Tuesday, June 26, 2007

419 Phishing -- the scams that hurt the internet -- how they work

Arthur (Goldstuck, I presume?) commented on my post, 'Gone Phishing', pointing out that technically, what I received is the standard '419' scam, and that phishing is a lot more sophisticated.

It's worth looking at this in a little detail.

The '419' works like this... I receive an email, seemingly targeted at me, mentioning some vast amount of money that has been erroneously left in someone's bank account. For some reason, normally to do with the tragic death of the bank account holder, that money has to be disposed of by a certain date, or else it gets redistributed to someone in power.

The person sending the email is empowered through some technicality to involve me in the transaction, and for simply receiving and forwarding the money, I'll get a percentage of the money.

Phishing is different. I get an email from a banking (or other) institution, informing me most sincerely and convincingly that there's been some sort of security breach on my online account (whether or not I hold one), and that I must go to the institution's site and redo all of my security settings.

When I follow the link to the site, I'm asked for all sorts of interesting and useful information. Such as my ID number. My bank account number. My 'old' password. The size of my underpants.

And like the dutiful idiot I am, I supply all of these details, convinced that my bank would never bend me over a barrel and slather my nether regions in KY Jelly, ready to take one for the team.

Fourteen seconds later, my cellphone beeps, telling me that everything I've earned in my entire life has now been transferred to an account in the Bahamas. Clever me.

Now how do I equate the two scams?

Firstly, out of sheer laziness. But secondly, cos they're both con-based. Both scams rely on the naivete of the user for the hook to sink.

The 419 uses pure greed as its lure. And the phishing scam uses fear.

With the 419, my brain sees sums like £30 000 000, and 10%. And my brain short circuits. And I think, 'Hell! Ten perCENT? They outta their cotton picking minds??? I'm gonna take the WHOLE LOT!!!' And so, I'm already plumped to be reeled in as they make their strange and quaintly illiterate requests for information and cash and bank account details and ID numbers.

Phishing uses the fear that someone might be in the position to scam me. 'Someone' has breached the bank's security. And this 'someone' has the power to strip my account of all my earnings and my entire overdraft. And if I act FAST, I'll be able to thwart the scammer! And so I play right into their hands and hand it all to them on a plate.

Both are very clever. And both operate on a subtle level.

The crazy broken English of the 419 scam is deliberate, I would say. They make themselves SOUND as though they're thicker than two scoops of soft-serve in Iceland. And that's all in the service of activating our greed. They WANT us to think, 'Oh, jeez! This chump can't even speak English! I'm a phenomenally gifted person in the brains department! Surely one such as I can outwit this scumbag? How stupid can he think I am???'

If that happens, we don't stand a chance.

We must resist. We must say, 'If I were to run a scam like this, how would I want my 'opponent' to feel about me?' The correct answer is: 'I'd want my opponent to think that my brains are runnier than a Mumbai sewer.'

The subtlety of phishing scams is that they make me feel that they're deeply concerned about the safety of my money. I respond to their concern by thinking, 'Well, they MENTION things like fraud and theft and stuff like that, so that means they're obviously NOT fraudsters themselves. I mean, what kinda fraudster would actually MENTION their fraud in the fraud setup? No way. This MUST be legit.' And then we're dead. Bye bye money.

So. Let's resist this crud. If you get a phishing or scamming attack, here's what Arthur suggests you do...

When I get these, I take great delight in c&p'ing the e-mail's header record, and then forwarding the e-mail with the header to the relevant ISP and/or e-mail service. When that's the likes of Yahoo or Hotmail, I usually end up getting an e-mail saying that the user's address has been canned. And at the very least, they'd have to find another e-mail address. It takes me all of 30 seconds. I also do it for the "lottery winner" scams.

I'd like to think that the reason I get far fewer of these than I used to, is because of these services of mine to the online fraternity. But it's probably because of better ISP filters.

If you're a Gmail user like me, you MIGHT know that they've got a 'Report Phishing' button in the 'Reply' dropdown menu. Click it, and it asks you to confirm that you're reporting a phishing attack. (I kinda wish Gmail would wake up to the Web2.0 potential of this tool. If they 'rewarded' their users by revealing how accurate their phishing reporting activities were, so many more people would be aware of the crime. I'd LOVE to know how accurate my efforts have been.)

Another thing to do, especially with standard Banking phishing attacks, is, in Arthur's words, to 'forward the e-mail and header to the "real" supplier'.

The thing NOT to do is reply or respond in ANY way. Your email header contains a heck of a lot more information than you'd like these crazed lunatics to know. They can deduce all sorts of stuff about you if you respond. So don't do it.
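To show why Arthur's header-forwarding advice works, here is an added example (not code from the original post or from Arthur): it parses the Received: chain of a constructed sample message to find which mail service actually handed it over, which is the abuse desk worth forwarding to. The host names and addresses are made up, and the one caveat a practitioner should keep in mind is that only Received: lines written by servers you trust can be believed; anything further down may have been forged by the sender.

```python
import email
import re

IP_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")
HOP_RE = re.compile(r"from\s+(\S+)(.*?)\sby\s+(\S+)", re.S)

# Constructed sample, not a real scam message; IPs are documentation ranges.
RAW_MESSAGE = (
    "Received: from mx.example.net (mx.example.net [192.0.2.10])\n"
    "\tby mail.example.org with ESMTP; Tue, 26 Jun 2007 10:00:00 +0000\n"
    "Received: from webmail.example.com ([203.0.113.45])\n"
    "\tby mx.example.net with SMTP; Tue, 26 Jun 2007 09:59:00 +0000\n"
    "Received: from [198.51.100.7] (helo=localhost)\n"
    "\tby webmail.example.com with HTTP; Tue, 26 Jun 2007 09:58:00 +0000\n"
    'From: "Bank Security" <security@example-bank.invalid>\n'
    "Subject: Urgent: verify your account\n"
    "\n"
    "Dear customer, your account has been breached...\n"
)


def received_hops(raw):
    """Return one (from_host, from_ip, by_host) tuple per Received: header,
    most recent hop first (each server prepends its line as the mail passes)."""
    msg = email.message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        m = HOP_RE.search(value)
        if not m:
            continue
        ip = IP_RE.search(m.group(1) + m.group(2))
        hops.append((m.group(1).strip("[]"), ip.group(0) if ip else None, m.group(3)))
    return hops


def handoff_hop(raw, trusted_hosts):
    """Walk the chain from your own servers outward and return the last hop
    that a trusted server recorded. Its 'from' IP is the service that handed
    the mail over (the one to report to); lines below it were written by
    machines the sender may control, so they cannot be relied on."""
    last = None
    for from_host, from_ip, by_host in received_hops(raw):
        if by_host not in trusted_hosts:
            break
        last = (from_host, from_ip)
    return last


if __name__ == "__main__":
    for hop in received_hops(RAW_MESSAGE):
        print("from %s [%s] by %s" % hop)
    print("report to:", handoff_hop(RAW_MESSAGE, {"mail.example.org", "mx.example.net"}))
```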

Now. I'm off to Colombia, where someone's widow is offering me free sex and eighteen billion Deutsche marks. What's that in Zim dollars?
