A mass phishing email scheme aims to steal banking information under the guise of the FDIC, just the most recent in a long line of scams, bilking millions from consumers.
Cyber criminals are using fake messages claiming to be from the Federal Deposit Insurance Corporation (FDIC) to deliver a virus capable of stealing unsuspecting victims' bank passwords and other sensitive personal information, said Gary Warner, the director of research in computer forensics at the University of Alabama at Birmingham (UAB).
Warner said the spam is being delivered with one of two subject lines:
• FDIC has officially named your bank a failed bank
• You need to check your Bank Deposit Insurance Coverage
Warner said that once the message is opened, the spam asks users to visit a specific Web site, a link to which is included in the message. Those who follow the link are taken to a page that asks them to click and download a copy of "your personal FDIC insurance file."
"Unfortunately, anyone who clicks that download link will be downloading a version of the Zeus Bot virus, which has the capacity to steal bank passwords and other financial and personal information," Warner said in a statement yesterday.
The FDIC joins a list of prestigious institutions and companies whose brand identity is co-opted by cyber criminals with one objective: steal money. In the last week alone, employees at TopTenREVIEWS have received scam emails from the Internal Revenue Service, Chase Manhattan Bank and Facebook. According to Consumer Reports “State of the Net 2009 report,” one in 90 people lose money to phishing scams, totaling $483 million over the past two years.
Consumers can protect themselves by remembering one simple rule: Legitimate companies will never ask you to download programs or enter your personal information including logins and passwords by e-mail.
It is often difficult to follow the rule when the email is both convincing and frightening. Cyber criminals are experienced professionals: they know how to scare you into action, and it only takes a few responses to make the scheme worthwhile.
Threats like the one contained in the FDIC message and in the common IRS email, informing the recipient that unreported income has been found, can prompt a panicked click-through. Stop and delete. Institutions and companies do not use email for this purpose; they use regular mail.
Upon close scrutiny, it is possible to identify phishing emails. Here are five things to look for in a suspicious email:
- Cyber criminals often blind carbon copy the entire target list. This is the same trick you might use to make quick work of a mass mailing when you send the email to yourself and bcc all of your recipients, but institutions never do it. Click "reply all" to view a possible list. Also, by hitting "reply all" you can see the true email address, which will be different from the company’s website, though the variation may be very slight.
- You can get that same information by setting your email preferences to show "full header" to show the sender’s full email address. Again, it will not match the company’s real website address.
- Any links in the email will not go to a legitimate site. Look carefully and you may detect the variation. Often these illegitimate links will have a series of letters or numbers before the company name.
- Check the ending (the top-level domain) of the sender’s email address. Most phishing emails come from overseas. Delete any emails that end in something other than .gov, .edu, .net, .com, or .us, unless you have relatives overseas.
- Watch for .exe files in email attachments. If you see an email with an .exe file attached, delete it. An .exe file may contain a virus with the capability to wipe out your entire computer.
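The five checks above can be applied mechanically to a raw message before anyone clicks. The following is an added example, not code from the article or from UAB: it parses a constructed message modelled on the FDIC lure (all addresses and URLs are placeholders, not real indicators) and reports which of the five warning signs it finds, given the domain the mail claims to come from.

```python
import re
from email import message_from_string
from email.utils import parseaddr
# Constructed sample modelled on the FDIC lure described above; every address
# and URL is a placeholder, not a real indicator.
SAMPLE = """\
From: "FDIC Insurance" <notice@fdic-alerts-mail.example>
To: undisclosed-recipients:;
Subject: You need to check your Bank Deposit Insurance Coverage
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Download your personal FDIC insurance file:
http://x7q2.fdic.gov.example/insurance/file
--b1
Content-Type: application/octet-stream; name="insurance_file.exe"

--b1--
"""
EXPECTED_TLDS = {"gov", "edu", "net", "com", "us"}  # the article's list, as given

def registered_domain(host):
    # Crude registrable domain: last two labels (no public-suffix list used).
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def check_message(raw, claimed_domain):
    msg = message_from_string(raw)
    findings = []  # empty list means none of the five signs was found
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    tld = sender_domain.rpartition(".")[2]
    if registered_domain(sender_domain) != claimed_domain:  # checks 1 and 2
        findings.append(f"sender domain {sender_domain!r} is not {claimed_domain!r}")
    if tld not in EXPECTED_TLDS:  # check 4
        findings.append(f"sender address ends in .{tld}")
    to = msg.get("To", "")
    if not to or "undisclosed" in to.lower():  # check 1: target list hidden
        findings.append("recipient list hidden")
    for part in msg.walk():
        name = part.get_filename()
        if name and name.lower().endswith(".exe"):  # check 5
            findings.append(f"executable attachment {name!r}")
        if part.get_content_type() == "text/plain":  # check 3: link hosts
            body = part.get_payload(decode=True).decode("utf-8", "replace")
            for host in re.findall(r"https?://([^/\s]+)", body):
                if registered_domain(host) != claimed_domain:
                    findings.append(f"link host {host!r} is not {claimed_domain!r}")
    return findings
```

Run against the sample with `check_message(SAMPLE, "fdic.gov")` it flags all five signs; a message whose sender and links genuinely sit under the claimed domain returns an empty list.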
Avoid getting on phishing lists in the first place. One of the easiest ways you can do this is to have an email address that is hard to get. For example: email@example.com should instead be firstname.lastname@example.org.
Fighting phishing scams is an ongoing battle. It’s move and counter move. Security experts develop new techniques to block cyber criminals while criminals design new ways to overcome or circumvent the measures.
Captchas, the often almost indecipherable images made up of letters and numbers, are devices designed to thwart the nonhuman collection of information. Even Google will ask a user to type in the characters in a captcha to prevent bots from crawling their site to gather information meant for humans only. Today bots have been developed that can indeed decipher captchas and invade a protected site, gathering enormous amounts of data in a short period of time, which can then be used in another scam.
Fighting phishing scams is a constant struggle, one that will never be won through automation alone. For the best protection, all users must stop, think and delete.