
Small Business IT Threats - Phishing Fraud Investigated


How does a small business fall victim to online fraud?

The most common threat is Internet banking fraud, which can affect any small business or individual who banks online.

It is worth joining us on a “plain-English” journey of how people are caught.

Firstly, What Is Phishing?

Phishing is so-called after the word fishing - in other words using bait to catch a fish. The most common form of phishing is sending an email purporting to be from a bank, asking the recipient to validate their username and password by going to a site which looks very similar to that of their bank.

In computing, phishing is a criminal act which gathers sensitive information such as user names and passwords, with the intention of transferring funds or gathering information of value.

So We Decided To Take The Bait And Be A Fish

My colleague Dave received this email and decided to take the bait. The first thing to note is that banks never send requests like this. So beware of any request to enter usernames and passwords - even if it looks really genuine.

You will see how scarily easy it is to be taken in.

Here is the initial email he received:

Phishing Screen Shot 01

“As you can see it was asking me to follow the link ‘Click Here’ to take me to a website where I can confirm my log-in credentials” said Dave as he began the journey.

“I hovered my mouse over the link to see where it would take me first and it looks remarkably like the correct address which is:”

https://olb2.nationet.com/default2.asp?ID=3b3dc81ddfb6c18b5decbb8b73f842bca5e

“However, there was a very subtle difference in the link. The criminal’s links contained this extra bit: …nationet.com.worlddn.com…”
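The hover check Dave describes comes down to reading the hostname from right to left, because the rightmost labels decide who owns the site. As an added example (not part of the original article), this Python code classifies a link against a list of trusted domains; `TRUSTED_DOMAINS`, the function names and the second sample link (constructed from the fragment Dave quotes, since the full link is not shown) are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Assumption for this example: the only domain we trust is the genuine one
# named in the article.
TRUSTED_DOMAINS = ("nationet.com",)

# Sample links: the first is the genuine address from the article; the second
# is constructed from the "...nationet.com.worlddn.com..." fragment.
SAMPLE_LINKS = (
    "https://olb2.nationet.com/default2.asp?ID=3b3dc81ddfb6c18b5decbb8b73f842bca5e",
    "http://nationet.com.worlddn.com/",
)


def hostname_of(url):
    """Return the lower-cased hostname of a URL, without port or trailing dot."""
    return (urlsplit(url).hostname or "").rstrip(".")


def belongs_to(host, domain):
    """True only if host is the domain itself or a subdomain of it.

    The comparison is anchored at the right-hand end of the name and on a
    label boundary, because that end decides who controls the site.
    """
    return host == domain or host.endswith("." + domain)


def classify_link(url, trusted=TRUSTED_DOMAINS):
    """Classify a link as 'trusted', 'lookalike' or 'unrelated'."""
    host = hostname_of(url)
    if any(belongs_to(host, d) for d in trusted):
        return "trusted"
    labels = host.split(".")
    for domain in trusted:
        want = domain.split(".")
        # A trusted name sitting anywhere except the right-hand end means the
        # real owner is whoever registered the labels that follow it.
        if any(labels[i:i + len(want)] == want
               for i in range(len(labels) - len(want))):
            return "lookalike"
    return "unrelated"


if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(f"{classify_link(link):10} {hostname_of(link)}")
```

A mail filter or help-desk script could run the same check over every link in an incoming message and hold anything classified as `lookalike` for review.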

“So, in the interests of investigative journalism, I clicked the dodgy link to see where it took me.

And this is where I went:”

Phishing Screenshot 02

“Straight away, you can see that the browser I was using flagged it as a dangerous site. But not all browsers, such as Internet Explorer, will automatically recognise the site as suspect.”

“I persevered and continued to the site anyway, which looked like this:”

Phishing Screenshot 03

Now if you are a Nationwide customer, this will look very familiar. And it is worth noting that, regardless of which bank you are with, the criminals will always take you to a site which looks to all intents and purposes like the one you know and trust.

Take a look at the genuine site and see how similar they are:

Phishing Screenshot 04

Anyway, going back to the fake site, Dave entered a random username and password. Had this been an unsuspecting user, they might not even notice that they had just handed over the key that lets someone log on to their bank and empty the account.

Because the next screen you see is this:

Phishing Screenshot 05

It is in essence a very convincing thank you page, and soon afterwards, the recipient is then re-directed to the genuine page looking like this:

Phishing Screenshot 06

Criminals Have Humour

Most criminal phishing activity is carried out under the guise of a genuine company. And this case was no exception. I traced the originator of the email - who by the way probably don’t know their IT resources are being used by criminals - and it originated from NishiKoi.com.

And if you go to that web-address, here’s what you see:

Phishing Screenshot 07

This is the web-site of a company specialising in fish products!

So the criminals are not only trying to fleece you, but simultaneously playing a wicked joke using a real-world “fish” products company to cover their tracks.

Has anyone else had an experience of phishing?


Tags: Small Business IT Tips

6 responses so far ↓

  • 1 Barbara // Oct 15, 2007 at 8:52 pm

    Thank you for the great post. This is indeed a scam that is hitting all around the world.

    Our bank has a section on their front page that addresses this issue. They remind all online bankers that they will never email their clients, however, due to many being under time crunches, this information may not get read.

    I recently had an instance of an email from “Paypal” with the same scenario. When I clicked on the link, I, too, got the warning. It’s unfortunate that those using some browsers aren’t forewarned.

    Thanks for bringing this issue to the forefront, and educating individuals who use internet banking of one of the many scams that’s out there.

  • 2 Ian Denny // Oct 15, 2007 at 9:02 pm

    Thanks Barbara,

    It is a worry - it can so easily catch someone off-guard.

    It was an interesting exercise to go through and particularly the pure cheekiness of using a fish-related company to “piggy-back” the email!

  • 3 CatherineL // Oct 16, 2007 at 9:05 pm

    Hi Ian - Brilliant post. There’s far too many of these scams going on. I hope I haven’t been a victim of one, but like Barbara, I’ve had the dodgy paypal emails.

    The other day, we received a chase up letter from O2 for someone who had used our address, but a different name. We called O2 and they said they’d already suspected fraud.

    We asked how these people get away with opening accounts at a false address. And they said that they get a copy of one of our bills, change the address and photocopy it.

    This has scared me, because the chances are, if they did that with O2 they will have done it with other businesses. And I don’t know how else it may affect me, or what to do about it.

    You see, when I left Rainbow I found I’d mislaid my shredder. So a lot of things - old bills, even credit card statements etc, we simply took up to the place that used to rent us skips and they disposed of them.

    Any suggestions would be appreciated.

  • 4 Ian Denny // Oct 16, 2007 at 10:23 pm

    Cath,

    I’m sorry, but this is going to sound really awful following such a worthy comment!

    The sad thing is, and despite everything I’ve said, that IT is not the only challenge these days.

    The real-world stuff like paper exposes any business - large too. Banks have been caught out chucking stuff in the bin outside their office which is picked up and used by the criminals.

    We should all shred sensitive information (or as we do, avoid it being transferred to paper because of the potential misuse).

    But where we can’t avoid it, use a shredding specialist for stuff like paper, hard drives etc.

    Some of our clients will remember “Fred the Shred”. He’s a guy with lots of equivalents all over the UK that have the equivalent of a lorry that visits your premises and takes whatever you have and shreds it on their vehicle outside.

    While most people shred paper or old hard drives, I know that he can also shred guns and other stuff too!

    I suspect I have failed miserably at answering your question, but I hope I have given you food for thought.

    The moral is, firstly, don’t print stuff that could be used either against you or one of your clients if discovered.

    Secondly, wherever possible, password protect PCs in your office.

    Lastly (but not leastly because this is a short list, against a far bigger list that I won’t bore you with), shred not just paper, but also the hard drives of any PC that leaves your premises.

    If you’re wary by the way of letting a hard drive leave your office and don’t want to pay someone to shred it, consider getting it professionally wiped.

    However, that costs money, and while my last tip is environmentally less friendly, a sledgehammer applied with force and repeatedly to the drive is a cheap DIY way to get it cleared.

    Even the forensic experts struggle with something smashed to smithereens.

  • 5 Kwik Fix Plumbers - The Blog » People With Big Mouths And Interesting Blog Posts // Oct 18, 2007 at 5:11 pm

    [...] And if you’re concerned about online fraud - and who isn’t these days, check out this fascinating post by Ian Denny of Multisolutions:

  • 6 Phishing Emails Regarding PayPal : Blogging Without A Blog // Dec 21, 2007 at 8:00 am

    [...] a cyberspace friend, and owner of Multi Solutions, Ltd, , wrote a great post on phishing, titled: Small Business IT Threats - Phishing Fraud Investigated and how one of his colleagues “took the bait”. It’s a great read with an [...]
