Christian Credit Union

Fraud Prevention

Plenty of Phish in the Sea

February 10, 2012

We have seen several instances of phishing recently, and are asking members to be vigilant in exercising appropriate caution when using the Internet and email.

Ensuring that all members understand this threat has never been more important. Employees and consumers in general need to be able to identify phishing attacks to avoid Internet fraud and identity theft.
 
Phishing is an attack used by the computer hacking and fraud community to lure people to websites that pose as legitimate sites. They do this by creating emails that look like they are being sent by a legitimate company. However, when you click on a link in the email, it takes you to a mock-up of the legitimate company’s website where you are asked for your log-in credentials and potentially credit card or other information. In-session phishing can also manifest itself as a pop-up in a web browser that will attempt to lure you to input information such as security credentials for your financial institution accounts, credit card information or other valuable information. They may even attempt to sell bogus merchandise. When you supply this information, it is harvested by the hackers/fraudsters. Once obtained, they sell the information or use it to commit fraud or other illegal acts.
 

Take Action

The simplest way to protect yourself and your business from phishers is to avoid clicking on any unexpected link in an e-mail message. Do not reply to emails soliciting personal information. Do not enter any information into pop-ups that automatically appear in your browser. Having safely ignored the suspicious email or pop-up, report it.

A significant portion of on-line fraud goes unreported. Some people are too embarrassed to admit they’ve been taken in. Others simply don’t know what to do.

If you spot something suspicious, go to the company’s web site, the one that looks like www.companyname.com. Most sites have an option on their home page labeled “Contact Us” or something similar. Use that to report the phishing attempt. If you have gone so far as to provide sensitive personal information before realizing you may be a phishing victim, report the matter to your local police and keep a copy of the police report. You may need that documentation to resolve any fraudulent transactions.

You can also go online to www.antifraudcentre-centreantifraude.ca, the Canadian Anti-Fraud Centre or you can call toll-free to the Canadian Anti-Fraud Centre at 1-888-495-8501.

The following information provides a much more in-depth discussion on how to spot phishing attempts. Please take the time to review as anyone can be targeted and it is everyone’s responsibility to recognize the threat and take the appropriate action.

Phishing Methodology

How can one tell a legitimate email message or pop-up from a phishing e-mail or pop-up? Here are some things to look for:

Warning Sign #1: In-session Phishing Pop-ups

A pop-up appears that is from a company you have open in another tab in your browser

You may have several tabs or windows open with several different websites; for example, PayPal, Google, Amazon and eBay. Suddenly a pop-up box opens that looks like it is from PayPal, and it asks you, "for verification purposes," to enter your password and your credit card information. It may not have been from PayPal at all, and you have just given the fraudsters your information.

A login form or a site's form appears not to be working

You may have several tabs or windows open with several different websites; for example, PayPal, Google, Amazon and eBay. You encounter a login form on one of the sites; nothing unusual there. You type in your username and password, but nothing happens. You re-enter the information; however, there is still no response. You may simply assume that the website has temporarily stopped working, so you close the window and carry on elsewhere. But what may have happened is that everything you typed into the form was harvested by the fraudsters.

Steps to take to combat in-session phishing pop-ups

  1. Always be suspicious of pop-ups that suddenly appear on your desktop when you did not request the action, especially if they ask for sign-on credentials, credit card information or other personal information, including cell phone numbers. Do not enter any information into the form; immediately close the window where the form was displayed.

  2. Always log out of banking and other sensitive online applications and accounts before navigating to other websites.

Warning Sign #2: Badly Written E-mail

Read the message closely. A professional company such as eBay or Amazon will not issue any communication containing basic grammatical and spelling errors. A high proportion of phishing emails contain such fundamental errors. For example:

Warning Sign #3: Hidden Addresses & Sources

Phishing attacks redirect you somewhere other than where they claim to be going. Check whether the link in the email is legitimate by resting or hovering the mouse pointer over it. The output is displayed differently in different browsers, but it should match the web address shown in the link text and be the web address of the company allegedly sending the email. (See below.) If it is not, this again is likely a phishing email.

Example of the kind of phrase you might see in an e-mail message that directs you to a phishing Web site:

"Click the link below to gain access to your account."

Notice in the following example that resting or “hovering” (but not clicking) the mouse pointer on the link reveals the real web address, as shown in the graphic below. The string of cryptic numbers is a generic Internet Protocol address and looks nothing like the company’s web address, which is a suspicious sign.

Example of a masked web address

Con artists also use web addresses that resemble the name of a well-known company but are slightly altered by adding, omitting or transposing letters. For example, the address "www.microsoft.com" could appear instead as:

www.micosoft.com
www.mircosoft.com
www.verify-microsoft.com

This is called typo-squatting or cybersquatting.

Warning sign #4: Threatening, Legal-Sounding Messages

Consider the source. From a customer service perspective, no reputable company would send their customers a threatening email. If you receive a threatening email, it almost certainly isn’t legitimate. If you think it may be, phone or email the legitimate company. Under no circumstances should you respond directly with email to the message you just received.

Warning sign #5: Soliciting Personal Information by email

Financial institutions and reputable online retailers do not send emails asking for personal information. Any email that claims to be from a reputable source, but asks for such data, is most likely a phishing expedition. See the example below:

  1. This sender sounds official, but how can you be sure? Emails can appear to be sent from any address, so it is easy to fake something that looks official.
  2. Notice the sense of urgency expressed in the subject. Apparently, it’s a final reminder. Do you remember receiving any previous emails on this subject?
  3. This is rather generically and impersonally addressed for such an important subject. Why didn’t they explicitly address you by name?
  4. The statement about not logging in for a while could be true, lending to the legitimate appearance of the email. Do not be fooled by this tactic.
  5. “We must to suspend your online account” – notice the grammatical error here.
  6. Facilty – spelling mistake. They likely mean facility. The same mistake is made throughout the email.
  7. Request for sensitive information. Reputable banks or financial institutions will never request sensitive information by email.
  8. Threat of account suspension adds weight to the sense of urgency and importance.
  9. The URL in the email appears legitimate, but when you hover over it, you see that the actual hyperlink ends in ‘royaibank.com’, not ‘royalbank.com’ as displayed.
  10. Another grammatical error. Likely they meant to say ‘inconvenience’ rather than ‘convenience’.
  11. Stating that the email has come from the security team is yet another tactic to appear legitimate.
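The two link checks described above, the hover test from Warning Sign #3 (does the real web address match the displayed one, and is it a bare IP address?) and the lookalike-domain test behind the "micosoft"/"mircosoft"/"verify-microsoft" and "royaibank" examples, can be automated for an HTML e-mail. The following script is an added example and is not code from the credit union or from any product it mentions; the list of trusted domains, the sample e-mail and the `192.0.2.10` address (a documentation-only range) are constructed for illustration, and the "last two labels" rule for the registered domain is a simplification that ignores country-code suffixes such as `.co.uk`.

```python
"""Flag suspicious links in an HTML e-mail: visible text that disagrees with the
real href, bare IP-address hosts, and lookalike (typo-squatted) domains.
Added example, not the credit union's code; brand list and sample mail are constructed."""
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allow-list of registered domains the reader actually does business with.
KNOWN_DOMAINS = {"microsoft.com", "royalbank.com", "paypal.com"}

# Constructed sample e-mail mirroring the article's examples (not a real message).
SAMPLE_EMAIL = """<p>Dear valued customer,</p>
<p>We must to suspend your online account. Please visit
<a href="http://www.royaibank.com/verify">www.royalbank.com</a> to restore access.</p>
<p>Or <a href="http://192.0.2.10/login">click the link below to gain access to your account</a>.</p>
<p>Support: <a href="http://www.verify-microsoft.com/">Microsoft account help</a></p>
<p>Genuine: <a href="https://www.microsoft.com/">www.microsoft.com</a></p>
"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from every <a> tag."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Simplified 'last two labels' rule: www.verify-microsoft.com -> verify-microsoft.com."""
    return ".".join(host.lower().split(".")[-2:])


def edit_distance(a, b):
    """Damerau-Levenshtein (optimal string alignment): a swapped pair like 'mircosoft' costs 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def host_of(text_or_url):
    """Host part of a URL or of a bare 'www.example.com' string ('' if none)."""
    s = text_or_url.strip()
    if "://" not in s:
        s = "http://" + s
    return urlparse(s).hostname or ""


def lookalike_of(host):
    """Return the known domain this host imitates, or None if it is genuine or unrelated."""
    reg = registered_domain(host)
    if reg in KNOWN_DOMAINS:
        return None
    label = reg.split(".")[0]
    for known in KNOWN_DOMAINS:
        brand = known.split(".")[0]
        # One typo or transposition away from the brand (micosoft, mircosoft) ...
        # ... or the brand embedded in a different registered domain (verify-microsoft).
        if edit_distance(label, brand) <= 1 or (brand in label and label != brand):
            return known
    return None


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def check_links(html):
    """Return [(href, reason)] for each suspicious link; an empty list means nothing was flagged."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        real = host_of(href)
        shown_match = re.search(r"(?:https?://)?[\w-]+(?:\.[\w-]+)+", text)
        shown = host_of(shown_match.group()) if shown_match else ""
        imitated = lookalike_of(real)
        if is_ip_literal(real):
            findings.append((href, "link points at a bare IP address"))
        elif shown and registered_domain(shown) != registered_domain(real):
            findings.append((href, f"visible text says {shown} but link goes to {real}"))
        elif imitated:
            findings.append((href, f"{real} resembles {imitated} but is a different domain"))
    return findings


if __name__ == "__main__":
    for href, reason in check_links(SAMPLE_EMAIL):
        print(f"SUSPICIOUS {href}: {reason}")
```

Run against the sample message, the script flags the `royaibank.com` link (visible text disagrees with the real address), the bare-IP link and the `verify-microsoft.com` link, and leaves the genuine `microsoft.com` link alone. The lookalike test is deliberately conservative (one edit or transposition, or the brand name embedded in another domain); anything fancier, such as homoglyph or punycode checks, needs a proper public-suffix list and a curated brand list.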

To see more phishing examples, please go to www.google.com and search for “Phishing Examples” or “In-Session Phishing”.



