Friday 27 February 2009

You have to admire scammers

Of course I think scammers are scumbags but I do have a slight, grudging admiration for some of them. They are, at least, very good at what they do.

A few months ago we investigated an SMS lottery scam. One of our team received an SMS saying that she had won a Toyota Landcruiser. Of course this is nonsense but we phoned the number and recorded our conversations with the scammer. He was extremely friendly and persuasive. If he hadn’t been a despicable scam artist he would have made a despicably good car salesman or indeed a good salesman for anything else he tried to sell.

We’ve put the recordings online so you don’t have to make the calls yourself. Take a look at our web site.

But the fact remains that these scams are just unbelievable. I’m sorry for saying it again but you can’t win a lottery that you haven’t entered. You can’t win a car in a competition you haven’t entered. The relatives of dead Nigerians are never going to contact you and offer you a share of their ill-gotten inheritance. None of these things will ever happen.

However there are some scams that are much more persuasive. These are the so-called “phishing” scams. These are emails that attempt to seduce you into disclosing your personal banking details. Superficially these sound unlikely to work. Who would be so foolish as to respond to an email and give away their credit card details?

Well, this week I got one myself and it was very impressive. I knew what it was immediately but it was nevertheless very persuasive. It pretended to be from Amazon, the online store that started by selling books but that now sells everything except the kitchen sink.

Let me explain why it was so persuasive. I first received one of these emails about a week ago. It started with the usual phishing approach. It suggested that Amazon are very concerned about online security (yes, they are) and that “In order to maintain the integrity of our system, we require a brief validation of your account details.” It explained that this would help “prevent or detect fraud or abuses of our website”.

At the end of the email was a link I could click on that would help me do this.

Now I knew that this was a phishing attack. I knew this because reputable companies like Amazon NEVER send such emails. Reputable companies that use web sites to do their business never email you for such things. They might invite you to visit their web site, but they will never place a link to it in an email.

What these scammers had cleverly done was manipulate my emotional connection with Amazon. I like Amazon, I’ve used them for years and I trust them. If I hadn’t known better I might have trusted an email that appeared to be from them.

A few days later I visited the Amazon web site and I bought something. By pure coincidence just an hour later I received another phishing email that appeared to be from Amazon.

So what did I do? I went exploring the world of phishing. Do not do this at home. I did this very carefully using a highly secure computer with a range of built-in security mechanisms (yes, I use an Apple).

In fact, the link in the email connected not to Amazon but to a web site based in Spain. I was lucky enough to be using software that automatically warned me that the site was untrustworthy but not everyone will see such a warning.

What I saw was remarkable. In front of me was a perfect replica of the Amazon web page where you confirm your account details. It looked just like the real thing: the colour scheme, the typeface and the content were all just like the real thing. All the links actually connected to the genuine Amazon web site. All except one. The button to change or confirm my credit card details went to a web site hosted in Germany. This next fake web page asked me to enter all my credit card details, including all the confirmation items like the expiry date and that additional 3-digit security code.
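The check described above, every link pointing at the genuine site except the one that matters, can be done mechanically rather than by eye. This is an added Python example, not code from the original post; it assumes the brand's domain is amazon.com and uses a constructed HTML fragment in which the reserved names example.net and example.org stand in for the off-domain hosts.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domain of the brand the message claims to come from (assumption for this example).
BRAND_DOMAIN = "amazon.com"


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML fragment."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def belongs_to(host, domain):
    """True only if host is the domain itself or a real subdomain of it.
    The leading dot stops 'amazon.com.example.net' or 'notamazon.com' matching."""
    host = (host or "").lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def suspicious_links(html, brand_domain=BRAND_DOMAIN):
    """Return (href, text) for links whose host is not under the brand's domain.
    Links with no host at all (relative hrefs) are flagged for review too."""
    collector = LinkCollector()
    collector.feed(html)
    return [(href, text) for href, text in collector.links
            if not belongs_to(urlparse(href).hostname, brand_domain)]


# Constructed sample: a lookalike page where every link but two is genuine.
SAMPLE_PAGE = """
<a href="https://www.amazon.com/">Home</a>
<a href="https://www.amazon.com/gp/help">Help</a>
<a href="http://amazon.com.example.net/confirm">Confirm your card details</a>
<a href="https://www.example.org/update">Update payment</a>
"""

if __name__ == "__main__":
    for href, text in suspicious_links(SAMPLE_PAGE):
        print(f"OFF-DOMAIN: '{text}' -> {href}")
```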

I know for sure that within moments of entering my details my credit card would either have been used or my details traded with other scammers. Either way a crook would have stolen my money.

The thing that surprised me was how professionally it had been done. I could really see how someone could fall for this.

However, there is a simple way of not falling for these “phishing” attacks.

Never click on a link in an email unless you know the person who sent it to you. No bank, no online store will ever email you and ask you to visit their web site by clicking on a link. Any emails you get from a company, whether you’ve used them before or not, that ask you to click on a link should be deleted. If you want to visit their web site go to your browser and type in their web address yourself. At least then you know where you’re going.

And finally, that same lesson again. Be skeptical. Just because something is said in an email doesn’t make it true.
