Don’t get caught by phishing schemes! by Linda Gonse, Editor, Orange County IBM PC Users’ Group, California
editor@orcpug.org
In one week, I received three emails appearing to be from well-known companies. But, knowing that phishing scams concentrate on disguising themselves as ISPs, retail, or financial companies, I resisted clicking on any of the links which could lead to a bogus website and possible infection by a keylogger program.
Instead, I suspiciously read the text in one authentic-looking email from PayPal, and studied the full header on the message (see header below).
Email header from spoofed PayPal message
Received: from main2.ezpublishing.com ([72.19.192.71])
by rwcrmxc11.comcast.net (rwcrmxc11) with ESMTP
id <20051024211706r1100p6kqre>; Mon, 24 Oct 2005 21:17:06 +0000
X-Originating-IP: [72.19.192.71]
Received: from main2.ezpublishing.com (localhost [127.0.0.1])
by main2.ezpublishing.com (8.13.1/8.13.1) with ESMTP id j9OLGWBG020266
for <my personal email address>; Mon, 24 Oct 2005 14:16:32 -0700
Received: (from root@localhost)
by main2.ezpublishing.com (8.13.1/8.13.1/Submit) id j9OLGWWB020263
for <my personal email address>; Mon, 24 Oct 2005 14:16:32 -0700
Received: from jamaicans.tv.propagation.net (jamaicans.tv.propagation.net [64.182.1.110])
by main2.ezpublishing.com (8.13.1/8.13.1) with ESMTP id j9OLGVlZ020257
for <editor@orcopug.org>; Mon, 24 Oct 2005 14:16:32 -0700
Received: (from nobody@localhost)
by jamaicans.tv.propagation.net (8.11.6p2/8.11.6) id j9OLH7v15310;
Mon, 24 Oct 2005 16:17:07 -0500
Date: Mon, 24 Oct 2005 16:17:07 -0500
Message-Id: <200510242117.j9OLH7v15310@jamaicans.tv.propagation.net>
To: editor@orcopug.org
Subject: Paypal Security Measures
From: <service@paypal.com>
Reply-To:
MIME-Version: 1.0
Content-Type: text/html
Looking at the header is easy to do in Outlook Express. Just right click on the unopened email file. Then, left click on Properties. Left click on the Details tab, and click on the button Message Source. (At other times, this also allows me to peek inside an email without officially opening it and letting a virus or worm loose on my system.)
Next, I went to PayPal’s site and took a look at their answers about phishing scams.
By then, I was sure that the emails I’d received were fake and intended to phish out my personal information. All the targeted companies provided email addresses to report fake emails to follow up on them, so I forwarded those I’d received and deleted them from my email program.
The top 10 companies targeted as phishing bait are: Citibank, eBay, US Bank, PayPal, Fleet Bank, Lloyds TSB, Barclays, Earthlink/AOL, Halifax, and Westpac.
According to The Washington Post, EarthLink gets around 300 phone calls and spends just under $5,000 per incident. Still, the nation's fourth-largest ISP encounters about 15 new phishing scams a month featuring email that purports to come from its own service.
Phishers now focus almost exclusively on banks and online shopping sites. During the past 10 months, nearly 60 percent of their attacks targeted Citibank or US Bank, according to the Anti-Phishing Working Group, http://www.antiphishing.org/. EarthLink and America Online are the targets for about 3 percent of the scams.
How can I tell the difference between a real PayPal email and a fake one?
• The terms spoofing and phishing have been used to describe the act of collecting personal information using a fake email in order to commit identity theft, credit card, and Internet fraud. If you click on a link included in an email you’re not sure is from PayPal, make sure the address at the top of the browser window you’re brought to reads exactly www.paypal.com.
• PayPal emails will address you by first name, last name, or business name, and NOT by Dear PayPal User or Dear PayPal Member.
• If you are ever uncertain about the validity of the email or the email links, open a new web browser window and type in www.paypal.com.
• If you think you have received a fraudulent email, forward the entire email to spoof@paypal.com and then delete it from your email account.
If you receive a suspicious email from a familiar company, follow PayPal’s guidelines to help you separate fake emails from real ones. (Just substitute the name and web address of another company for PayPal’s.)
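The first of PayPal's rules above, checking that the browser address reads exactly www.paypal.com, is easy to get wrong if you only glance at the link text. The following is an added example, not code from the article or from PayPal, that compares the hostname a browser would actually connect to against the expected address. The sample links are constructed for the example and use reserved names (.invalid, 192.0.2.0/24) that cannot belong to a real site.

```python
"""Check that a link really goes to the address PayPal's guidance names.
Added example, not from the article; sample links are constructed."""
from urllib.parse import urlsplit

EXPECTED_HOST = "www.paypal.com"   # the address the browser window must show


def link_host(url):
    """Return the hostname a browser would actually connect to, lower-cased."""
    return (urlsplit(url).hostname or "").lower()


def link_is_genuine(url, expected_host=EXPECTED_HOST):
    """True only when the parsed hostname is exactly expected_host.
    A substring test on the whole URL is not enough: the user-info part
    before '@' and the path can both contain the expected name while the
    host the browser connects to is something else entirely."""
    return link_host(url) == expected_host


# Constructed sample links, not taken from the article's messages.
SAMPLE_LINKS = [
    "https://www.paypal.com/cgi-bin/webscr",        # genuine host
    "http://www.paypal.com.example.invalid/login",   # expected name is only a prefix of the host
    "http://www.paypal.com@192.0.2.10/",             # expected name sits in the user-info part
    "http://192.0.2.10/www.paypal.com/",             # expected name sits in the path
    "HTTPS://WWW.PAYPAL.COM/",                       # same host, different letter case
]


def audit(urls=SAMPLE_LINKS):
    """Return (url, hostname, genuine) for each link."""
    return [(u, link_host(u), link_is_genuine(u)) for u in urls]


if __name__ == "__main__":
    for url, host, ok in audit():
        print("OK  " if ok else "FAKE", host.ljust(32), url)
```

Only the parsed hostname is compared, never the raw link text: the second and third samples both contain the string www.paypal.com yet resolve to a different host, which is exactly why the rule says the address must read *exactly* www.paypal.com.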
Caption for PayPal message screenshot: This email is not from PayPal. Clues are: no personal salutation, European-style date, misspelling (bellow), and instructions urging you to log into your account.
Caption for Wells Fargo message screenshot:
What about this Wells Fargo email — is it real or is it a fake?
Answer: Notice the top of the message. It has no personal information (such as your name or account number). Wells Fargo is one word and it is not capitalized.
Now, take a look at the email’s header (condensed due to space limitations). It gives other indications that this email is meant to phish out your personal information. Note the originating domain and the notation "(may be forged)" that was added to the header by our web host’s server.
The Wells Fargo email is fake.
Received: from web1.brainwavebb.com (216-8-70-66.brainwavebb.com [216.8.70.66] (may be forged))
by main2.ezpublishing.com Sun, 23 Oct 2005 10:40:33 -0700
Received: from nobody by web1.brainwavebb.com with local (Exim 4.52)
id 1ETjqA-0006yy-11
for editor@orcopug.org; Sun, 23 Oct 2005 12:41:02 -0500
To: editor@orcopug.org
Subject: Wellsfargo Online Banking
From:
Reply-To:
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - web1.brainwavebb.com
Sender Address Domain - web1.brainwavebb.com
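The header inspection described for Outlook Express above, and the two headers shown in this article, as an added example that is not part of the original article: a Python script that walks the Received: chain with the standard library email module and reports where the message entered the mail system, what domain the From: line claims, and whether any relay flagged the connection as possibly forged. The two header blocks are the ones printed in this article (the Wells Fargo one written out one field per line, with continuation lines indented so the parser folds them); the parsing regexes, the function names and the report format are my own.

```python
"""Walk the Received: chain of a suspicious message and compare it with the
From: line. Added example, not from the original article; it parses the two
headers reproduced there with Python's standard email module."""
import email
import email.utils
import re

# The spoofed PayPal header as printed in the article; continuation lines
# are indented so the parser folds them correctly.
SPOOFED_PAYPAL = """\
Received: from main2.ezpublishing.com ([72.19.192.71])
  by rwcrmxc11.comcast.net (rwcrmxc11) with ESMTP
  id <20051024211706r1100p6kqre>; Mon, 24 Oct 2005 21:17:06 +0000
X-Originating-IP: [72.19.192.71]
Received: from main2.ezpublishing.com (localhost [127.0.0.1])
  by main2.ezpublishing.com (8.13.1/8.13.1) with ESMTP id j9OLGWBG020266
  for <my personal email address>; Mon, 24 Oct 2005 14:16:32 -0700
Received: (from root@localhost)
  by main2.ezpublishing.com (8.13.1/8.13.1/Submit) id j9OLGWWB020263
  for <my personal email address>; Mon, 24 Oct 2005 14:16:32 -0700
Received: from jamaicans.tv.propagation.net (jamaicans.tv.propagation.net [64.182.1.110])
  by main2.ezpublishing.com (8.13.1/8.13.1) with ESMTP id j9OLGVlZ020257
  for <editor@orcopug.org>; Mon, 24 Oct 2005 14:16:32 -0700
Received: (from nobody@localhost)
  by jamaicans.tv.propagation.net (8.11.6p2/8.11.6) id j9OLH7v15310;
  Mon, 24 Oct 2005 16:17:07 -0500
Date: Mon, 24 Oct 2005 16:17:07 -0500
Message-Id: <200510242117.j9OLH7v15310@jamaicans.tv.propagation.net>
To: editor@orcopug.org
Subject: Paypal Security Measures
From: <service@paypal.com>
Reply-To:
MIME-Version: 1.0
Content-Type: text/html

"""

# The Wells Fargo header the article condensed, one field per line.
SPOOFED_WELLS_FARGO = """\
Received: from web1.brainwavebb.com (216-8-70-66.brainwavebb.com [216.8.70.66] (may be forged))
  by main2.ezpublishing.com Sun, 23 Oct 2005 10:40:33 -0700
Received: from nobody by web1.brainwavebb.com with local (Exim 4.52)
  id 1ETjqA-0006yy-11 for editor@orcopug.org; Sun, 23 Oct 2005 12:41:02 -0500
To: editor@orcopug.org
Subject: Wellsfargo Online Banking
From:
Reply-To:
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - web1.brainwavebb.com
  Sender Address Domain - web1.brainwavebb.com

"""


def parse_received(value):
    """Pull the connecting host, the receiving relay and Sendmail's
    '(may be forged)' note out of one Received: value."""
    text = " ".join(value.split())              # unfold continuation lines
    m_from = re.search(r"\(?\bfrom\s+([^\s()]+)", text, re.I)
    m_by = re.search(r"\bby\s+([^\s()]+)", text, re.I)
    return {"from": m_from.group(1) if m_from else None,
            "by": m_by.group(1) if m_by else None,
            "forged": "may be forged" in text.lower()}


def in_domain(host, domain):
    host = host.lower()
    return host == domain or host.endswith("." + domain)


def analyse(raw_message):
    """Report the origin relay, the domain the From: line claims and a list
    of findings. Each relay prepends its own Received: line, so the last
    one is the earliest hop: the server that first accepted the mail."""
    msg = email.message_from_string(raw_message)
    hops = [parse_received(v) for v in msg.get_all("Received", [])]
    hops.reverse()                               # now in transit order
    claimed = email.utils.parseaddr(msg.get("From", ""))[1]
    claimed_domain = claimed.rpartition("@")[2].lower()
    # Hostnames seen anywhere in the chain (local user@host entries skipped)
    relays = [h for hop in hops for h in (hop["from"], hop["by"]) if h and "@" not in h]
    findings = []
    if not claimed_domain:
        findings.append("From: header is empty")
    elif not any(in_domain(h, claimed_domain) for h in relays):
        findings.append(f"From: claims {claimed_domain} but no relay in the chain belongs to that domain")
    for hop in hops:
        if hop["forged"]:
            findings.append(f"{hop['by']} marked the connection from {hop['from']} as '(may be forged)'")
    return {"origin_server": hops[0]["by"] if hops else None,
            "claimed_domain": claimed_domain,
            "hop_count": len(hops),
            "findings": findings}


if __name__ == "__main__":
    for name, raw in (("PayPal", SPOOFED_PAYPAL), ("Wells Fargo", SPOOFED_WELLS_FARGO)):
        report = analyse(raw)
        print(name, report["origin_server"], report["claimed_domain"], *report["findings"], sep="\n  ")
```

The one Received: line you can fully rely on is the one written by a server you trust (here the top line, added by comcast.net or by the web host main2.ezpublishing.com); every line below it was handed over by the sending system and could have been written by the phisher, so the script treats the lower hops as evidence, not proof. For the PayPal message it reports that the mail entered the system at jamaicans.tv.propagation.net while From: claims paypal.com; for the Wells Fargo message it reports the empty From: line and the "(may be forged)" note.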
There is no restriction against any non-profit group using this article as long as it is kept in context with proper credit given the author. The Editorial Committee of the Association of Personal Computer User Groups (APCUG), an international organization of which this group is a member, brings this article to you.