Be vigilant for “update your details” email scams
Categories: Security
Written By: Edward
Many of us know that most of the big banks do not send emails asking us to update our personal details. However, there are still large numbers of people who fall foul of this scam, and the scammers are getting more sophisticated every day.
Here’s how the scam usually operates:
- You receive an email allegedly from your bank (or other institution, e.g. eBay, PayPal, etc)
- The email looks legitimate, right down to the look and feel and email address
- The email asks you to click on a link and confirm your security information
- The link takes you to a page that looks legitimate
- You duly comply and give away all your personal details
- The scammer records this information and can use your account, or use your identity
This process is called “phishing”.
The scammers use clever tricks for the link in the email they send you - the most recent is to exploit a vulnerability on a real page on the original bank's or organisation's website. This means that even the link in the email looks legitimate at first glance. The vulnerability is quite simple:
Take a look at the Netcraft story that discusses this latest scam technique: Open Redirection Exploit
The Emissary Take Away: Security is a complex area, and any site that records personal information should be vigilant to consider possible exploits. For most small businesses, the effort required by a phisher to detect vulnerabilities in the small business site is too high given the amount of information they would be able to phish as a result. However, as sites grow in visitor numbers and their systems become more sophisticated (and maybe use generic redirector pages - quite common in larger sites), then more emphasis (i.e. budget) needs to be allocated for the security aspects of the system.
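The "generic redirector page" mentioned above is exactly what the open redirection trick abuses: a page that sends the visitor to whatever address it is handed. Below is an added example (not code from the original post or from Netcraft) showing that pattern beside a hardened version that only redirects to its own allowlisted hosts; the site origin and host names are constructed for the example.

```python
from urllib.parse import urlparse, urljoin

# Constructed sample values for this example (not from the original post).
SITE_ORIGIN = "https://www.example-bank.test"
ALLOWED_HOSTS = {"www.example-bank.test", "secure.example-bank.test"}


def vulnerable_redirect(next_url: str) -> str:
    """The open-redirector pattern: sends the visitor wherever the
    'next' parameter says, so a phishing link on the real domain can
    bounce victims to a look-alike site."""
    return next_url


def safe_redirect(next_url: str, default: str = "/") -> str:
    """Return a redirect target that stays on our own allowlisted hosts.

    Anything rejected falls back to `default` instead of the supplied
    value: foreign absolute URLs, protocol-relative URLs ("//evil.test"),
    non-http schemes ("javascript:"), userinfo tricks
    ("https://www.example-bank.test@evil.test/") and plaintext http.
    """
    if not next_url:
        return default
    # Browsers treat "/\evil.test" like "//evil.test", so normalise first.
    candidate = next_url.replace("\\", "/")
    parsed = urlparse(candidate)
    if parsed.scheme and parsed.scheme not in ("http", "https"):
        return default  # javascript:, data:, etc.
    if parsed.netloc:
        # Absolute or protocol-relative URL: the host must be ours,
        # with no userinfo and no downgrade to plaintext http.
        if "@" in parsed.netloc or parsed.hostname not in ALLOWED_HOSTS:
            return default
        if parsed.scheme != "https":
            return default
        return candidate
    # Only a plain site-relative path is left. "//" (and "///", which
    # browsers also read as an authority) must be refused here.
    if not candidate.startswith("/") or candidate.startswith("//"):
        return default
    return urljoin(SITE_ORIGIN, candidate)
```

Redirecting to `default` on any doubt, rather than trying to "fix" the supplied URL, is what keeps the page from becoming a redirector for someone else's site.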