A mass phishing email scheme aims to steal banking information under the guise of the FDIC, just the most recent in a long line of scams, bilking millions from consumers.
Cyber criminals are using fake messages claiming to be from the Federal Deposit Insurance Corporation (FDIC) to deliver a virus capable of stealing unsuspecting victims' bank passwords and other sensitive personal information, said Gary Warner, the director of research in computer forensics at the University of Alabama at Birmingham (UAB).
Warner said the spam is being delivered with one of two subject lines:
• FDIC has officially named your bank a failed bank
• You need to check your Bank Deposit Insurance Coverage
Warner said that once the message is opened the spam asks users to visit a specific Web site, a link to which is included in the message. Those that follow the link are taken to a page that asks them to click and download a copy of "your personal FDIC insurance file."
"Unfortunately, anyone who clicks that download link will be downloading a version of the Zeus Bot virus, which has the capacity to steal bank passwords and other financial and personal information," Warner said in a statement yesterday.
The FDIC joins a list of prestigious institutions and companies whose brand identity is co-opted by cyber criminals with one objective: steal money. In the last week alone, employees at TopTenREVIEWS have received scam emails from the Internal Revenue Service, Chase Manhattan Bank and Facebook. According to Consumer Reports “State of the Net 2009 report,” one in 90 people lose money to phishing scams, totaling $483 million over the past two years.
Consumers can protect themselves by remembering one simple rule: Legitimate companies will never ask you to download programs or enter your personal information including logins and passwords by e-mail.
It is often difficult to follow the rule when the email is both convincing and frightening. Cyber criminals are experienced professionals: they know how to scare you into action, and it only takes a few responses to make the scheme worthwhile.
Threats like the one contained in the FDIC message and in the common IRS email, informing the recipient unreported income has been found, can prompt a panicked click through. Stop and delete. Institutions and companies do not use email for this purpose, they use regular mail.
Upon close scrutiny, it is possible to identify phishing emails. Here are five things to look for in a suspicious email:
Avoid getting on phishing lists in the first place. One of the easiest ways you can do this is to have an email address that is hard to get. For example: firstname.lastname@example.org should instead be email@example.com.
Fighting phishing scams is an ongoing battle. It’s move and counter move. Security experts develop new techniques to block cyber criminals while criminals design new ways to overcome or circumvent the measures.
Captchas, the often almost indecipherable images made up of letters and numbers, are devices designed to thwart the nonhuman collection of information. Even Google will ask a user to type in the characters in a captcha to prevent bots from crawling their site to gather information meant for humans only. Today bots have been developed that can indeed decipher captchas and invade a protected site, gathering enormous amounts of data in a short period of time, which can then be used in another scam.
Fighting phishing scams is a constant struggle, one that will never be won through automation alone. For the best protection, all users must stop, think and delete.