Beware! Scams cleverly cloaked in mainstream e-mails
by Alan Zisman (c) 2003 First published in Business in Vancouver, Issue #735 November 25- December 1, 2003 High Tech Office column
When we think of computer security problems, we tend to think of nasty hackers and malicious viruses, or of shortcomings in Windows. Perhaps the biggest danger, however, is what convicted hacker Kevin Mitnick refers to as "social engineering" - our own credulity.
Mitnick used to phone corporate headquarters posing as a technician. He found it easy to convince the people to give him, a stranger, their network IDs and passwords. Similarly, when something appears in our e-mail inbox reading 'Click here,' like Alice seeing a bottle labelled 'Drink me,' we tend to do so.
This makes us easy prey for scams. It's easy to fall for an e-mail message that appears to be from someone else. This summer and fall, many clicked on virus-bearing attachments carried by well-designed messages purporting to be from Microsoft.
Other false e-mail messages try to get users to give confidential credit card or bank account information.
Recently, I received a message claiming to be from a PayPal address, and using that service's logo and colour scheme. (PayPal is an online payment service owned by eBay. It's widely used by eBay sellers, letting them get payments without needing to manage their own online credit card systems.)
It claimed "your account has been randomly flagged as part of our routine security measures" and asked me to "click here" to verify my account information. When I point to a link, my e-mail software, Eudora Mail, shows the address the link points to. In this case, the address started out as if it were at www.paypal.com, but then included a numerical Internet address. That's a suspicious sign.
Equally suspicious was a message I received recently claiming to be from TD Canada Trust, again asking me to click on a link and then to enter my access card number and password. Again, the link was a long one, starting off with what appeared to be a legitimate tdcanadatrust.com address, but continuing on to a long address including the country code 'ru' for a Web site registered in Russia.
Instead of clicking, I sent the contents of the suspicious e-mails to PayPal and TD, complete with the full header information and the HTML code. This information gives those companies' security departments what they need to try to track down the source of the e-mails. Most e-mail software includes menu options to display this full text that is normally hidden to improve readability. Both the numeric address used in the PayPal scam and the Russian address used in the TD one can no longer be accessed, so hopefully action was taken, though the scammers have probably simply moved to other Internet accounts.
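The two checks described above, reading the full headers and working out where a "click here" link really leads, can be done mechanically. The following is an added example, not code from the original column. The sample message in it is constructed: its addresses and host names are made up to resemble the PayPal and TD lures described, and the first link assumes the common "user@host" form of the trick (everything before the '@' in a Web address is a user name, so the browser connects to whatever follows it), which the column's description of a paypal.com prefix followed by a numeric address is consistent with but does not spell out. The list of legitimate domains and the two-label rule for the registrable domain are also assumptions for illustration; a real checker would use a public-suffix list.

```python
"""Inspect a suspicious e-mail: list its Received: headers, then work out
where each link in the HTML body really leads.

Added example, not code from the original column.  SAMPLE_MESSAGE is
constructed; its addresses and hosts are made up to resemble the lures
the column describes."""
import ipaddress
import re
from email import message_from_string
from email.policy import default
from urllib.parse import urlsplit

# Assumption: the brands the reader expects mail from.  A real checker
# would consult a public-suffix list; the two-label rule below is enough
# for the .com and .ru cases discussed.
LEGITIMATE_DOMAINS = {"paypal.com", "tdcanadatrust.com"}

# Constructed sample.  Link 1 assumes the "user@host" trick: the text
# before '@' is a user name, so the browser connects to the numeric
# address after it.  Link 2 hides a Russian (.ru) host behind a prefix
# that reads like tdcanadatrust.com.  Link 3 is a genuine paypal.com link.
SAMPLE_MESSAGE = """\
Received: from mail.example.net (mail.example.net [203.0.113.5]) by mx.example.org
Received: from [198.51.100.7] by mail.example.net
From: "PayPal" <service@paypal.example>
To: reader@example.org
Subject: Your account has been flagged
Content-Type: text/html

<p>Your account has been randomly flagged as part of our routine security measures.</p>
<p><a href="http://www.paypal.com@192.0.2.10/cgi-bin/webscr">Click here</a> to verify.</p>
<p><a href="http://www.tdcanadatrust.com.secure-login.example.ru/easyweb">Sign in</a></p>
<p><a href="https://www.paypal.com/help">Help centre</a></p>
"""


def received_chain(raw_message):
    """Return the Received: headers oldest hop first.  Each relay prepends
    its own line, so the order in the message is newest first."""
    msg = message_from_string(raw_message, policy=default)
    return [str(h) for h in reversed(msg.get_all("Received", []))]


def extract_links(raw_message):
    """Pull every double-quoted href out of the HTML body."""
    msg = message_from_string(raw_message, policy=default)
    return re.findall(r'href="([^"]+)"', msg.get_content())


def real_host(url):
    """Host the browser will actually connect to.  urlsplit() treats
    anything before '@' in the authority as credentials, not the host."""
    return (urlsplit(url).hostname or "").lower()


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return False
    return True


def registrable_domain(host):
    """Last two labels, e.g. 'www.paypal.com' -> 'paypal.com' (crude; see above)."""
    return ".".join(host.split(".")[-2:])


def classify_link(url):
    """Return warnings for one URL; an empty list means nothing looked wrong."""
    host = real_host(url)
    warnings = []
    if "@" in urlsplit(url).netloc:
        warnings.append("text before '@' is a user name, not the host")
    if is_ip_literal(host):
        warnings.append(f"host is a numeric address: {host}")
    if registrable_domain(host) not in LEGITIMATE_DOMAINS:
        for brand in sorted(LEGITIMATE_DOMAINS):
            if brand in url.lower():
                where = host if is_ip_literal(host) else (
                    f"{host} (top-level domain .{host.rsplit('.', 1)[-1]})")
                warnings.append(f"mentions {brand} but really goes to {where}")
    return warnings


def analyse(raw_message):
    """Map each link in the message to its list of warnings."""
    return {url: classify_link(url) for url in extract_links(raw_message)}


if __name__ == "__main__":
    for hop in received_chain(SAMPLE_MESSAGE):
        print("hop:", hop)
    for url, warnings in analyse(SAMPLE_MESSAGE).items():
        print(url, "->", "; ".join(warnings) or "looks consistent")
```

Run it on a message saved from your mail client (most clients can save a message as raw text with its headers). The Received: chain, read oldest hop first, is what the bank's or PayPal's security department uses to trace the source; the per-link warnings reproduce what pointing at the link in Eudora showed the author, without the temptation to click.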
The real customer service at TD.COM wrote back: "Please be assured that TD Canada Trust has not and will not send e-mail messages to customers requesting confidential banking information..." The same is true for PayPal. Since I'm not a TD customer I don't have an account number to enter. I wonder, though, how many customers of TD or PayPal have been taken in by such official-looking scams? Apparently, TD and PayPal are only two of a growing number of institutions whose customers are being preyed on in this way.
My advice to people receiving unexpected e-mail attachments is to never open them. Even attachments apparently from people you know well may be the result of virus infections, since many viruses mail themselves out under the names of the people whose machines they have infected. Always verify that the apparent sender actually intended to send you the attachment. Similarly, be suspicious of any e-mail wanting you to reply with personal or financial information or to go to a Web site to enter such information. If you're unsure, contact the company first, using a phone number or Web address you already know rather than one supplied in the message.
As I write this, there are reports of a new e-mail purporting to be from PayPal bearing an attachment which pops up a window asking for PayPal account information.