Saturday, October 11, 2008

As Financial Crisis Spreads, So Does Phishing

As the worldwide financial crisis deepens, there are, as with any such event, those who will try to take advantage of it. You'll recall the phishing upticks that occurred after events such as Katrina or the Asian tsunami in 2004, for example.

For those unaware of what phishing is, it's the process of attempting to acquire sensitive information such as passwords, credit card numbers and Social Security numbers, by using a faked email or other electronic communication purportedly from some company or government organization.

The FTC has warned about similar attempts to co-opt your financial information, using phishing spam purportedly from financial institutions or government agencies. For example, one such email attempts to get you to run an .EXE, saying it's from the FDIC and that the program is necessary to protect your investments (right).

Secure Computing's October 2008 Spam Trends report (.PDF) identifies several trends, one of which was based on the financial crisis (the others were the election and 9/11, as it was September, right?).

Here's the report's take on financial phishing:
With the U.S. financial crisis just gearing up at the end of September, it is our prediction that phishing scams which revolve around collapsed companies or buy-outs will be all the rage in October. Some administrators may feel inclined to warn their users not to believe any “we need to update our records after the buy-out” emails if they begin to appear. Wachovia was #2 on the list of most phished banks in September, but the emails preceded their purchase by Citibank.

Chase, Wachovia, Colonial, and Bank of America were the big 4 for this month and with more buy-outs and mergers on the horizon, October is shaping up to be a busy spam month. We are hopeful that users and administrators take the correct precautions and ignore these types of phishing emails, but with so many banks in the crosshairs of the current financial crisis, we fear that many might fall victim for the first time because the phishing emails talk about real-world events. Our continued advice to everyone: Just Say No to emails from any bank.

Want some practice detecting phishing? Earlier I wrote about a Carnegie Mellon University "game" that teaches you how to detect it. It's actually pretty good; I would highly recommend it.
