“Phishing” scams

One of the things to watch out for in your e-mail is the notorious “phishing spam”: this is spam that tries to get you to log in to your online bank or similar. The aim is to direct you to a fake web site which will look exactly like your real bank and invite you to type in your security details. Once you type in your details, of course, you’ve given them to the spammer, not the bank, and they will then be used to drain money from your account.

Phishing attempts are pretty easy to detect with a minimum of knowledge. There’s no point in checking who the e-mail seems to be from — it’s perfectly simple to send e-mail that looks like it comes from whoever you choose. Three danger signs to check for:

1. Not addressed to you personally. My bank would always write to “Dear Paul Doherty” or “Dear Mr Doherty”, and would also include my postcode, account number or some other information not given in my e-mail address. Spammers only have your e-mail address, so they invariably write to “Dear Customer” or similar, or to no-one at all.

2. Poor English. Most phishing spammers aren’t English, so they write with a phrase book, and it usually shows.

3. Link in the e-mail is misleading. You need a little knowledge to check this, but it’s the clincher. The spammer will want to make any link look as if it goes to the bank, but really it must go to an imitation website.

One thing everyone should know is how to check what website a link really goes to, and how to decode a website address.

Different e-mail programs show the real place a link goes to in different ways: find out how yours does it. Mine does it if I just hover the mouse over the link. Check that address carefully — even if it looks like it goes to barclays.co.uk, a common trick is to register a fake website with a similar name: nationvide instead of nationwide, paypa1 instead of paypal, RB0S instead of RBOS.

Mostly, though, spammers just rely on people not being able to work out what website is being referred to. Here’s how to check it: starting from the left and just after http://, scan to the right until you find another slash (/) – stop there. If the bit immediately to the left of that has three letters (typically .com), that and the word immediately before it are the (international) website address. If it has two letters (typically .cn or .ru), that and the two words before it are the (national) website address. (.cn is China and .ru is Russia.) And if there are no words, just numbers, it’s suspicious by definition.
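The decoding rule above, written out as an added example (not part of the original article): it lists every link in an HTML e-mail body, reduces the real destination to its website address using the rule of thumb exactly as stated, and flags numeric addresses and links whose visible text names a different site. The function names and the sample message are constructed for illustration.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

def site_address(link):
    """Apply the article's rule of thumb; return (site, is_numeric)."""
    link = link if "://" in link else "http://" + link   # visible text often omits the scheme
    host = (urlsplit(link).hostname or "").rstrip(".")
    try:
        ipaddress.ip_address(host)
    except ValueError:
        labels = host.split(".")
        keep = 3 if len(labels[-1]) == 2 else 2   # two-letter ending: keep three parts
        return ".".join(labels[-keep:]), False
    return host, True                             # just numbers, no words

class LinkCollector(HTMLParser):
    """Collect (href, visible text) for each <a> in an HTML e-mail body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def audit(html):
    """Return [(real site, [warnings])] for every link in the message."""
    collector = LinkCollector()
    collector.feed(html)
    results = []
    for href, text in collector.links:
        real, numeric = site_address(href)
        warnings = ["numeric address"] if numeric else []
        # Compare only when the visible text itself looks like an address.
        shown = site_address(text)[0] if "." in text and " " not in text else real
        if shown != real:
            warnings.append("text shows " + shown)
        results.append((real, warnings))
    return results

# Constructed sample message; names are placeholders, 192.0.2.10 is a documentation address.
SAMPLE = ('<a href="http://www.example.com.login-update.example.net/?ref=X">www.example.com</a>'
          ' <a href="http://192.0.2.10/~user/">Log in</a>')
```

Calling `audit(SAMPLE)` reports the first link as really going to example.net while showing example.com, and the second as a numeric address.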

Here are three recent examples.

Abbey phishing spam

1. Addressed to generic name.

2. Suspect English (“launch the procedure of the member login update”, “does apologize for any inconvenience caused to you and is very grateful for your help”) and too many exclamation marks.

3. Link is actually to website xml48.com — the “ref” probably identifies the e-mail address that fell for this trick, so that it can be targeted with more attacks, which is why I’ve obscured it.

4. Why would a genuine bank write “If you are not a client of Abbey National Internet Banking please ignore this letter!” – it would know who its customers were.

PayPal phishing spam

1. It’s addressed to generic “Dear PayPal user”.

2. The English is OK on this one (but it says “Us” instead of “Contact Us”).

3. The website is — all numbers, no words, very suspicious. (And, if you know, ~engelbert is the directory of a user called Engelbert — probably someone whose account has been hacked by the spammer and used to host the fake site).

4. There is no “To” address.

RBS phishing spam

1. Not addressed to anyone specific.

2. Suspect English (“As of that result”)

3. Website is novacom.zaural.ru — a Russian site.