A member of community message has contacted the Police today regarding a phishing fraud.

Whilst online on Friday evening, an e-mail was received from Ebay saying that their account had been suspended. Ebay had noticed a third party had been trying to log into the account. The e-mail asked for card details to be entered on the link. On Saturday, the bank contacted the person saying that a company had tried to make five withdrawals on their card. The hackers had also changed the ‘clicksafe’ password.

Today, another e-mail has appeared from someone purporting to be Barclays Bank, saying that the account details needed to be updated. The person does not have a Barclays bank account!

Please be extra vigilant. The information and advice below has been copied from our website: www.derbyshire.police.uk

Phishing Fraud

What is Phishing?

Phishing is the act of sending an e-mail to a user falsely claiming to b! e an established legitimate enterprise in an attempt to scam the user into surrendering private information that will be used for identity theft. The e-mail directs the user to visit a website where they are asked to update personal information such as password, national insurance number and bank accounting details. The e-mail may further suggest that the information is necessary to prevent the account from being suspended.

With this information the fraudster can do a number of things that include stealing the identity of the person who provided the information in the first place to undertaking attacks on that persons bank account. The e-mail is sent to a large group of people, seeking out account users. The scam relies on the contents of the e-mail request being adhered to by the account users and the details provided.

A growing problem

A recent survey revealed that between January 2004 and June 2004, 1.5 million phishing e-mails were sent! out. More than a quarter of a million were sent in the month of June alone. The number of active phishing sites reported in November 2004 was 1518. The average monthly growth in phishing sites from July 2004 to November 2004 is 28%.

It is worthy of note that 5% of recipients respond to spam e-mails. As a result of a response, a new identity is created using the details provided and fraud is committed on the new identity.

The use of the phishing medium as a money laundering tool appears to be emerging, where volumes of compromised user data is sold to crime groups who aggregate the stolen funds into centralised false accounts by a principal organiser or “dump leader”. The use of false employment websites, encouraging users to sign up and provide their banking facilities to forward money to other accounts for a 20% administration fee has also been revealed.

How the crime is committed

E-mails are created purporting to come from bank security departments were being circulated asking for username and pa! ssword details in connection with Internet banking. The e-mail invited account holders to click on a link, which leads to a web page. Unsuspecting account holders completed their user name and password on the web page, but unknowingly the account holder had linked into a web server run by a criminal enterprise.

Once the user name and password have been obtained the criminal logs into the online banking system of that account and transfers money from that account into another account from which they will be able to obtain the funds.

In order to facilitate the transfers a number of people are recruited who have accounts at the same bank as the target account. The recruitment involves advertisements on Internet forums and unsolicited e-mails offering jobs as ‘money processors’. Respondents to the advertisements are in receipt of 7% commission of the monies that they handle.

Once the stolen funds were received into the money processors bank a! ccount, they were given instructions to withdraw the money in cash and then to use money transfer agents and send the money to criminal organisers.

Where is the crime committed and by whom?

The crime, like the suspects and the victims may come from anywhere in the world. Recent intelligence suggests that organised crime in the former Eastern Block is taking the lead on this type of activity.

Who are the victims?

The victims of phishing at present are the banks and financial institutions that are having their customer accounts compromised. It also includes members of Internet auction sites. It is not an unrealistic assumption to consider that members of the public may be liable if they have not conducted sufficient safeguards before entering the phishing website.

Statistics show that the target institutions are English speaking with the USA, United Kingdom and Australia being the primary victims.

What do you do if you receive and e-mail from what you think is your bank?
A bank or other financial will not send e-mails to you asking you for detail such as PIN numbers, passwords or other personal data, no matter how genuine the e-mail looks.

Do not be tempted to fill out any pages and respond and if you think the e-mail is not genuine forward it on to the bank it purports to come from.

What to do?

Q: I have received an e-mail from my bank informing me that they are upgrading their security software. The e-mail is asking me to forward my user name and password to them, or is asking me to log into a website, via a link, to complete the procedure. What should I do?

A: You should never, ever, respond to an unsolicited request from anyone asking you to pass on your security details (whether it be your log in name, password, mothers maiden name or other security identifier). A legitimate organisation, such as a bank, will never ask its customer for these details.

If you are ever in doubt ! as to whether to proceed, it is always safer to say no! Then, telephon e your bank on an advertised number and tell them exactly what you have received. The bank will always be happy to receive a call from you where security of your account is concerned.

Alternatively, you can report the abuse to the internet service provider (ISP) that the fraudster is using. You can usually do this by sending the scam e-mail you have received to ‘abuse@fraudsters.isp.com’, where fraudsters.isp.com is the domain name that the fraudster is using. For instance, if the return address of the e-mail you have received is info@address.com, then you should send the message to abuse@address.com.

Remember

Although the Internet is a useful tool, you must be aware that it also allows bad people to be bad….better!

Know who you are dealing with. If you don’t know…don’t deal!

Keep your user name/passwords/PIN numbers safe, never tell anyone what they are.

Make sure that your Personal Computer is ! secure. There are many free software fire walls and malware/spyware sweepers available.

Check your bank statement. If you find any unusual transactions that you cannot recall, speak to your bank immediately.

Ensure that you are protected by a personal firewall and anti-virus software and keep them regularly updated. Report any suspicious messages you receive as abuse to the senders ISP (Internet Service Provider).

Never reply to any e-mail you are unsure of.

Send all banking related phishing e-mails to reports@banksafeonline.org.uk, Paypal e-mails to spoof@paypal.co.uk and Ebay e-mails to spoof@ebay.co.uk.

Online & Phone Fraud

On the phone

You’re at home and the telephone rings. The voice on the other end claims to be a fraud investigator from your credit card company and he tells you there has been suspicious activity on your credit card.

But first, he needs to confirm some! details as a security check. You’re worried about your account and yo u’re keen to help so you give him you’re card details and he promises to get back to you.

It sounds plausible, but you’ve just been had. And that fraudster is off spending on your credit card.

So how can you avoid being scammed over the phone?

Never reveal any details of accounts or personal information. Remember, if the caller is genuine then they will have access to all the relevant details. Let them give you the security details so that you can confirm them. Do not supply further security information unless you are satisfied as to whom you are in contact with.

If you are concerned about the source of the call then ask the caller for a main switchboard number through which you can be routed back to them. Alternatively, take their details and then make your own enquiries via a published card supplier contact e.g. on the reverse of your card.

Online

You have finally found a buyer for that item you advertised! on an online auction.

The cheque arrives, but it’s for a lot more than the agreed price. Your buyer gives you an explanation and asks you to return the balance as a cash transfer and deliver the item at the same time. You send off the goods and do the transfer without waiting for the cheque to clear and then you find out that the cheque was stolen or counterfeit. Now they’ve got your goods and your cash.

Our advice is:

Be sure of whom you are dealing with.

Don’t release funds until cheques have cleared.

Be very wary of cheques made out in excess of the asking price.

If you’re thinking of buying on an online auction, make sure that the address and postcode provided by the supplier is valid. If you’ve got doubts, don’t send any money.

If you do fall victim to fraud on an online auction, contact your nearest police station.