Text by Henrylito D. Tacio
“It has come to our attention that your account information needs to be updated as part of our continuing commitment to protect your account and to reduce the instance of fraud on our website. If you could please take 5-10 minutes… and update your personal records, you will not run into any future problems with the online service.”
If the receiver fails to update their records, the account will be suspended. If they update it, then their online experience “will not be interrupted and will continue as normal.”
According to the e-mail, the account records must be updated “on or before” a specified date. It also gives a link where the receiver can update their records.
Rafael made one of the blunders of his life by clicking the link in the e-mail – despite the fact that he had never applied for the account cited and that the deadline had passed almost two weeks earlier.
“Out of sheer curiosity,” he said, “I clicked on the link provided in the e-mail. Whether by coincidence or not, I have been having computer problems since I did that, prompting me to scan my system for viruses, three times over a 24-hour period. According to the scans, my system is clean.”
Rafael could still be considered fortunate. He only had computer glitches after doing so.
The case of Rossana was even more troubling. When she clicked the provided link, a form was displayed and asked for her credit card numbers and password.
At first, she disregarded it. But when she received the “request” two more times, she decided to respond. She filled out the form and, soon, the nightmare started.
Two months after the incident, she received a call from her credit company. Did she transfer her residency? Did she lose her credit card? Did she purchase something astronomical? She answered negatively to all these questions. “What are all these inquiries?” she wondered.
A type of fraud
Today, Rossana knows. She had been a victim of phishing, one of the fastest-growing types of fraud. Wikipedia defines it in these words: “A type of social engineering where an attacker sends a fraudulent message designed to trick a human victim into revealing sensitive information to the attacker or to deploy malicious software on the victim’s infrastructure like ransomware.”
“Phishers create and dismantle these phony sites very, very fast, stockpiling credit card numbers, passwords and other personal financial information over the course of just a couple of days, in order to avoid detection,” explains Dan Larkin, a unit chief at the Internet Crime Complaint Center of the Federal Bureau of Investigation in the United States.
The term “phish” was first coined in the mid-1990s by crackers attempting to steal America OnLine (AOL) accounts. An attacker, so goes the story, would pose as an AOL staff member and send an instant message to a potential victim.
The message would ask the victim to reveal their password with a request to “verify your account” or to “confirm billing information.” Once the victim handed over the password, the attacker could access the victim’s account and use it for criminal purposes, such as spamming (the act of sending unsolicited electronic messages in bulk).
The term “phishing” is sometimes said to stand for password harvesting fishing, though this is likely a “backronym” – a retroactively coined acronym. Some theories trace the term “phishing” to the name “Brien Phish,” who was allegedly the first to use psychological techniques to steal credit card numbers in the 1980s. Others believe that “Brien Phish” was not a real person but a fictional character used by scammers to identify each other.
“The con men, or phishers, actually steal two identities: first, they hijack the names, and logos of trusted banks, online retailers, credit card companies, and Internet service providers, among others,” wrote James Malanowski in an article published by Reader’s Digest.
Malanowski, who was himself a victim of phishing, further wrote: “Then, (the phishers) use the fake e-mails and websites to fool people into divulging personal data – credit card numbers, account usernames and passwords, and so on. The phishers use that data to charge goods or steal money.”
“The biggest online scam ever” is how Malanowski described phishing.
Today, phishing is becoming a crime epidemic. Millions of computer users – particularly new and inexperienced users – have fallen victim to phishers. It’s estimated that up to one in twenty users who receive a phisher’s e-mail will respond to it, unknowingly providing enough sensitive information to incur tremendous financial losses.
In the Philippines, phishing is the top cybercrime being committed in the country during the pandemic, according to the National Bureau of Investigation-Cyber Crimes Division (NBI-CCD). This was revealed during a webinar titled “Cybercrime in the Time of Corona: PH Cybercrime Trends During the COVID-19 Pandemic.”
The NBI-CCD had only around 30 phishing incidents before the pandemic, but three weeks into the pandemic, the bureau had an additional 70 cases, Rappler quoted Senior Agent Francis Señora as saying.
Under Republic Act No. 10175 or the Cybercrime Prevention Act of 2012, phishing and online selling scams are punishable. The Bayanihan to Heal as One Act (RA 11469) penalizes online misinformation.
Some typical signs
From the Internet, this author has learned that there are several ways phishers lure their victims. In any case, here are a few signs typical of a phisher’s e-mail:
· The e-mail specifically states it’s not a scam. It’s kind of like when a cop stops a guy for speeding, and he immediately sputters out, “I didn’t murder anybody! You can’t prove anything!”
· The e-mail requires immediate action of some sort, like the one received by Rafael.
· The e-mail asks you to e-mail back sensitive information, as in the case of Rossana. If your bank actually uses this as a method of verifying account information, you need to switch banks.
· The e-mail contains typos or blatant grammatical mistakes. A typo isn’t a big deal, and a split infinitive isn’t something to get too worried about. But just the same, watch for these: two or more typos/misspellings, run-on sentences, weird capitalization, blatantly bad syntax, and incorrect brand spellings.
· The e-mail is impersonal. Instead of placing your name, the salutation would be: “Dear Valued Customer.”
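The five signs above can be turned into a simple mail-triage check. This is an added example, not part of the original article; the phrase lists, the similarity threshold and the brand name ExampleBank are assumptions made for illustration, and both sample messages are constructed.

```python
import re
from difflib import SequenceMatcher

# Assumed phrase lists for illustration; tune them against your own mail.
DENIAL = re.compile(r"\b(?:not|isn't|no)\s+(?:a\s+)?(?:scam|fraud|hoax)\b", re.I)
URGENCY = re.compile(r"\b(?:immediately|urgent|suspended|on or before)\b", re.I)
SENSITIVE = re.compile(r"\b(?:password|credit card|account number|pin)\b", re.I)
ASK = re.compile(r"\b(?:reply|send|confirm|verify|update|provide)\b", re.I)
GENERIC = re.compile(r"^\s*dear\s+(?:valued\s+)?(?:customer|user|member)\b", re.I | re.M)
BRANDS = ["examplebank"]  # hypothetical brand the recipient actually deals with


def misspelled_brands(text, brands=BRANDS, threshold=0.85):
    """Words that are close to, but not exactly, a known brand name."""
    hits = set()
    for word in re.findall(r"[A-Za-z]{5,}", text):
        w = word.lower()
        for brand in brands:
            if w != brand and SequenceMatcher(None, w, brand).ratio() >= threshold:
                hits.add(word)
    return sorted(hits)


def phishing_signs(body):
    """Return which of the article's five signs this message shows."""
    signs = []
    if DENIAL.search(body):
        signs.append("denies being a scam")
    if URGENCY.search(body):
        signs.append("demands immediate action")
    if SENSITIVE.search(body) and ASK.search(body):
        signs.append("asks for sensitive information")
    if misspelled_brands(body):
        signs.append("misspelled brand")
    if GENERIC.search(body):
        signs.append("impersonal greeting")
    return signs


# Constructed sample messages, not real mail.
SUSPICIOUS = """Dear Valued Customer,
This is not a scam. Your ExampelBank account will be suspended unless you
reply with your password and credit card number on or before Friday."""
ORDINARY = """Hi Rossana,
Your ExampleBank statement for March is ready. Sign in as usual to view it."""

if __name__ == "__main__":
    for message in (SUSPICIOUS, ORDINARY):
        print(phishing_signs(message))
```

A message that trips several signs at once deserves more suspicion than one that trips a single sign, since legitimate mail can also mention a deadline or a password.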
The Bangko Sentral ng Pilipinas (BSP) also issued an advisory to the public pertaining to phishing scams.
“The message is usually accompanied by a link that, when clicked, leads to a spoofed or fake website which asks you to input your personal and financial information such as user IDs, passwords and account and personal identification numbers,” BSP states.
Generally, phishers may use official-looking logos and other identifying information from financial institutions or other legitimate organizations.
“Phishing may be done in various methods other than e-mail, such as text messages, chat rooms, electronic fake banner advertisements or message boards, fake mailing lists, fake job search sites and job offers, and fake browser toolbars,” BSP says.
What you can do
As a precaution, when you receive an e-mail that you suspect came from phishers, here are some of the things you can do:
· Don’t download any included attachments. Despite what the e-mail says, most legitimate organizations don’t require their customers to download e-mailed programs to maintain accounts.
· Don’t follow any links within the e-mail, especially if the provided link is long and cumbersome. Instead, open a browser window and manually type in the web address of the company and follow links there.
· Contact customer support of the company that supposedly sent you the e-mail via e-mail or phone, and ask them to verify whatever claims are being made in the e-mail (“I’ve received an e-mail telling me my account may be canceled if I don’t confirm my account number. Is this true?”).
· Do NOT respond to the original e-mail. Get the e-mail address from the company’s website after manually typing in the address.
“Phishers are the street muggers of the digital age, using computers instead of weapons to steal financial information and identities from innocent people,” said Tatian Platt, senior vice-president for integrity assurance for America OnLine.
Whatever happened to Rafael? Well, here’s what he said: “While my trouble appears to be minor, I am not taking any chances. I decided to take the troubled system offline and replace it with a new system. Unfortunately, this caused me to lose some data.”