Phishing attacks that insert viruses and other malware, steal account numbers and otherwise try to cause users financial harm are on the rise, says Brian Yoder, vice president of engineering for CyberDefender, whose business is providing internet security to consumers and small businesses.
Yoder says the attackers used to be pimply faced 14-year-olds trying to prove how smart they were, but today's phisherman is a full-fledged crook, probably based in an Eastern European country and expert at avoiding or paying off law enforcement.
As anybody who spends more than a few minutes online knows, these guys send out millions of phishing e-mails a day. If only 1% of the people who receive them respond and get taken for even a few bucks, these crooks do well.
The most successful cyber-bums are specialists, Yoder says. Some of them buy and sell credit card numbers – $20 a number in bundles of 1,000. Others sell ever-changing encryption software to move malware and other attacks around the Internet. Some specialize in dirty web hosting where most of their clients are spammers and phishers.
Many of their favorite scams are nothing new and lots of them are laughably inept. But some of the attacks are slick enough that someone who isn't paying attention could get caught.
Here are the most frequent scamming targets – eBay is No. 1. And below are some classic schemes that just keeping on working for the crooks who rely on them:
- Money from Nigeria (or Cleveland): Unless you really do have an aunt in Nigeria, chances are the attorney trying to reach you and give you millions is a crook. "Nigeria is a lawless place and these Nigerians are seriously bad people," Yoder says. They are members of organized crime groups that have been running these scams for years, and even though the whole concept has become a joke, they still keep making money.
- Stuck in a foreign country and needing help. These crooks break into your Facebook or Twitter account, impersonate a friend of yours and ask for money. Yoder says, "It's very convincing."
- Orders to update your bank, Paypal or eBay account. Look hard at the address this kind of appeal is coming from. The first thing to the right of www. should be the name of the legitimate financial company you do business with. If it's not, hit delete as quickly as possible. "Particularly indicative of evil is a numerical address," Yoder says.
- Requests to change your password: Whether they come from Facebook, MySpace, a bank or even your company's IT department, be suspicious.
- Requests to open an attachment. Even if it is someone you know, this could be trouble, especially if the attachment ends in .exe or .pif