Don't Get Lured by Phishing Scams
Avoid becoming a victim and reassure potential funders
By: Frith Gowan
December 9, 2005
Published on TechSoup.org [http://www.techsoup.org/learningcenter/internet/page4777.cfm]
Copyright © 2005 CompuMentor. This work is published under a Creative Commons Attribution-NonCommercial-NoDerivs 3.0 License. [http://creativecommons.org/licenses/by-nc-nd/3.0/]

The message was familiar enough: "Together, we can save a life." The Red Cross needs your donation, it read, to help people hurt by Hurricane Katrina. The graphics, too, appeared legitimate: you recognized the organization's logo, and the entire email message looked similar to the announcements you'd seen online, in newspapers, and on TV. The process was much like any online donation system: there was a donation link, which led to a Red Cross page that asked you how much you wanted to give, collected your credit card information, and thanked you for your donation.

But it was all a scam. The graphics were swiped from the real Red Cross site, the language was copied from legitimate messages that had been circulating around the Internet, and — for the coup de grâce — the email link took you to a server in Korea, where criminals waited to receive your credit card information — now stolen and ready to be sold on the black market along with hundreds of other people's information.

It's called phishing, and as scammers exploit weaknesses in the Internet to fish for credit card data and other sensitive information by impersonating legitimate businesses and organizations, you can count yourself lucky — and increasingly, in the minority — if you haven't found yourself the target of such a scam.

Taking the Bait

According to a June 2005 report by research firm Gartner, 73 million Americans received an average of 50 phishing emails in the previous year, an increase of 28 percent over the year before.
Of these targets, 1.2 million reported losing money to the scams, for a total loss of nearly $929 million. And the trend isn't showing any signs of slowing. The Anti-Phishing Working Group [http://www.antiphishing.org/] received reports of 5,259 unique Web sites set up by phishers in September 2005 alone, nearly ten times as many as in September 2004.

Once criminals gain access to their victims' banking or credit accounts, they can withdraw money, make purchases, create duplicate ATM cards, and even lock users out of their own accounts by changing passwords. They can open new accounts in their victims' names with bogus mailing addresses so their victims remain unaware while their good credit rating suffers, and they can even pass on worms and viruses that propagate their scams even further.

Something Smells Phishy in Your Inbox

While phishing scams are constantly evolving, most share common traits that make them easier to identify. Here are some common ploys to look out for whenever you get email messages that ask you for information:

* Sense of Urgency: To tempt you to respond, phishing scams usually have a sense of urgency — an important account has been suspended, someone tried to access a bank account — and immediate action is required.

* Lacks Personal Information: Since the message has been sent to a large number of recipients, it typically doesn't include any personal information about you, but it asks for plenty of information, such as your bank account number, PIN, and social security number. However, some scams do guess at your name by extrapolating it from your email address.

* Deceptive Subject: Scammers craft subject lines that are designed to catch your attention: "Important notice about your account" or "Maybe you can save one life." Often, subject lines have words purposefully misspelled to escape spam filters that would otherwise prevent the messages from reaching your inbox.
* Fake Sender Address: It's not hard for someone to make a message look like it came from someone at a legitimate company: all they need to do is forge the sender's address. Thus, it looks like you received an important message from support@citibank.com, but even if there is a real support@citibank.com, the email didn't originate there. Many email clients include an option to display "raw" or "complete" message header information. By studying this information closely, you may discover that a message was handed to your mail server by a machine other than the one that supposedly sent it.

* Professional-Looking Content: Phishers often copy graphics, logos, and language directly from a real organization's Web site. Often, they'll include links to privacy policies and other pages on the legitimate site.

* Hidden Links: Using HTML, scammers can hide the addresses of their servers behind a link that looks like it's going to a legitimate server. That is, while the visible link text looks real, the address in the HTML code (the href) actually sends you to a phisher's Web site. Other times, links are hidden behind images. To find out if a message you've received is hiding links behind HTML, choose "show source" in your email client to see the offending code, or hover over the link and compare the address your client shows in its status bar with the text you see.

* Sneaky URLs: Some criminals register domain names that are very similar to legitimate domain names in order to trick the unsuspecting. Other times, they'll use subdomains of a domain they control, such as http://citibank.criminalsite.com, where they own criminalsite.com and the "citibank" part is just a subdomain that they can name however they wish. Often, they use a numeric IP address instead of a domain name.

* Fake Security Logos: Phishers make use of fake security logos in email and on their Web sites to fool you into thinking you're on an authentic site.
You might see, for example, a Verisign "Secure Site" logo, which is supposed to indicate that Verisign has verified that the site is who it says it is and that it uses appropriate encryption technology, but on a phishing site it's nothing more than a meaningless graphic copied from elsewhere.

* Redirects to Real Site: In some scams, such as many of the recent Red Cross fakes, phishers direct you to their servers, where they ask you to enter credit card information. After you enter the information, they take you back to the real Red Cross site, so you think you just made a genuine donation to the Red Cross.

* Pharming: Sometimes malicious hackers attack DNS servers, which translate the domain names in URLs into the numerical IP addresses computers actually connect to. By feeding these servers incorrect records that map a real domain name to the wrong IP address, traffic to a real site can be diverted to a fake site that's designed to look like the real one. Because the URL appears correct in the address bar, users can't tell they're on the wrong site.

* Corruption of Hosts File: Scammers often send out malware in the form of email attachments. Some programs rewrite the victim's hosts file (the local name-to-address table the computer consults before it asks DNS), so that when a user types in a URL, they're sent to the wrong site without even realizing it.

* Forms: Web sites and even some email messages can contain forms that ask you to enter your personal information. While the forms may look just like a real login screen, code in the form actually sends the information directly to a server or a database that the criminal can access.

* Fake Address Bar: To foil more sharp-eyed viewers, phishers will sometimes send you to a Web page that loads without an address bar, much like most pop-up windows. Then, using JavaScript or ActiveX code, they construct a fake address bar that displays a legitimate URL. Sometimes phishers will simply cover the real URL with a text object containing what they want you to think is the real Web address.
* Pop-Up Windows: Using this trick, the scammer's email message contains code that sends you to a legitimate organization's site that they've hacked, and once you're there, a pop-up with no address bar appears. Users assume the pop-up is associated with the authentic page (especially if it includes graphics that are the same as ones on the real site). The pop-up will ask you for your login information, which will then be sent directly to the scammer.

* Encoded JavaScript: Some criminals send hapless surfers to sites that exploit holes in Web browsers to install software on their machines. (Visit Microsoft's site to find a patch for recent problems. [http://www.microsoft.com/technet/security/bulletin/MS05-001.mspx]) This software may log your keystrokes as you go about your business, sending your passwords and private data to a remote server where the hacker can pick them up. (Read "Removing Spyware, Viruses, and Other Malware from Windows" if you're afraid you may have been victimized by these programs.)

* Spear Phishing: Similar to targeted marketing pitches, "spear phishing" describes sending messages that are specifically relevant to smaller groups of people. For example, faculty and students at the University of Kentucky received messages about their accounts that appeared to come from a source within the university. It's becoming increasingly common for people within a company to receive messages that appear to come from executives or IT personnel.

Avoiding Lures

Nasty as all these phishing tactics are, you can avoid getting hooked by following some basic rules and using your common sense.

* First and foremost, when in the least bit of doubt, don't follow links from email and don't download attachments. Better yet, don't even open these messages, and make sure your email client isn't set to automatically load graphics. Be extremely wary about requests for personal information.
* If you think a message from your bank, credit card, or other financial institution might be legitimate, call the company and check. Don't rely on the phone number in the message, however, as that could be part of the scam. Look up the phone number from a recent statement, on your credit card itself, in a phone book, or from another verifiable source.

* Use email spam filters and antivirus software. A personal firewall can keep you safe from many hacking attempts. Always keep browsers and operating systems updated with the latest security patches. (Find resources on our special Anti-Spam page. [http://www.techsoup.org/spam/])

* Consider installing software to keep you protected from known fraudsters and to help identify the real domains behind the sites you visit. The Netcraft Anti-Phishing Toolbar [http://toolbar.netcraft.com/], the Earthlink Toolbar [http://www.earthlink.net/earthlinktoolbar], and SpoofStick [http://www.spoofstick.com/] all offer some protection for Internet Explorer and Firefox users on Windows. Another, FraudEliminator [http://www.fraudeliminator.com/download.php], works only with the Firefox browser on Windows.

* While there's no surefire way to tell whether an email was sent by a phisher, checking the "Received" lines can provide a clue. For instance, if the topmost line says something like "Received: from pohnpei-pm01-s06.telecom.fm by mail.compumentor.org," but the message was supposed to be from Washington Mutual, you may be looking at a phishing scam. Read the topmost "Received" line, which your own mail server added when it accepted the message; the lines below it were added (or simply invented) by earlier hops, and a phisher can write whatever they like there.

* Some email clients are getting into the act with features to help protect users from scams. Microsoft Outlook [http://www.microsoft.com/athome/security/email/outlook_sp2_filters.mspx] offers some limited protection. Thunderbird [https://bugzilla.mozilla.org/attachment.cgi?id=171937] has a feature that provides warning messages when an email is suspect.

* Check your credit report regularly — or immediately if you suspect you've been the victim of fraud.
(Go to www.annualcreditreport.com [http://www.annualcreditreport.com/] for information on how you can order a free annual credit report.) Always check your bank and credit card statements carefully each month.

For more information about staying safe, read the APWG's "How to Avoid Phishing Scams" [http://www.antiphishing.org/consumer_recs.html] and "Internet Fraud Preventive Measures" [http://www.ifccfbi.gov/strategy/frauh3ips.asp] from the U.S. government's Internet Fraud Complaint Center. If you think you've given out personal information to a fraudster, read "What to Do If You've Given Out Your Personal Financial Information." [http://www.antiphishing.org/consumer_recs2.htm]

The Not-So-Long Arm of the Law

Although most phishing scams are illegal under existing wire fraud and identity theft laws, these laws don't kick in unless someone is actually defrauded. Federal legislation has been proposed that would make it a crime to create email or Web sites that aim to defraud. Of course, any such law wouldn't be enforceable outside the United States. And given the fly-by-night nature of most operators, enforcement within the country is difficult enough.

Some states — including California, Texas, New Mexico, and Arizona — have passed laws that specifically target phishing. In California's Anti-Phishing Act, for example, scam victims may seek to recover the amount they lost or $500,000, whichever is greater. While the laws cannot do much to eliminate the problem, they may help publicize the issue enough to make people aware and prevent them from being defrauded in the first place.
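The "Fake Sender Address", "Hidden Links", and "Sneaky URLs" ploys and the "Received" line check above can be turned into one small offline check, which is also a useful first pass before you forward a message with its full headers. The following Python script is an added example written for this page, not code from the original article or from TechSoup. The message it parses is constructed; mail.example.org (assumed to be your own mail server), wamu.criminalsite.example, and the brand list are illustrative assumptions. It generalizes the article's Citibank subdomain case to any brand names you choose to watch for.

```python
"""Offline triage of one suspicious email: does the Received chain agree with the
claimed sender, and do the HTML links use the tricks listed in the article?
Added example for this page. The message is constructed; mail.example.org (our
own MX), wamu.criminalsite.example and the brand list are illustrative assumptions."""
import email
import ipaddress
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample. The topmost Received line was written by our own server when
# it accepted the message, so it is the one hop we can trust; the line under it is
# whatever the sending host chose to claim.
RAW_MESSAGE = """\
Received: from pohnpei-pm01-s06.telecom.fm ([192.0.2.7]) by mail.example.org
Received: from mail.wamu.com by pohnpei-pm01-s06.telecom.fm
From: "Washington Mutual" <support@wamu.com>
Content-Type: text/html

<html><body><p>Your account has been suspended. Act now.</p>
<a href="http://wamu.criminalsite.example/login">http://www.wamu.com/login</a>
<a href="http://192.0.2.10/donate">Donate now</a>
<a href="http://www.wamu.com/privacy">Privacy policy</a></body></html>
"""

# Visible link text a reader would take for a web address (scheme optional).
URL_LIKE = re.compile(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}(?:[/?#]\S*)?$", re.I)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lower-case hostname of a URL (scheme optional), or None if it has none."""
    return urlparse(url if "://" in url else "http://" + url).hostname


def is_ip_literal(host):
    """True when a bare IPv4/IPv6 address is used in place of a domain name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def brand_in_subdomain(host, brands):
    """True when a brand name is a label left of the registrable domain, as in
    citibank.criminalsite.com. Crude: assumes the owner's domain is the last two
    labels, which is wrong for example.co.uk-style names."""
    return any(brand in host.split(".")[:-2] for brand in brands)


def analyze_links(html, brands):
    """Return (href, reason) findings for deceptive anchors in an HTML body."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        target = host_of(href)
        if target is None:
            continue
        shown = host_of(text) if URL_LIKE.match(text) else None
        if shown and shown != target:
            findings.append((href, f"visible text says {shown} but link goes to {target}"))
        if is_ip_literal(target):
            findings.append((href, "link target is a bare IP address"))
        if brand_in_subdomain(target, brands):
            owner = ".".join(target.split(".")[-2:])
            findings.append((href, f"brand name used as a subdomain of {owner}"))
    return findings


def analyze_headers(msg):
    """Compare the From: domain with the host that handed the message to our MX
    (topmost Received line). Lower lines are ignored: earlier hops can forge them."""
    from_domain = msg["From"].addresses[0].domain.lower()
    received = msg.get_all("Received") or []
    match = re.match(r"from\s+([\w.-]+)", str(received[0])) if received else None
    handoff = match.group(1).lower() if match else None
    suspicious = handoff is not None and not (
        handoff == from_domain or handoff.endswith("." + from_domain))
    return {"from_domain": from_domain, "handoff_host": handoff, "suspicious": suspicious}


def triage(raw_message, brands):
    """Parse a raw message and run both checks; brands are names you expect to be spoofed."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    return {"headers": analyze_headers(msg), "links": analyze_links(msg.get_content(), brands)}


if __name__ == "__main__":
    report = triage(RAW_MESSAGE, ["wamu"])
    print(report["headers"])
    for href, reason in report["links"]:
        print(href, "->", reason)
```

Run against the constructed message, the header check reports that a telecom.fm host, not anything under wamu.com, delivered the mail, and the link check flags the text/href mismatch, the brand-as-subdomain trick, and the bare IP address while leaving the genuine privacy-policy link alone. A legitimate bank with outsourced mailing will trip the header check too, so treat its result as a prompt to phone the institution, as the article advises, not as proof of fraud.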
Even if your personal legal remedies are few, you can report phishing emails and spoofed Web sites to the following groups, which will work to shut down the fraudsters and prosecute them:

* Anti-Phishing Working Group [http://www.antiphishing.org/]
* FTC's Spam Page [http://www.ftc.gov/spam/]
* Internet Fraud Complaint Center, a joint FBI and National White Collar Crime Center Web site [http://www.ic3.gov/]

You can also forward the email to the "abuse" email address or other contact at the organization that is being spoofed. Whenever you forward phishing messages, be sure to include the entire contents of the message, including the complete message header information.

Making Sure Your NPO's Messages Look Legit

Fortunately, more and more people are becoming familiar with phishing scams and how to avoid them. But with that Internet savvy comes some paranoia that can hurt legitimate organizations. According to the recent Gartner report, more than 80 percent of U.S. online consumers claimed fears about scams and attacks made them mistrust email from individuals and companies they don't know personally. And out of these people, more than 85 percent delete suspect email without even opening it.

Keep in mind that your nonprofit isn't likely to be the target of a spoof. Phishers pick popular targets that many of their victims are likely to have a relationship with — after all, that message supposedly from Citibank saying there's a problem with your account isn't likely to have an effect unless you have a Citibank account. "The number of people who have an online relationship with any nonprofit pales in comparison with the number of people who have a relationship with PayPal, a bank, or eBay," says Rick Christ, senior consultant at NPAdvisors.com. The problem is that the proliferation of scams erodes the level of confidence people have in email, particularly solicitations for donations or information.

"It makes people less comfortable, particularly in their new relationships," says Christ. "And that's a problem for nonprofits because they don't have enough existing relationships with people. On the other hand, it doesn't mean nonprofits should back down in using the Internet to create relationships. It probably means they need to work harder. They can't sit back in a corner and wait for the Internet to be safe."

So how do you make sure your organization's legitimate messages look legit, reassure skittish donors, and prevent attacks against your organization just in case? While you can't eliminate all threats or include any magic words in your fundraising messages, follow these tips to improve your odds.

* NPAdvisors suggests that organizations wary of getting spoofed register domain names that are very similar to theirs. In a recent scam, criminals in France registered www.unitedways.org [http://www.unitedways.org/] and solicited donations, pretending to be The United Way (www.unitedway.org) [http://www.unitedway.org/]. "Had the United Way registered 'unitedways.org' this scam wouldn't have worked," NPAdvisors wrote in "First Nonprofit Phishing Scam: How to Fight Back." [http://www.npadvisors.com/NewContent/100445.asp]

* Send email only to people who have opted in to receive communications from your nonprofit, or with whom your nonprofit already has a relationship. Try to build a relationship and establish trust with your donors before you ask them for money. Building trust takes time and effort, so put as much care into your email messages as you would into any other type of campaign.

* Put your contact information — including your organization's phone number, mailing address, and main Web site address — in your message.

* Be careful about using e-newsletter services that alter URLs for tracking purposes, as the strange-looking URLs might make recipients suspicious.
Make sure your legitimate Web address is visible somewhere in the message, and remind recipients that they can always type the URL directly into their browsers instead of clicking email links.

* Do not include attachments in your emails.

* Tell recipients to look for "https://" at the start of the address and for the browser's certificate (padlock) indicator when they come to any forms asking for sensitive information. Remind them that https only shows the connection is encrypted to whatever site the address bar names, so they still need to check that the domain shown is yours.

* Always include a link to a written policy protecting personal information. Visit TechSoup's HSC Workbook to get a sample copy of an online privacy policy.

* Consider including a paragraph or two about safe donations, or linking to a third-party site that includes tips, such as Charity Navigator's donation tips. [http://www.charitynavigator.org/index.cfm/bay/content.view/catid/68/cpid/313.htm]

* Madeline Stanionis, the president of Donordigital [http://www.donordigital.com/], a fundraising and marketing company that works with nonprofits, adds that organizations should make sure any fundraising campaigns are highly visible on their Web sites.

* Stanionis also suggests offering a print-and-mail option for any email or online donation programs. "This, in addition to a multitude of other practices that consistently reassure folks that you are operating a solid program," she adds.

A Barrier to Online Fundraising Success?

In a climate of consumer fear, nonprofits need to work hard to develop the trust of their potential funders by making sure their messages don't look like phishing scams. This will also ensure that nonprofits' messages are read. After all, phishing, Christ emphasizes, should not deter nonprofits from competing online. "I think phishing is easy to toss out as an excuse," he says, "but nonprofits really need to be clear with their donors — offering lots of information online validating who they are and how efficient they are with the donor's money."
By continually providing this information, communicating with your donors — and potential donors — regularly, and communicating in a way that establishes trust, you can help ensure that phishing fears don't scare away your donors.

Resources

Find more information at the following sites.

* FraudWatch International [http://www.fraudwatchinternational.com/]
* The Anti-Phishing Working Group [http://www.antiphishing.org/]
* Internet Fraud Complaint Center [http://www.ifccfbi.gov/index.asp]
* eConsumer.gov for cross-border e-commerce complaints [https://www.econsumer.gov/]
* FTC's How Not to Get Hooked by a "Phishing" Scam [http://www.ftc.gov/bcp/edu/pubs/consumer/alerts/alt127.htm]
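The NPAdvisors tip in "Making Sure Your NPO's Messages Look Legit" (register the look-alike domains before a scammer does, as the unitedways.org case shows) is easier to act on with a list of candidates in hand. The following Python function is an added example for this page, not code from the original article or from NPAdvisors. It enumerates the variants squatters most often use: plural or singular, one character dropped, doubled or swapped with its neighbour, a hyphen inserted, digit look-alikes, and the same name under sibling TLDs. The confusable-character map and the TLD list are assumptions; check each candidate's availability with your registrar.

```python
"""Generate look-alike domain candidates a nonprofit might register defensively.
Added example for this page; 'unitedway.org' is the article's case, while the
variant rules, the confusable map and the TLD list are assumptions."""

# Digit/letter confusions commonly used by squatters (assumed list).
CONFUSABLES = {"o": "0", "l": "1", "i": "1", "e": "3", "a": "4", "s": "5"}


def lookalike_domains(domain, tlds=("org", "com", "net", "info")):
    """Return a sorted list of look-alike domains for `domain`, excluding the
    original. Rules: plural/singular, one character dropped, one character
    doubled, adjacent characters swapped, a hyphen inserted, a digit look-alike
    substituted, and the unchanged name under each sibling TLD."""
    name, tld = domain.lower().rsplit(".", 1)
    variants = set()

    # plural / singular: unitedway -> unitedways (the scam in the article)
    variants.add(name[:-1] if name.endswith("s") else name + "s")

    for i in range(len(name)):
        variants.add(name[:i] + name[i + 1:])                 # dropped character
        variants.add(name[:i + 1] + name[i] + name[i + 1:])   # doubled character
        if name[i] in CONFUSABLES:                             # digit look-alike
            variants.add(name[:i] + CONFUSABLES[name[i]] + name[i + 1:])
    for i in range(1, len(name)):
        variants.add(name[:i] + "-" + name[i:])               # hyphen inserted
    for i in range(len(name) - 1):                             # adjacent swap
        variants.add(name[:i] + name[i + 1] + name[i] + name[i + 2:])

    candidates = {f"{v}.{tld}" for v in variants if v and "--" not in v}
    candidates |= {f"{name}.{t}" for t in tlds}                # sibling TLDs
    candidates.discard(domain.lower())
    return sorted(candidates)


if __name__ == "__main__":
    for candidate in lookalike_domains("unitedway.org"):
        print(candidate)
```

For unitedway.org this yields unitedways.org (the name the scammers actually used) alongside unitedway.com, united-way.org, untedway.org, unitedwya.org and un1tedway.org. Registering every candidate is rarely worth the cost; the usual practice is to take the plural, the dropped-character forms and the .com and .net siblings, and to watch new registrations for the rest.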