Zyra.info //// Zyra's website //// More about Bank Hoaxes //// Beware of Scams //// Examples of Phishing attack spam messages //// Site Index


Well Done to Glyn at 2nd to Nunn for having explained this scam so well. This 2nd to Nunn newsletter is well worth reading and could help you to avoid getting caught out by the scam where criminals use dodgy e-mails (see bank hoaxes) to hack into your computer and steal your personal details.

----- Original Message -----
From: Glyn
To: Folk on 2nd to Nunn's Newsletter list
Sent: Wednesday, June 16, 2004 6:45 PM
Subject: 2ndtonunn Newsletter

And now for some a new word to add to our dictionary!! This is covering some old territory I know, but always worth the effort if it stops you getting caught!!


According to several sources, the fastest-growing cyber-threat this year is an activity called phishing. In a nutshell, phishing is an attempt to trick you into giving up personal information, which is then used for identity theft or other financial crimes. Here's how it works:

You receive an e-mail that appears to be from a financial institution, your Internet Service Provider (ISP), a major retailer or some other agency that you do business with and are likely to trust. This e-mail tells you there is some problem with your account, and you must log in and verify or re-enter certain information, like your credit card number, passwords or social security number. The e-mail even contains a convenient link that takes you right to the originator's web site, or so it seems. The industry group that tracks these crimes says that 15 out of the top 20 phishing scams pose as a bank or other financial institution. Earthlink, AOL, Ebay and PayPal are other popular targets.

Quite often, the e-mail will contain obvious spelling or grammatical errors, usually because the criminal has a native language other than English, - but not always. Some of these phishing letters and web sites appear amazingly authentic. The e-mail address appears correct (it's spoofed, of course) and the browser shows the correct address for the originator it is supposed to be. It's actually a graphic that is positioned on top of your browser's real address bar, but you wouldn't know that to look at it. No matter how authentic it may appear, if you respond and give the crooks the information they seek, their next step is to clean out your bank account, run up your credit cards or open new credit with your stolen identity. It will be an unpleasant mess, any way you look at it.

So, how can you protect yourself against this? First of all, do not under any circumstances click the link provided in the e-mail, and do not reply to the e-mail either. You can be sure that no legitimate institution will ever ask to you to respond to an email (or a phone call) and give personal information that they are already supposed to have. It just isn't done. However, if you feel the need to confirm this, you can contact the agency by typing their address into your browser, not by clicking a link, or you can call them. But don't use a phone number that's provided in the e-mail.

This all might seem like just common sense, but one thing that makes phishing work is that it almost always starts out with alarming news. Your account will be closed, or someone has already stolen your identity or opened a fraudulent account in your name. Whatever the story, it's something that's upsetting that needs to be handled right away. It's easier to do the wrong thing when you are a slightly rattled and in a hurry, and the e-mail method makes it even more convenient.

There is a variation of this that targets online businesses using greed instead of fear. The e-mail claims to have deposited a large (but believable) amount into your PayPal account for whatever goods or services you are selling, and they just need you to log into PayPal to confirm receipt, using the handy link. Of course, once they have your login info that PayPal account will be cleaned out faster than you can say “What happened?”

If it's any consolation, these financial firms and other businesses being mimicked by the phishers are even more concerned than you and I, because they usually wind up holding the empty bag at the end of the day. A number of them have formed an organization to combat the menace and keep the public informed. It's called the APWG, for Anti-Phishing Working Group. Earthlink is one of the members, and they are offering a free browser toolbar that alerts you before you connect to a known phishing website. It's available to everyone, Earthlink customer or not. You can access the APWG website and download their toolbar here:


There are a couple of close cousins to phishing that we might as well mention while we are on the subject. One of them is an email announcing a Microsoft patch or update that you can get by clicking the link. Just be aware that Microsoft does not announce their patches this way, and it is pretty sure that if you click on that link, something nasty will happen!!.

The other one is the old Nigerian scam, where an email claims that the sender has come into millions of dollars in some questionable way that makes it difficult for them to get it out of their country. If you help them get it into the country, they will give you a healthy percentage of it, definitely enough for you to quit your day job. They just need your bank account information to transfer the money, or they need a cash advance from you to bribe the appropriate officials. It's not going happen. There may very well be individuals in Nigeria coming into large sums of money in questionable ways, but I am quite sure they do not announce that fact to strangers over the Internet.

With a little bit of caution and common sense you should be OK, but there is another small step you can take to help bring these cyber-crooks to justice. If you get a suspicious e-mail that looks like a phishing expedition, forward it to the company or agency it is pretending to be from, or send it to APWG, or both. Everyone who might have been scammed but weren't will owe you a debt of gratitude - or more!!

If you'd like to sign up to the 2nd to Nunn newsletter, visit 2nd to Nunn Computers. Also see Zyra's Circular newsletters, which are a bit more crazy (see example). Also see Bank Hoaxes , Nigeria Scams, Antivirus measures, and other helpful pages around here.

Not to be confused with: Fishing

2nd to Nunn Newsletter reproduced with permission of 2nd to Nunn. Links (apart from antiphishing.org) have been retro-fitted within artistic licence.