How do Phishing Schemes Work?

Posted By BrokenClaw on February 7, 2008

The most infamous phishing scheme is known as the Nigerian Letter scam. In this scam, the emailer pretends to be some high-ranking official in a foreign country, notably Nigeria, who needs someone’s help in moving an extraordinary amount of cash, often in the millions of dollars, out of the country. The email preys upon greed by promising a financial windfall. The letter, of course, is a complete scam, intended only to get you to give them your bank account information.

Anyone who responds is immediately at risk for entrapment into financial ruin. There are real cases of people losing tens of thousands of dollars by responding to the Nigerian Letter scam. There have even been people who have been lured into traveling to Nigeria, where the results have been even more catastrophic. This scam has been around for many years, but, remarkably, it still finds victims.

On a smaller scale, the same principle as the Nigerian Letter scam is used for online transaction fraud. For example, a person agrees to purchase something you offered for sale online. They send you a check, but, oops, the amount is well above your agreed price. So they ask you to refund them the difference. Of course, their check turns out to be bogus.

What makes phishing schemes so dangerous is the fact that they can look so real. It’s quite simple to use graphics and designs which mimic an existing company. For example, they can copy your bank’s logo into an email message to make it look real. These bogus email messages typically ask you to click on a link so you can “confirm your password” or other authentication. Of course, the link takes you to another spoofed webpage where they can collect your login name and password. The truth is, no website, especially not a financial institution, will ever ask you to enter your password in an email. Ever.
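The spoofed link described above leaves traces a mail filter can check for: a link whose visible text names the bank while the href points somewhere else, links that leave the claimed sender's domain, and the "confirm your password" wording itself. The script below is an added example (not code from the original post); the sender domain, the `.test` look-alike host and the lure phrase list are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse
# Lure wording of the kind the post describes; extend with local observations.
LURE_PHRASES = ("confirm your password", "verify your account", "update your login")

class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in the body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(value):
    """Lower-cased hostname of a URL, or of a bare domain such as 'bank.example'."""
    return (urlparse(value if "://" in value else "http://" + value).hostname or "").lower()

def in_domain(host, domain):
    return host == domain or host.endswith("." + domain)

def find_indicators(html, sender_domain):
    """Return (kind, detail) pairs: text/href host mismatch, off-domain links, lure phrases."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        target = host_of(href)
        # Only treat the visible text as a host claim when it looks like a domain name.
        shown = host_of(text) if re.fullmatch(r"[\w.-]+\.[a-z]{2,}", text, re.I) else ""
        if shown and not in_domain(target, shown):
            findings.append(("text_host_mismatch", f"{shown} -> {target}"))
        if target and not in_domain(target, sender_domain):
            findings.append(("foreign_link", target))
    body = html.lower()
    findings += [("lure_phrase", p) for p in LURE_PHRASES if p in body]
    return findings

# Constructed sample: claims to be from the bank but every link goes to a look-alike host.
SAMPLE = ('<p>Dear customer, please <a href="http://bank-example.login-check.test/">confirm '
          'your password</a> at <a href="http://bank-example.login-check.test/">www.bank.example</a>.</p>')
```

Run `find_indicators(SAMPLE, "bank.example")` to see all three indicator kinds fire on the sample; a genuine notice whose links stay on the bank's own domain and which never asks for a password returns an empty list.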

Some phishing schemes are related to current events and disaster relief. For example, after a major disaster like Hurricane Katrina or the California wildfires, phishers will send out emails claiming to represent legitimate charity organizations. In many cases it’s difficult to distinguish the fake charities from real charities. The best advice is, if you wish to donate, use the central repository which is advertised in the major media, such as the American Red Cross, by going directly to their website yourself, and do not respond to email solicitations.

Another type of phishing scheme is known as spear phishing. In this scenario, the scammer targets employees of businesses and government agencies, in an attempt to obtain large lists of personal information. In other words, rather than going after individuals, the spear phisher tries to make a big strike all at once. By spoofing their identity and email address, they pretend to be a superior administrator or officer to convince the employee to remove some level of security from the company’s records. As you can imagine, a successful spear phishing campaign, for example at an insurance company, can gain the scammer all the information they need for massive identity theft.

Phishing schemes have taken on all sorts of variations. Another one uses instant messaging from social networks like Facebook and Twitter, to try to get you to call a phone number to “confirm your password” to a financial institution. Another development in the phishing pond preys upon newly married couples. The scammers scour the web for online wedding gift registries. Then a year or so later, they send a phishing email to the same couple regarding a baby registry from the same website. The link, of course, is spoofed, with the intention of getting the login name and password to a lucrative merchant site.

