Phishing Fraud
What is Phishing?
Phishing is the act of sending an e-mail to a user falsely claiming to be an established legitimate enterprise in an attempt to scam the user into surrendering private information that will be used for identity theft. The e-mail directs the user to visit a website where they are asked to update personal information such as password, national insurance number and bank account details. The e-mail may further suggest that the information is necessary to prevent the account from being suspended.
With this information the fraudster can do a number of things, ranging from stealing the identity of the person who provided the information in the first place to undertaking attacks on that person's bank account. The e-mail is sent to a large group of people, seeking out account users. The scam relies on account users complying with the request in the e-mail and providing the details.
A growing problem
A recent survey revealed that between January 2004 and June 2004, 1.5 million phishing e-mails were sent out. More than a quarter of a million were sent in the month of June alone. The number of active phishing sites reported in November 2004 was 1518. The average monthly growth in phishing sites from July 2004 to November 2004 was 28%.
It is worth noting that 5% of recipients respond to spam e-mails. As a result of a response, a new identity is created using the details provided and fraud is committed on the new identity.
The use of the phishing medium as a money laundering tool appears to be emerging, where volumes of compromised user data are sold to crime groups, with the stolen funds aggregated into centralised false accounts by a principal organiser or "dump leader". The use of false employment websites, encouraging users to sign up and provide their banking facilities to forward money to other accounts for a 20% administration fee, has also been revealed.
How the crime is committed
E-mails purporting to come from bank security departments are created and circulated, asking for username and password details in connection with Internet banking. The e-mail invites account holders to click on a link, which leads to a web page. Unsuspecting account holders enter their user name and password on the web page, but unknowingly the account holder has linked into a web server run by a criminal enterprise.
Once the user name and password have been obtained the criminal logs into the online banking system of that account and transfers money from that account into another account from which they will be able to obtain the funds.
In order to facilitate the transfers, a number of people are recruited who have accounts at the same bank as the target account. The recruitment involves advertisements on Internet forums and unsolicited e-mails offering jobs as 'money processors'. Respondents to the advertisements receive a 7% commission on the monies that they handle.
Once the stolen funds are received into the money processor's bank account, they are given instructions to withdraw the money in cash and then to use money transfer agents to send the money to the criminal organisers.
Where is the crime committed and by whom?
The crime, like the suspects and the victims, may come from anywhere in the world. Recent intelligence suggests that organised crime in the former Eastern Bloc is taking the lead on this type of activity.
Who are the victims?
The victims of phishing at present are the banks and financial institutions that are having their customer accounts compromised. They also include members of Internet auction sites. It is not an unrealistic assumption to consider that members of the public may be liable if they have not taken sufficient safeguards before entering the phishing website.
Statistics show that the target institutions are English speaking, with the USA, United Kingdom and Australia being the primary victims.
What do you do if you receive an e-mail from what you think is your bank?
A bank or other financial institution will not send e-mails to you asking you for details such as PIN numbers, passwords or other personal data, no matter how genuine the e-mail looks.
Do not be tempted to fill out any pages and respond. If you think the e-mail is not genuine, forward it on to the bank it purports to come from.
What to do?
Q: I have received an e-mail from my bank informing me that they are upgrading their security software. The e-mail is asking me to forward my user name and password to them, or is asking me to log into a website, via a link, to complete the procedure. What should I do?
A: You should never, ever, respond to an unsolicited request from anyone asking you to pass on your security details (whether it be your log in name, password, mother's maiden name or other security identifier). A legitimate organisation, such as a bank, will never ask its customers for these details.
If you are ever in doubt as to whether to proceed, it is always safer to say no! Then, telephone your bank on an advertised number and tell them exactly what you have received. The bank will always be happy to receive a call from you where security of your account is concerned.
Alternatively, you can report the abuse to the internet service provider (ISP) that the fraudster is using. You can usually do this by sending the scam e-mail you have received to 'abuse@fraudsters.isp.com', where fraudsters.isp.com is the domain name that the fraudster is using. For instance, if the return address of the e-mail you have received is info@address.com, then you should send the message to abuse@address.com.
Remember
- Although the Internet is a useful tool, you must be aware that it also allows bad people to be bad... better!
- Know who you are dealing with. If you don't know...don't deal!
- Keep your user name/passwords/PIN numbers safe; never tell anyone what they are.
- Make sure that your Personal Computer is secure. There are many free software firewalls and malware/spyware sweepers available.
- Check your bank statement. If you find any unusual transactions that you cannot recall, speak to your bank immediately.
Ensure that you are protected by a personal firewall and anti-virus software and keep them regularly updated. Report any suspicious messages you receive as abuse to the sender's ISP (Internet Service Provider).
Never reply to any e-mail you are unsure of.
Send all banking related phishing e-mails to reports@banksafeonline.org.uk, PayPal e-mails to spoof@paypal.co.uk and eBay e-mails to spoof@ebay.co.uk.