Monday, May 16, 2005

The Iterative Phishing Scam

The crooks known as phishers have a brand new scam, according to

...the phishing e-mails arrive at bank customers' in-boxes featuring accurate account information, including the customer's name, e-mail address and full account number. The messages are crafted to appear as if they have been sent by the banks in order to verify other account information, such as an ATM personal-identification number or a credit card CVD code, a series of digits printed on the back of most cards as an extra form of identification.

This is an especially dangerous scam because it leverages real consumer data that the bad guys may have already collected through other means. Consider the ChoicePoint debacle, for example, or any of the other recent mass disclosures of consumer data.

One hypothetical scenario: a bogus merchant who has already collected consumer data from ChoicePoint is now mass-mailing these phishing messages. The intent would be to collect even more data from victims. This time, perhaps they'll get an ATM PIN to augment the bank account number they've already stolen.

Just a reminder: if you're interested in seeing how to detect phishing and fight back against the phishers themselves, check out this previous blog entry.

In the meantime, I'd double-check every email from a supposed financial institution by voice-calling the firm.

New phishing attack uses real ID hooks
