Phishing Goes White Collar

I was reading up on some posts from over at the ISC and I came upon an interesting read. A visitor to their site wrote in and had a pretty surprising phishing scam to tell about. Now, I don’t know that this will impact many of my readers (we’re all poor, here, right?) – but if you’ve ever rented a home to stay at for a summer vacation or similar trip, this may deserve your attention. I’ve also got a story, beneath that, of my recent personal experience dealing with a defenseless family.

The reader wrote in that they were an employee of one such rental firm, which rented out nearly 600 properties. What he experienced was a client of his writing in and bringing something to his attention. The problem was what appeared to be a normal rental site, which had a Photoshopped ‘dream vacation home’ for rent. The contact information was scarce, just a single Yahoo! Mail address. Doesn’t seem very trustworthy to me.

Upon contacting this Yahoo! address, the experienced renter received a reply which told him that the property was in demand, and urged him to quickly send some form of payment, and then his keys would be mailed out. That was it. Cut and dry. “Send me money, and I’ll send you keys.” If you really think this is how business works, you’d best be checking your credit reports right now. Even eBay has at least a few checks and balances in place to try to avoid you getting ripped off.

Last week, at work, I came across a family of distraught computer users. Odd, I thought, I’m always cheery when I’m around a computer (sure). They were using public access computers because they were away from home, on vacation – being as such, they were confused about the state of things with regard to their eBay account. They received an email “from eBay” saying their account was in danger… at least, that’s what they thought. Trouble was, the email was in Spanish. But it provided them a link and a log in! So they figured that if they just logged in to their eBay account, they could read the message on the site. But after the log in, they just kept getting error messages saying it couldn’t process their login.

My jaw about hit the floor. This phishing stuff really does work, doesn’t it? IE7, and similar browsers, are going to change the world – with their automatic phishing detection schemes. It’ll be a good thing, too. People are going to need it.

Needless to say, I immediately tried to help the family log in to their eBay account – but their password had been changed. I didn’t ask if they had a PayPal account, and I pray that if they did, their passwords weren’t the same, but I worried they might be. The biggest fright of all was that this family was SELLING THEIR HOUSE on eBay at the time they got locked out. The phisher could just finish the transaction, bank the money, and vanish.

The devastating size of this matter shook me to my most human core. All this was going on to this poor vacationing family in my town with a population under 15,000. I told them to call their bank immediately and talk to the fraud department.

If you get an email, even if you think it’s 100% legitimate, that contains a link to the site they want you to log in at, I encourage you to open a separate web browser and type the address yourself, and log in from that site’s homepage. Always know what site you’re at – and for heaven’s sake, if it’s in a language you don’t know – don’t give it your password! For all you know it could flat out say “I’m going to take this and you will have your first identity theft experience later this month” – and you would be none the wiser. Always know what you’re signing in to, just as you should always read contracts you sign. And never, ever just ‘send money’ without something else in place – use an escrow if you have to.

Peace on ya,
-G