Thursday, 30 August 2007

Phishing: Spam that can’t be ignored

Etrade Services.com
By Shaikh Parvez
SEO
August 30, 2007


If you haven’t already heard about phishing, then get ready. Like a lot of spam, phishing is a form of unsolicited commercial email. Whereas not all spam is a scam, all attempts at phishing are scams, and the potential losses to corporations and consumers alike are stunning.

Phishing, as the name implies, is when spam is used as a means to “fish” for the credentials that are necessary to access and manipulate financial accounts. Invariably, the e-mail will ask the recipient for an account number and the related password, using an explanation that their records need updating or that a security procedure is being changed that requires confirming an account. Unsuspecting e-mail recipients who supply the information don’t know it, but within hours or even minutes, unauthorized transactions will begin to appear on whatever account was compromised.



By now, most people know that giving this information away on the Internet is a no-no. With phishing, however, it’s almost impossible to tell that the e-mail is a fraud. Like spam, e-mail from phishers usually contains spoofed FROM or REPLY TO addresses to make the e-mail look as though it came from a legitimate company.

In addition to the spoofed credentials, the e-mail is usually HTML-based. To an undiscerning eye, the e-mail bears the authentic trademarks, logos, graphics, and URLs of the spoofed company. In many cases, the HTML page is coded to retrieve and use the actual graphics of the site being spoofed. Most of the phishing I’ve received pretends to come from PayPal and contains plainly visible URLs that make it look as though clicking on them will take me to PayPal’s domain. Upon quick examination of the HTML tags behind the authentic-looking link, the actual URL turns out to be an unrecognizable and cryptic-looking IP address rather than an actual page within PayPal’s domain.
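The manual check described above, comparing the URL a link displays with the host its href actually points to, can be automated. The following is an added example and not part of the original article; it uses only the Python standard library, and the sample message and the 192.0.2.10 address are constructed.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Link text that itself looks like a URL or hostname.
HOST_IN_TEXT = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)
# Constructed sample body; 192.0.2.10 is a reserved documentation address.
SAMPLE = """<p>Your records need updating. Please confirm your account:</p>
<a href="http://192.0.2.10/cgi-bin/webscr">https://www.paypal.com/cgi-bin/webscr</a>
<a href="https://www.paypal.com/help">www.paypal.com/help</a>"""

def is_ip(host):
    """True if host is a literal IP address rather than a DNS name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

class LinkAuditor(HTMLParser):
    """Records every <a> whose real target disagrees with what it displays."""
    def __init__(self):
        super().__init__()
        self.findings, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag != "a" or self._href is None:
            return
        text = "".join(self._text).strip()
        host = urlsplit(self._href).hostname or ""
        shown = HOST_IN_TEXT.search(text)
        reasons = []
        if is_ip(host):
            reasons.append("href is a raw IP address")
        # The href host must equal the displayed host or be a subdomain of it.
        if host and shown and not ("." + host).endswith("." + shown.group(1).lower()):
            reasons.append("text shows %s but href goes to %s" % (shown.group(1), host))
        if reasons:
            self.findings.append((self._href, text, reasons))
        self._href = None

def audit(html):
    """Return (href, visible text, reasons) for each suspicious link."""
    auditor = LinkAuditor()
    auditor.feed(html)
    return auditor.findings
```

Calling `audit(SAMPLE)` flags only the first link. A link whose text is not URL-like (such as "Click here") is still flagged when its href is a raw IP address.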

PayPal, the payment subsidiary of eBay, is a common target of phishing. If you get one and you’ve never joined PayPal, then you obviously know it’s a fraud. But if you are a PayPal member, as I am, the phisher has at that point broken through the unofficial security-by-obscurity layer that once protected you. It is not difficult to see how PayPal members could be victimized by this technique.
