Why do people still fall for Phishing scams?


After being bombarded with phishing e-mails this week I have had to ask myself who on earth would fall for them!

Google mail are usually very good at filtering out both spam and phishing mail; it's very rare that I'll actually see one in my inbox. This week however I must have received at least 5-6 obvious phishing emails every day and they have all been impersonating the Bank of America. I don't hold an account with the Bank of America--even if I did, would I not be suspicious of receiving the same two e-mails over and over again? Surely even to the most non-technical user that would be a telltale sign that all is not well? I frequently receive letters from my bank warning me about phishing scams and how to avoid them, so even users who are not 'in the know' should know that it exists and poses a threat.

The emails I received this week were not well presented -- with the link to an anonymous IP address being plainly visible (that's right, they didn't even bother to cloak the URL!). The message put across in the e-mail was totally inconsistent; the subject was 'Unauthorised activity' while the content of the email told me that due to the pending introduction of smartcards, I needed to update my account information. Curiosity finally got the better of me and I had to follow one of the links to see what the next stage of the scam looked like (of course, I removed my e-mail address from the URL variables to make sure I didn't let them know that my address is valid). First of all, Internet Explorer blocked the site, plainly telling me that the site was a scam; next, the front page, which emulated a logon window, simply continued to the next step despite me putting in 'goaway' and 'youidiots' as my username and password. The next page was the money maker; they asked for everything: name, address, phone numbers, e-mail address, account number, sort code, visa number, expiry, security code, mother's maiden name, first pet, first school, and so on. As well as asking for bank and credit card details, they wanted anything that could be used to verify my identity over the phone.

I just wonder who on earth would fall for this type of scam? I don't personally know of anybody who's been taken in by one of these scams, do you? Phishing scams cost businesses billions of dollars every year so people must still be falling for them. Judging by the responses to these crank calls, the general public are on top of telephone fraud; I wonder why the same doesn't apply to online fraud as well.
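The two giveaways described in the post, a link that points at a bare IP address and the recipient's e-mail address carried in the URL variables, can be checked mechanically, along with the link cloaking these particular e-mails did not bother with. This is an added example, not part of the original post; the function names, finding labels and sample message are constructed for illustration.

```python
import ipaddress, re
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qsl

HOST_IN_TEXT = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z0-9-]+)(?:[/:?#]\S*)?")  # host in URL-like text

class LinkCollector(HTMLParser):  # gathers (href, visible text) for each <a>
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_is_ip(host):
    try:
        return ipaddress.ip_address(host) is not None
    except ValueError:
        return False

def check_links(html_body, recipient):
    """Return {href: [findings]} for every link in the message body."""
    parser = LinkCollector()
    parser.feed(html_body)
    report = {}
    for href, text in parser.links:
        url = urlsplit(href)
        host, findings = url.hostname or "", []
        if host_is_ip(host):
            findings.append("ip-literal-host")  # bare IP instead of the bank's domain
        if any(recipient.lower() in v.lower() for _, v in parse_qsl(url.query)):
            findings.append("recipient-in-query")  # a click confirms the address is live
        shown = HOST_IN_TEXT.fullmatch(text.lower())
        if shown and shown.group(1) != host:
            findings.append("text-host-mismatch")  # cloaked: text names another host
        report[href] = findings
    return report

# Constructed sample body; addresses are documentation ranges, not from the e-mails above.
SAMPLE = ('<a href="http://192.0.2.45/login.php?email=user@example.com">http://192.0.2.45/login.php</a>'
          '<a href="http://198.51.100.7/boa/">www.bank.example</a>'
          '<a href="https://www.bank.example/help">Help centre</a>')
```

Calling `check_links(SAMPLE, "user@example.com")` flags the first two links and returns an empty finding list for the third.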

14 comments
federico.maggi

VoIP is playing a fundamental role as the technology enabling phone phishing attacks: bad guys do not even care about hiding the number! By the way, it seems that a new resource is coming up to collect evidence about this new way of scamming: on http://phonephishing.info everyone can report phone scams, anonymously.

david.g.white

Why do people buy lottery tickets? They think they might be the lucky one! I know of one case where a person committed suicide after falling (??200k) for a Nigeria type scam.

w2ktechman

Why? In my opinion it is due to negligent thought processes. There are several kinds of scams like this, and people fall for them because 1. They are ignorant and think that they are not at risk. 2. Because of the thought that they may become rich or make decent money. 3. Curious and ignorant.

LocoLobo

I've been getting phone calls that are phishing attempts as well. They are angling toward confirming your credit card or account number. When asked for a call back number they give up if you are firm.

fastball.dallas

I have no doubt that you and readers of these types of postings are smarter than the average human. You cite a very poorly executed version of phishing; there are many out there that are very well done, and very targeted as well. There is much study in this area; one of the best pieces I have read was a study done by Harvard and UC Berkeley. http://people.seas.harvard.edu/~rachna/papers/why_phishing_works.pdf

ackray

Two of my wife's friends fell for a false escrow scam when buying a new car. By the time I was told to take a look it was too late. The 'company' had a well done web site with a good bit of information. It was only the fact that payment was to be sent via Western Union that marked it as a scam in my mind. Google then showed the listed street address being for a different business.

malcolmlambe

Yes it's unbelievable that people still fall for this but they do. Along with the Nigerian scams in all their different guises. And then you have the poor lovesick saps that send thousands to the scammers for "a plane ticket so I can come and see you"...and then do it again after being told the money was spent on a "sick mother" "dying child" - whatever. I shake my head.

dogknees

Who was it that said "you'll never go broke betting on people's stupidity"?

Big Ole Jack

Because they're f*****g morons and won't ever learn from past mistakes, even after being warned on numerous occasions about the dangers.

DanLM

And, I know. It was a waste of my time, but I went to Bank of America's web site and reported the emails. Even went to the trouble of saving the email to a file, and opening it in EditPad to cut and paste everything. I know, it was a waste of time. But, after a point, I get irritated and want to do something. Which brings up another subject. Bank of America's abuse page is a pain in the a$$ to find. I had to jump through hoops to finally find it. Dan

Neon Samurai

Luckily, we cut off most cold calls right quick unless one of us is in the mood to let someone drone on for a half hour (I get conversation while I vacuum and I get to waste a half hour of someone's cold call centre). The latest we've got hit with is the age old door to door though. We have one "representative" that comes around to our door every three months or so trying to sell us utilities through a flat rate third party distributor. By intent or luck, the person speaks just enough English to ask for your bill to confirm if you're already signed up. Each visit we tell her repeatedly in increasingly less polite ways that we are not interested and that she should not come back. The last time she wasted only five minutes of my time and left while "no" was still being expressed politely but she'll be back. If one does sign up with them, signing a preliminary contract is almost the only way to get them to leave if you let them in the door (that happened only once), there is the next step of the gambit. They'll take your signature and a copy of your bill with them stating that someone will call to "confirm" within the week. The small print on the signed document states that you may cancel at any time within three weeks; the confirmation call does not actually come in until three days before the cancelation date. That alone was enough to call and cancel the application in processing; a process that takes you through three layers of call centre staff. Oh they are some slimy though. If you get around the pushy door to door sales staff and application, there's also the mail to contend with. This month we received a cheque for 100$ out of the blue but what they print in very small font is that you agree to sign up by default if the cheque is cashed. Now, how many people miss that and run to the bank thinking they just scored a free 100$ of spending money? Bah.. Universal Energy is slimy, slimy, slimy.

LocoLobo

What if someone steals your mail and cashes it? Now you're signed up and don't even know it!