a user identify a phishing email. If you need an online email account, I recommend using Gmail, which also allows POP3 access from your home computer. Use Microsoft Outlook or Outlook Express to view your Gmail emails. Using Outlook or Outlook Express will allow you to view extra information that is sent with each email. Whether you use an online program or Outlook, there are several flags that will make phishing emails stand out.

  1. The email sender is not who the message claims to be from.
    • The email sender in the header or the From box is different from who the message appears to be from. This would be like getting an email from Chase bank, but in the From: field, Reply-To: field or in the header itself the message is from someone9876@earthlink.com.
  2. The link that the email wants you to click on is a long, fake, or obscure address.
    • A phishing email will always try to get you to visit the fake website to enter your information. When you place your mouse over the link, look at the URL that appears. Another way to view the link in a web-based email is to right click on the link and select ‘copy target’ or ‘copy link location’. Then paste the link into your web browser address bar and look at it. If the email is real, the link will go directly to the organization’s website. If the email is fake, it will normally have a long, obscure website address, often with the real organization’s name buried somewhere in the path rather than in the host.
    • Good Link: http://www.paypal.com/us/
    • Bad Link: http://mabarrackfurniture.com.au/images/www.paypal.com/cgi-bin/webscr.php?cmd=_login-run
  3. The email ends up in your spam box.
    • As simple as it seems, emails that get hit by spam filters are filtered for a reason. While recently I have been seeing phishing emails routinely make it through the strictest spam filters, the majority of phishing emails will get caught in web-based and Outlook spam filters. If an email goes in your spam folder, it did so for a reason, so be extra careful with that email.
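The first two flags above (sender domain not matching the claimed organization, and a link whose real host is not the organization even though the brand name appears in the path) can be checked mechanically. The script below is an added example, not code from the original post; it parses a constructed sample message built from the good and bad links shown above and reports each flag it finds.

```python
"""Flag the header and link signs of phishing described above (added example)."""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample message: the kind of email the post describes, not a real one.
SAMPLE = """\
From: "PayPal" <someone9876@earthlink.com>
Reply-To: someone9876@earthlink.com
To: victim@example.com
Subject: Receipt for your payment
Content-Type: text/html

<p>Please <a href="http://mabarrackfurniture.com.au/images/www.paypal.com/cgi-bin/webscr.php?cmd=_login-run">log in</a>
to confirm. Or visit <a href="http://www.paypal.com/us/">paypal.com</a>.</p>
"""

def registered_domain(host):
    """Crude 'last two labels' domain, enough to compare the hosts in this example."""
    return ".".join(host.lower().split(".")[-2:])

def header_flags(msg, expected_domain):
    """Flag 1: the From / Reply-To address does not belong to the claimed organization."""
    flags = []
    for header in ("From", "Reply-To"):
        _, addr = parseaddr(msg.get(header, ""))
        if addr and registered_domain(addr.split("@")[-1]) != expected_domain:
            flags.append(f"{header} address {addr} is not @{expected_domain}")
    return flags

def link_flags(html, expected_domain):
    """Flag 2: the real host of a link is not the organization, even when the
    brand name shows up later in the URL path (the 'Bad Link' pattern above)."""
    flags = []
    for url in re.findall(r'href="([^"]+)"', html):
        host = urlparse(url).hostname or ""
        if registered_domain(host) != expected_domain:
            note = " (brand name appears only in the path)" if expected_domain in url else ""
            flags.append(f"link host {host} is not {expected_domain}{note}")
    return flags

def check_message(raw, expected_domain="paypal.com"):
    """Return every flag raised for a raw RFC 822 message claiming to be from expected_domain."""
    msg = message_from_string(raw, policy=policy.default)
    return header_flags(msg, expected_domain) + link_flags(msg.get_content(), expected_domain)

if __name__ == "__main__":
    for flag in check_message(SAMPLE):
        print("FLAG:", flag)
```

Run against the sample, it reports both sender headers and the first link; the genuine http://www.paypal.com/us/ link raises nothing.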

3. Use a different email address if you run websites
This is targeted at webmasters and others who manage websites. If you have websites with customer service email addresses on them, never use those email addresses for PayPal, ebay, your bank, or any other personal, financial, or access-related purposes. Keep the email addresses on your websites completely independent of the ones you use for PayPal, ebay, etc. The reason is that spammers build huge lists of email addresses by scraping websites for them, and then send phishing emails to the addresses they collect. If the phishing emails you get are sent to the email addresses that your websites use, then you instantly know that they are fake.

4. If you click on a link, make sure you are where you should be
If you do click on a link in your email, make sure that the link sends you to the actual organization’s website and not a fake. Look at the address bar. Does it look right?
[Screenshot: the phishing page described below]
Notice how the address in the address bar is not paypal, but the page looks just like the login page. This is a phishing page. Never enter your information if the address in the bar is different from the organization that you are trying to visit.

A good phishing example:
This example is one of the best phishing emails I have ever seen. It instantly made me want to click on the link. It passed every spam filter I have and if I did not know exactly what to look for in a phishing email, I could have been a victim of it.

The email is a simple PayPal payment receipt stating that I paid for some merchandise and that the payment was received. The payment is for something that I do not recognize, and it is being shipped to someone else.

[Screenshot: the phishing email described above]

The email address showed as being from PayPal. The email related to a real ebay auction that had ended shortly before the email was sent. The only way I could tell it was fake was that the link sent me to a website that was not actually PayPal.

The bottom line is that it is very easy to tell a phishing email from a normal email, but phishing continues to be a huge area of fraud on the internet. If you follow #1 you will never be the victim of phishing.

5 Responses to “Gone Phishing – Protecting yourself and identifying phishing attempts.”

  1. george June 2, 2006 at 1:39 am

    Excellent articles on this page (and site) of yours!

    Although my email provided above is NOT valid (no contact is necessary or desired) it is provided as invalid to prevent spam.

    I wrote two recent articles, both similar and on the topic related to Paypal and spam. Any ecommerce site that uses the paypal “add to cart” buttons is required to have their email address in that html coding. Such can be harvested by bots, thus, Paypal’s means of identifying an e-commerce site merely enhances the chance that more spam will come to that email address. Paypal should identify a site by an Account Number, or by the site domain name, not by an email address.

    If you include this information, please reference my main site at http://www.riverpages.com/ and a person should click on the “If it doesn’t fit…” button then the “Paypal spam risk” button. (Second article is at the bottom of the first article.)

    Apparently an issue that Paypal has probably known about since at least 2003, and recently brought to their attention by myself as a programmer, Paypal does nothing to correct the problem. I believe there could be issues of liability posed against Paypal and possibly a class action could be brought against them.

    How many people have been harmed by this stupid requirement of Paypal’s to identify a site by their email address?

    Ignorance and complicity. Additionally, any terms in their contract which would tend to nullify any California No-Spam Laws or other protective laws would not be valid.

  2. jestep June 2, 2006 at 8:08 am

    George,

    Thanks for the comment and letting me know about this.

    I personally haven’t used the paypal ‘add to cart’ buttons much, but I do see how paypal is making a huge mistake by having the email address in the button. Judging by the quantity of website’s using paypal as their shopping cart, I would think it is safe to say that millions of email addresses get spam because of paypal. It is completely irresponsible of paypal to have the email so available, especially without better informing their customers. I will definitely post a blog on the subject in the next week.

    Thanks
    Jamie

  3. george June 2, 2006 at 2:16 pm

    (again, my email given here is not valid to prevent spam or harvesting)

    Yes, multi-millions of sites! And to me (luckily I don’t use Paypal) just as a programmer I consider it Gross Negligence on their part. It might be that they might have in their “terms” something that says “not liable” or “no responsibility” or other clause(s) that might waive rights. But in my opinion at least they might be chargeable under (Malicious) Mischief laws of states. What they have effectively done is not any different than someone posting another person’s telephone number to phone solicitors or akin to posting a person’s credit card in plain view.

    The issue/problem “can” be fixed, and I would venture a guess that it could be done in just a few days. Scenario. Whatever their database is….. simply get it to reformat or add a new field for account number (could be binary or string). For 10 million who knows how long that would take to run, but programs are very fast. Next would be to assign each account a unique alphanumeric account number, maybe that could be done at the first part. Strictly numeric has limitations, such as 1 to 10,000, but alphanumeric such as A0001 to Z0001 and a0001 to z0001 and so on gives a lot more numbers if you catch on to that aspect. They already use a lookup program to find the account by email so they could “add” code within it to find the account by the new field (thus easy transgression from old to new). And they can easily change their formatting of any display windows for either buyers or for people managing their accounts to show the new field.

    Very simplified. If they add account numbers, change their look up code to “include” the new account number field, and set their pages to display the account number, then the “final fix” by the ecommerce sites can be done by programmers of those sites as soon as they can do it. No interruption of service either.

    It would be interesting to hear a VALID and justified reason why it has not been done.

    Just like the thoughts that myself and others have with regards to A/V programs, where I have often wondered if any A/V program manufacturers might have on “hidden payroll” people making up new trojans etc….. one might wonder about why Paypal has not fixed this problem that can only result in spam. Are they willingly supportive of spammers? One can only try to second guess their reasons.

    Nevertheless, the matter does touch on privacy, security, and has a great effect on spam, thus any spam laws come into play along with rulings pertaining to complicity, negligence, and harm (as aforementioned, many states have laws against mischief that causes harm).

    Glad that you’ll be doing a follow up on this. As a programmer and having spotted this issue on a site I’ve been working on, I feel strongly about the matter and so I am pushing it as much as I can to get it fixed. Most definitely is not right.

    Thanks for whatever help you can give on this.

    george
    (ps you can post this or keep it quiet, your choice)

  4. Hollie Noorda May 19, 2010 at 5:01 pm

    I usually submit my phishing scams to Phishtrackers(dot)com; many seem to get listed in google so others find out about the fraud.

  5. phishing report May 25, 2010 at 1:36 am

    Recently I published my personal e-mail address on a discussion board and began to receive numerous phishing emails. I report them to the phishtrackers website; this can help other people identify the scams.