The Phish Are Still Biting

The general public will always find ways to thwart the most well thought out and diligent attempts by software design and security professionals to protect them.

Why do these people never get caught and charged.If I were to set up a site doing things that was illegal, I would be traced and charged and my site shut down. Seems no one cares about these frauds.It is all up to the computer owner.

Only yesterday did I also receive an email claiming to be from Paypal telling me that there was a problem with my account and to log on to the web site contained in the body of the email to rectify matters.

I deleted it and then ran both of my malware programs to ensure that nothing nasty had been left behind. My computer was clean and had not been infected. David Guillaume

Why are Financial Institutions held accountable for PROMOTING phishing attacks?
Fidelity Investments emails account holders with numerous invitations to webinars, etc, that can ONLY be accessed by clicking a link in the email and logging in. The same offering is NOT available if the account holder uses his stored link to sign in.
At least two regional banks with whom I have accounts do the same thing. They are training their customers to become victims.

Hello Bob ,What do you think about pinger free text? and how
does it work.thank you Evelyn

EDITOR'S NOTE: See http://askbobrankin.com/send_free_text_messages_with_or_without_a_phone.html

Bob, thanks for a timely article. Just last week my wife received an phish email claiming to be a bank that she has an account with. It claimed that her account was locked and offered her a link to enter her account information "for verification". I'm so glad she called me into the offie to see this. This was the most authentic looking phish email that I've ever seen and I've been around for quite a while. Even the links had the banks name included which added reality to the scam.

Remember: NO financial institution will EVER ask for your account information on-line.

When in doubt always open a browser window and go directly to the institutions web site to verify the status of your account and check for messages.

As a side note: I have to agree with Wilson who wrote, "why do these people never get caught and charged. WHY!!!

BTW: I offered to send the email to the banks security department but they weren't interested.

In my address book, I have a "group" list of email abuse reporting addresses.
I forward such emails to all of them, hoping someone will nail the perpetrators.

I got the clear message about Phishing and never have fallen prey. If I can, I report the emails to the Company being exploited. Lately it has been mostly Paypal related, and I have been forwarding them to Paypal.

I am not surprised that they find victims, just not me.

To anybody who gets a phishing email purporting to be from PayPal: PayPal wants you to forward the email with full headers to spoof@paypal.com so that they can investigate it.

Great advice Bob. Its always the same email address of friends who send me those blank messages with just a hyperlink to click on. Initially I used to tell them but I am afraid I've given up now.

The other thing that bugs me are some of the software download sites that I used to trust who hide crapware away and its not always easy to spot it. I try always to go to trusted sites but I find I have to read very carefully what it is I am downloading.

I have never had any website that requires a username and password ever officially ask to have them verified. If you put your cursor on the link, somewhere on the screen the website where you will be going will flash up and it is always something different or something more than the site that it is purporting it will be.

Thank you Bob for another helpful article with intelligent and sensible information and warnings. My wife and I seek to be very careful and never open anything that either looks suspicious or appears to be coming from a sender that we do not know or have never heard of.

A few days ago my wife opened her email programme (Windows Live Mail)and immediately asked me to look at it as her inbox was downloading dozens of emails reporting failure to deliver emails, allegedly sent by her. The addressees were unknown to us and certainly nothing had been sent to any of them from my wife's computer by her or me.

It looked as though someone had used her email address illegally. We deleted all the suspect emails reporting a failure to deliver and I then ran three scans on her computer - Advanced System Care, Malware Bytes and Super Anti Spyware. Between them they identified 75 "Junk File" problems, all of which were removed.

We have received no emails from friends saying that "your address book has been hijacked" or words to that effect and there has been no repeat.

My questions are, was her computer hacked or was it an indication of phishing success. Do we need to change her email address or do anything more than what I have already done? Any thoughts from you or the knowledgeable folks who post on your comments page would be welcomed and appreciated.

To Martin Gouldthorpe

Strongly suggest changing the password on your wife's email account and making sure it is a strong password, i.e., does not contain known dictionary words, does contain alpha upper and lower case, and numeric, and is at least 10 characters in length with no repeating characters.

Because of all the bad email links, I am really paranoid about clicking on any. And that includes YOUR emails. They always say, "click here to read more". I trust that you, Bob, are being vigilant and click the link. But there's no guarantee that your emails and website are invulnerable (from what I hear, NOBODY is). So I may soon stop clicking your links.

I wish retailers that want to send me coupons or better display their wares would include a full link to their site, so that I can eyeball it for legitimacy and copy&paste and open in another tab. Instead, their emails just dsiplay hypertext links and "click heres" -- often their own retailing website isn't even printed in their email!

I don't fill out surveys if I have to click a link to take them, even though I may indeed have useful comments for the sender.

A previous poster was spot-on in saying banks are guilty themselves of fostering dangerous "click on this link" behavior (usually for more information on something, but it's still a link that may have malware). A few months ago, my bank both emailed and texted me Fraud Alerts to review (with links for "yes it was me" and "no this was not me"), and various people I contacted at that bank said either that A) the Alerts were legit or B) the Alerts were bogus.

So, please Bob, start by making your OWN valuable AskBob emails the model of how to communicate links without training readers to always trustingly click on links in emails.

EDITOR'S NOTE: There's a big difference between a link that goes to (for example) your bank which requires a login/password, and a newsletter link that goes to an article page. Email newsletters like this one do not require you to login in order to read the linked content. Apples and Oranges...

To Martin Gouldthorpe: I experienced the same thing with Comcast once. Even though they denied a problem I was able to trace it to them. I checked the headers to all of the messages that I received as you have described and saw that they were all legitimate venders and friends.

My account was not hacked nor was it the result of a phishing expedition. It was a technical problem at my ISP. I no longer use them for my email.

Bob, you recommend to use bookmarks, to be sure.
Please be aware that those bookmarks are not save, they can be changed without being noticed by you.
If you receive a suspicious mail, enter the known address manualy in the address field of your browser, otherwise you may get directly to the phishing address.

:-)

Regards from Germany

One of my jobs entails reviewing the spam folder in the company email account we use. It's amazing how many IDENTICAL emails we get in a row from supposedly different senders... And the ones we get in Chinese makes me wonder what the phisher was thinking...

The words of P.T. Barnum keep coming to mind about "one being born every minute." It's depressing to me to realize just how unaware if not just plain dumb so many people are.

There's an old saying about the more we do to make things idiot proof, someone comes up with better idiots.

Bob, your article says "Malware typically gets installed when a victim opens a file attached to a phishing email or clicks on a link embedded in it. "

Reading YOUR articles involve clicking on a link in your emails. Although YOUR links just go to your website, don't involve logins/passwords, AND you have high security vigilance, you're still encouraging behavior that's becoming risky.

What if someone spoofs your email address and sends out carbon-copy newsletters with malware embedded in the links? [Apples and oranges have many differences, but both can go bad.]

We need an amendment to the Constitution that those who engage in internet thief give up all their rights and are immediately shot.
Classify them as terrorist.