PHISHING: Identity Theft Scam

"Phishing" is the term given to attempts to trick people into giving up personal and valuable information. A common use of stolen personal information is identity theft. According to the Federal Trade Commission, identity theft has topped the list of complaints every year since the year 2000.

An Actual Example

The image below shows a marked-up screenshot of an actual message that is an identity theft scam. Several clues indicate that this is not a legitimate message from the Sun Trust Bank (a legitimate company).

The Message Itself

Banks and other companies should not use e-mail for notifying people of important account details. E-mail is not a secure communications channel and should not be trusted with sensitive information. This message doesn't violate that general practice, but embedding an active hyperlink within the message should not be standard practice because hyperlinks can be manipulated.

The Subject Line

The subject line of the message is an announcement of a flaw in a specific web browser application. Banks don't send these kinds of announcements. If they have a concern about their customers using a specific web browser for sensitive transactions, they can determine when a specific customer is using an unsafe product when that customer connects to the online banking web site. They can then take specific and targeted actions, ranging from simply warning those customers about the risks to denying them access to the secure part of the site and redirecting them to information explaining the problem.

The Generic Salutation

The salutation in the message body is generic. If the company has your e-mail address on record, they certainly have your name and would clearly use that in the salutation to personalize the message.

Hyperlink is to an IP Address and not a Domain Name

This is a little harder to notice, but if you hover over the "sign on" hyperlink, the browser displays the web site address the hyperlink will take you to. You can see in the illustration below that the web site address is a raw IP address. Using an IP address for a public web server would be very odd for any legitimate company. Companies typically use a domain name (e.g., suntrust.com) instead of a raw IP address (e.g., 82.90.165.65) to get customers to their web sites.

There could be other clues that would alert you. One obvious one is whether or not you are a current or former customer of Sun Trust Bank.
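
A mail filter can automate two of the clues described above, the generic salutation and the hyperlink that points to a raw IP address. The following Python sketch is an added example and not part of the original page; the greeting list, the sample message body and the function names are assumptions constructed for illustration.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed list of generic greetings; tune it for your own mail flow.
GENERIC = re.compile(r"\bdear\s+(valued\s+)?(customer|client|member|user)\b", re.I)
# Constructed sample body; only the link target and link text come from the page.
SAMPLE = ('<p>Dear customer,</p><p>Please '
          '<a href="http://82.90.165.65/s/login.html">sign on</a> to confirm.</p>')

class LinkCollector(HTMLParser):
    """Collects all text plus an (href, visible label) pair for every <a>."""
    def __init__(self):
        super().__init__()
        self.links, self.text, self._href, self._label = [], [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._label = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self._label.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._label).strip()))
            self._href = None

def ip_host(url):
    """Return the URL's host if it is an IPv4/IPv6 literal, else None."""
    try:
        host = urlsplit(url).hostname or ""
        ipaddress.ip_address(host)  # raises ValueError for domain names
        return host
    except ValueError:
        return None

def phishing_clues(html):
    """Return a list of human-readable clues found in an HTML message body."""
    parser = LinkCollector()
    parser.feed(html)
    clues = ["generic salutation"] if GENERIC.search(" ".join(parser.text)) else []
    for href, label in parser.links:
        if ip_host(href):
            clues.append(f"link '{label}' points to raw IP {ip_host(href)}")
    return clues
```

Calling `phishing_clues(SAMPLE)` reports both clues. The check only recognizes dotted-quad IPv4 and IPv6 literals, so other numeric host encodings are not flagged.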

It Gets More Interesting...

Some additional research with this particular message illustrates how far the phisher can go. The screen capture images below illustrate how a clever web page author can manipulate browser elements to deceive users.

Left Pane: Address Overlay Trick as Intended

The URL in the Address field appears to be https://internetbanking.suntrust.com. This creates the illusion that the user is really at a secure site, because HTTPS is a secure web service that encrypts the data while it is transmitted from your computer to the server. The https location is actually in a text field that hovers above the browser window's real Address field to mask the real URL. The image in the pane on the right shows what is really going on.

Right Pane: Address Overlay Trick Exposed

When the browser window is arranged with the 'Links' toolbar below the 'Address' toolbar, the Address field no longer lines up where the web page author expected, and the trick is exposed. The real address is displayed in the Address field (http://82.90.165.65/s/login.html) and the deceptive mask text field is displayed separately. As you can see, it is not Sun Trust Bank. Entering information on that page would send your data to the phisher and not the bank.

What to do...

The page at Fight Identity Theft (http://www.fightidentitytheft.com/how-to-report-scams.html) provides some information about how to report a scam.

You can also check with the Federal Trade Commission (http://www.consumer.gov/idtheft/). They have some good tips to avoid falling prey to ID theft.