Email phishing attacks tarnish the reputations of targeted firms, according to a new UK survey. Two in five UK adults (42 per cent) quizzed feel that their trust in a brand would be "greatly reduced" if they received a phishing email purporting to represent it. Despite this, the majority of respondents to YouGov's online survey …
One to do - NEVER click links in e-mail you're not expecting, always open a browser and type in where you've been told to go and log in normally - if there's nothing to be said there then it's a scam. (although that only works if you haven't had a DNS/hosts file attack beforehand)
Secondly, I always forward scam, and sometimes spam, e-mails with full headers to email@example.com (where domain.com is where the email was pretending to be from, or in the case of normal spam, the originating ISP for the originating IP in the header)
"Two in five UK adults (42 per cent) quizzed feel that their trust in a brand would be "greatly reduced" if they received a phishing email purporting to represent it."
That must be the 42% who don't actually *have* email and so don't realise that *every* bank on the high street is regularly phished. Either that or these people are banking with someone that they have greatly reduced trust in.
Go ahead and link to the phisher - then put in all sorts of fake data. (Do worry about getting spyware - but if you are 'safe' go ahead.) Let the phishers figure out what is real.... If they get enough fraudulent data they will get mad. (It is a fun hobby!)
Can anybody tell me why a lot of major UK banks still don't have published SPF records? That would make blocking the phishing attempts much easier.
Source of Codes
"If the recipient makes the call, it gets routed to a cheap VoIP answering system, which may have been set-up on a compromised host," explained Neil Cook, UK technology chief at Cloudmark. "The system captures the user ID and pincode to sell on to the highest bidder, who then has full access to your account. All the while the call seems very genuine. The reassurance of speaking to an individual rather than working online will lead to many instances of consumers falling foul to such threats."
The Root Art.
That the reliance on email has led to this state of events. It's amazingly easy to ignore phishing emails, amazingly easy to avoid most spam and scam mails and apparently most people are amazingly stupid and don't do these things.
I wouldn't go so far as to say they deserve to be phished but this is a social phenomenon, we have given stupid people advanced technology and then let cleverer people fleece them.
It's a bit like being in Government.
Shirley I'd have thought that a mark of the success of a company would be when people start to receive phishing emails.
The more dodgy trawling - the better the firm.
As usual, blame somebody else
Typical, blame the brand. It's not the user's fault that they are stupid enough to fall for these emails.
My housemate almost did. Apparently he got an email (it even said "don't give information out from emails") saying to verify his details. So he promptly went to the site, luckily for him it had already been taken down, so he called the bank to complain.
I think he felt a bit thick when I said "I can't believe people still fall for these" (this was before I realised he had).
Thank you, thank you, thank you, thank you, thank you, thank you, thank you El Reg for adding a Remember me
"Secondly, I always forward scam, and sometimes spam, e-mails with full headers to firstname.lastname@example.org (where domain.com is where the email was pretending to be from, or in the case of normal spam, the originating ISP for the originating IP in the header)"
Who can usually do nothing at all about it, since as you say it was "pretending to be from" them. Even sending them the headers merely means that they are then in the position of having to check that the source is a botnet that they can't do much about.
So all this does is to hassle the innocent, and turn the "abuse@" into a global spam receptacle where the site owner would be unable to find legitimate complaints about their site or services.
Forget Barclays, I'll go with Bonsons Bank who e-mailed me!
I like the idea somebody gets a phishing email "from their bank" Barclays, they immediately distrust the bank ... next, they get a nice e-mail from Bonsons Bank in Nigeria with bad spelling, since they're looking for a new bank, they join up!
Re: Daft survey
"That must be the 42% who don't actually *have* email and so don't realise that *every* bank on the high street is regularly phished."
These are also the 42% who do not understand banking and finance and are the same people who panicked and withdrew their savings out of the perfectly healthy Northern Rock thus causing an even worse cash-flow crisis for NR. Branson and his mates must be laughing all the way to the bank (literally) for picking up a bargain.
banks - do they care?
I tried some bank domains, the only one with SPF was hsbc.co.uk.
The ones without:
BTW theregister.co.uk and theregister.com are SPFless too.
I would guess the reason for letting abuse@domain know about the emails is so that they can at least try to shut down the actual website the emails are referring people to.
I am surprised how few (if any) of the banks have their website images set so they can only be served from known authorised pages. Sure, changing that would just mean that phishing sites would use copies rather than the real thing (as many do already), but anything to make the scammers' task more complicated has to be a good move, surely?
Even better, don't block the images altogether, but serve alternative versions saying "You're being scammed". Get the logic the right way round, though - even if in some cases it might be hard to tell the difference!
Great idea, but some people (not me, I'm not paranoid) set their browsers not to send the Referer header.
Saying that, anybody who knows how to do that will realise why they're being served the wrong image. In fact they probably won't bank online, or possibly not even have a bank account (they are paranoid after all).
"Saying that, anybody who knows how to do that will realise why they're being served the wrong image. In fact they probably won't bank online, or possibly not even have a bank account (they are paranoid after all)."
You just described my boss. He follows the Scrooge McDuck doctrine: all his money is in his moneybin... oops ... I mean in cash, in home. He does no online transactions, and he *works* maintaining an online banking system. Too bad the über paranoid protection leaves him wide open to old-fashioned stickups, or whoever decides to rob his home will hit the jackpot. Oops!
"Who can usually do nothing at all about it, since as you say it was "pretending to be from" them. Even sending them the headers merely means that they are then in the position of having to check that the source is a botnet that they can't do much about."
Granted they can't stop more e-mails being sent out, but most of the banks do work hard to get the phishing sites shut down asap. If it's forwarded to them properly they have the address of the scam site, so are able to work on shutting it down. It's in their financial interest after all - they have to refund customers who lose cash when the account's been compromised.
(I know it's ultimately our money that goes, but they want some for their fat cats too.)
"It's in their financial interest after all - they have to refund customers who lose cash when the account's been compromised."
So why don't they set SPF records, which would enable mail admins to block the vast majority of the phishing attempts with a simple lookup? It's very easy: even I can do it. I'm not normally a conspiracy theorist, but there's a hidden agenda here somewhere. Nobody can be that incompetent accidentally.
It's actually a good point, I get fakes for almost every bank you can name but I can't remember the last one I got for hsbc.co.uk. SPF isn't always effective because it's dependent on mail servers supporting it, however the more servers that actively enforce SPF records the more impact it will have.
Contacting the abuse@domain email is important as most of these types of emails come from viruses/trojans on people's PCs, so while the spam was not intentionally sent by the users' machines, their connections were used and ISPs need to know so they can get in touch with their customers and get it fixed.
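As an added illustration of the SPF point raised in the comments above (this is example code, not part of the original thread), the Python below evaluates constructed SPF records against a connecting IP the way a receiving mail server would; every domain and address in it is made up, and the a/mx/ptr mechanisms are left out because they need live DNS.

```python
import ipaddress

# Constructed SPF records for made-up domains (not real bank DNS data);
# None stands for a domain that publishes no SPF record at all.
SPF_RECORDS = {
    "example-bank.test": "v=spf1 ip4:192.0.2.0/24 include:mailer.example.test -all",
    "mailer.example.test": "v=spf1 ip4:198.51.100.0/24 -all",
    "no-spf-bank.test": None,
}
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MTA_ACTION = {"fail": "reject", "softfail": "quarantine"}  # anything else: deliver


def check_spf(domain, sender_ip, records=SPF_RECORDS, depth=0):
    """Return 'pass', 'fail', 'softfail', 'neutral' or 'none' for sender_ip.

    Handles ip4/ip6/include/all; a/mx/ptr need live DNS and are skipped
    (an assumption of this example, not a full RFC 7208 implementation).
    """
    record = records.get(domain)
    if record is None or depth > 10:  # no record published, or include loop guard
        return "none"
    terms = record.split()
    if terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"  # a mechanism yields 'pass' unless prefixed otherwise
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.lower().partition(":")
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif mech == "include":  # include matches only on an inner 'pass'
            matched = check_spf(arg, sender_ip, records, depth + 1) == "pass"
        else:
            matched = False
        if matched:
            return QUALIFIER_RESULT[qualifier]
    return "neutral"  # record exhausted without a match

def triage(messages, records=SPF_RECORDS):
    """For (claimed From domain, connecting IP) pairs, give the SPF result and MTA action."""
    rows = []
    for domain, ip in messages:
        result = check_spf(domain, ip, records)
        rows.append((domain, ip, result, MTA_ACTION.get(result, "deliver")))
    return rows
```

A spoofed message claiming example-bank.test from an address outside its record hits "-all" and can be rejected, while the same spoof against no-spf-bank.test returns "none" and leaves the receiving server nothing to act on.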
@ Neil Hoskins
"It's very easy: even I can do it. I'm not normally a conspiracy theorist, but there's a hidden agenda here somewhere. Nobody can be that incompetent accidentally."
Mmm, maybe. I can say they're not incompetent accidentally, more ignorant/oblivious than a conspiracy.
Marketing departments worry too much that the stuff they send out might not get to its intended recipients. Honestly, I've actually seen people in marketing shun perfectly good suggestions and upper management side with them although the suggestion is to protect customers. They generally change their minds when they find out the true size of the security hole and have a very good style phishing attack shown to them.
I may even suggest the SPF to the Techdesk at my bank. You never know, sometimes all it takes is a flash of a torch light to set them on the right track.
Why Stop at Distrusting Phishers
At least this should get printed (there is no "anti-government comment" within). Hello nice man from the Daily Mail.
Since my first tentative virtual steps into the Worldly Wise Wibble some 2 decades ago I have taken considerable and increasing umbrage at the amount of "in-thy-face" unsolicited communications taking place. Primarily it is the junkette of the advertising industry - jamming unwanted products into my line of sight; excessively animated banners drawing my attention and triggering migraine headaches; and the army of hideous popups (scroll-overs, expanders and "pretend" browsers) that I am most utterly offended by and I have been making a point recently of avoiding all brands and products that are the subject of these vigorous advertising strategies...
Why? you might ask.
Well, put briefly and in nice simple terms... It's my b****y bandwidth. I want to use it for my entertainment and communications, not to facilitate the very mindset that makes one so numb to webpage content that one becomes more likely to fall for a phishing exercise.