Phishing, pharming and smishing



Staff member
Two words which might be new to you but which you may have run across recently, so here's what they're about.

Phishing is a new type of scam in which you are presented with a message in an email with a link to click, or you may get a popup window. Some of these may simply be spam but scammers know that so they disguise the phishing as a real-looking link or popup. These links may come from something familiar or famous like a bank, the FBI, etc. I even got one from the CIA once. Oh yeah. :rolleyes:

The usual bank scenario is something about the urgent need for you to update your online account. That's kind of hard to do if you've never even heard of the bank before. Even if you do get such a message from a bank where you actually have an account the email you received is NOT from your bank. Real banks don't require you to update anything and even if they did it would be from their webpage not from an email. The email may use the bank logo and look real but that just means the scammer can copy a .jpg or .gif file and paste it into the email.

If you click the link you're going to end up in an evil place you don't want to be. That's because the scammer is going to ask you for all kinds of personal information, maybe your credit card info, address, phone number, social security or other identifying number, and so on. The scammer/criminal (or phisher) then has enough information to possibly access your bank account or maybe enough information to get a real credit card in your name. It happens. Hence the best thing to do with such an email is to delete it. It's not real and the bank isn't going to close your account.

Pharming is an even more evil beast. This is when a scammer/criminal actually hijacks the domain name. This can be done a couple of ways. The first is to create a domain name that looks similar to the one of a real bank, company, or governmental entity. You can go there but it's a danger zone and you really don't want to do that. If in doubt, go to and type in the of the bank, etc that you have. If it's a real bank, etc their domain and their real webpage should be about the first thing you find. If you compare the domain name you find with the one you are given by the scammer and they aren't the same, don't go to the one the scammer sent you! Don't open that webpage. Needless to say, if you do, you're going to give away a lot of personal information and that is not good.

Another method of pharming is to actually click something that installs some form of spyware on your computer. Even if you are trying to go to your real bank website the spyware may redirect you to the fake or spoofed website. And if you type in your real can guess what happens, and it's bad.

It is illegal.
Yes, governments have discovered that this is happening and many have made either phishing or pharming a crime with criminal penalties attached, like fines and prison time. In the US that can be a fine of up to $250,000 and/or up to 5 years in prison. (Probably current law but don't quote me on that). Other governments have done likewise. The problem, as always, is enforcement. The phisher/pharmer has to be in that country, it has to be proved that the phisher/pharmer instigated the attacks etc. In the US, a law has also been passed to criminalize identity theft.

What should I do?
The first thing is really simple: delete that email. Don't even open it, especially if you don't know that bank. If you do open it accidentally, don't click any links in there.

You can also post the email at AFI in the Phishing section here. That's why we put it there.

Another thing is to contact an admin and let us know the fake domain you have received. We can work on those, then try and get them killed. This can prevent someone else from becoming a victim of a phishing/pharming attack. It also makes the scammers angry because it costs them money and time to make those fake websites. That's OK by me.

Garreg Ddu

Staff member
New "Phishing" virus attack from Chinese server

Full details are at of a newly recognised attempt to download a "phishing" trojan by infecting databases on web-site servers with an SQL vulnerability.

The WinZipIces phishing exploit launched by Chinese hackers using an automated script that searches for an unpatched SQL vulnerability on web servers downloads two files onto visitors' computers, JS_DLOADER.AEHM and TROJ_REALPLAY.BR.
The article says that users should check that they have up-to-date firewall and anti-virus protection on their machines.


Staff member
A few friendly suggestions for avoiding unfriendly phishers.

Avoiding phishing scams is tough. Phishers know every trick in the book, and they're dreaming up new ones as we speak. So here are some things to keep in mind while you're online:

Don't believe every warning you read — especially pop-up warnings that appear while you're surfing the Web. Unscrupulous companies use pop-up ads to display false warnings about your computer. Ignore them.

Do NOT click any button in these pop-ups, such as a "Close" or "No" button, or the "Close" box that may appear in the upper-right corner of the pop-up. Doing this might install a virus or other malicious software on your computer. To safely close a pop-up ad, press Ctrl-W (if you're using a Windows computer) or Command-W (on a Mac computer). You may receive an email that claims to be from a computer expert, warning you of a virus. These are usually hoaxes. Do not follow the steps described in any email unless you're sure the threat is real.

Don't be fooled by people pretending to be any reputable firm and offering cash prizes. They would never send you information about a contest you never entered. If you've received a message like "Final Notification: Yahoo! Mail Winner!" or "Your Email Address Has Won $XX million," it's a scam. Don't reply to the email, don't click any links in it, and never divulge any personal information. Instead, click the "Spam" button.
Gone Phishing

Email Fraud. How Not to Get Hooked by a ‘Phishing’ Scam.

Internet scammers casting about for people’s financial information have a new way to lure unsuspecting victims: They go “phishing.”

Phishing is a high-tech scam that uses spam or pop-up messages to deceive you into disclosing your credit card numbers, bank account information, Social Security number, passwords, or other sensitive information.

According to the Federal Trade Commission (FTC), phishers send an email or pop-up message that claims to be from a business or organization that you deal with – for example, your Internet service provider (ISP), bank, online payment service, or even a government agency. The message usually says that you need to “update” or “validate” your account information. It might threaten some dire consequence if you don’t respond. The message directs you to a Web site that looks just like a legitimate organization’s site, but it isn’t. The purpose of the bogus site? To trick you into divulging your personal information so the operators can steal your identity and run up bills or commit crimes in your name.

The FTC, the nation’s consumer protection agency, suggests these tips to help you avoid getting hooked by a phishing scam:

If you get an email or pop-up message that asks for personal or financial information, do not reply or click on the link in the message. Legitimate companies don’t ask for this information via email. If you are concerned about your account, contact the organization in the email using a telephone number you know to be genuine, or open a new Internet browser session and type in the company’s correct Web address. In any case, don’t cut and paste the link in the message.

Don’t email personal or financial information. Email is not a secure method of transmitting personal information. If you initiate a transaction and want to provide your personal or financial information through an organization’s Web site, look for indicators that the site is secure, like a lock icon on the browser’s status bar or a URL for a website that begins “https:” (the “s” stands for “secure”). Unfortunately, no indicator is foolproof; some phishers have forged security icons.

Review credit card and bank account statements as soon as you receive them to determine whether there are any unauthorized charges. If your statement is late by more than a couple of days, call your credit card company or bank to confirm your billing address and account balances.

Use anti-virus software and keep it up to date. Some phishing emails contain software that can harm your computer or track your activities on the Internet without your knowledge. Anti-virus software and a firewall can protect you from inadvertently accepting such unwanted files. Anti-virus software scans incoming communications for troublesome files. Look for anti-virus software that recognizes current viruses as well as older ones; that can effectively reverse the damage; and that updates automatically.

A firewall helps make you invisible on the Internet and blocks all communications from unauthorized sources. It’s especially important to run a firewall if you have a broadband connection. Finally, your operating system (like Windows or Linux) may offer free software “patches” to close holes in the system that hackers or phishers could exploit.

Be cautious about opening any attachment or downloading any files from emails you receive, regardless of who sent them.

Report suspicious activity to the FTC. If you get spam that is phishing for information, forward it to If you believe you’ve been scammed, file your complaint at, and then visit the FTC’s Identity Theft Web site at to learn how to minimize your risk of damage from ID theft. Visit to learn other ways to avoid email scams and deal with deceptive spam.

The FTC works for the consumer to prevent fraudulent, deceptive and unfair business practices in the marketplace and to provide information to help consumers spot, stop, and avoid them. To file a complaint or to get free information on consumer issues, visit or call toll-free, 1-877-FTC-HELP (1-877-382-4357); TTY: 1-866-653-4261. The FTC enters Internet, telemarketing, identity theft, and other fraud-related complaints into Consumer Sentinel, a secure, online database available to hundreds of civil and criminal law enforcement agencies in the U.S. and abroad.
Phishing is getting worse!

As the economy worsens and people are finding it harder to make ends meet phishing is thriving.

There are all types of scams for phishing, good rule of thumb, question, doubt and investigate any requests for card numbers, bank information, S.S numbers etc.

I have posted this link as there is so much information it would take hours to post. Basically it is someone trying to get your personal information by tricking you into believing they are a legitimate business, credit card or maybe a bank.

NEVER, never, never give out any personal information without verifying the source. A bank contacts you via internet, call them to verify if it is a legitimate request. 99.9 times out of a hundred you were going to give out your information.

Be careful out there, it's a jungle!


AARP The Magazine AARP

Stealing your identity with text messages
By: Sid Kirchheimer | Source: AARP Bulletin Today | April 15, 2009

Thanks to a con that has spread like wildfire in recent months, there’s new concern for anyone with a bank account and a telephone number.

The new trickery is called “smishing.” It’s a cousin of “phishing,” an attempt to get personal information via e-mails or other electronic communication. “Smishing” relies on wireless phones for identity theft by using a communications protocol called SMS (short message service), which sends text messages.

Across the country, people have been getting cellphone text messages purporting to be from their banks or credit unions—saying that their ATM cards, credit cards or bank accounts have been closed or frozen. The bogus messages then instruct recipients to call a toll-free number to settle the problem.

Similar prerecorded messages are also sent to traditional telephone “land lines.”

These phony messages purport to be from one of several hundred banks and are sent to people across the country. When calling the suggested phone number, respondents are instructed—again, usually by prerecorded prompts—to provide their account numbers and other personal information, paving the way for identity theft.

“We had instances where customers fell for it,” says Doug Johnson, senior policy analyst for the American Bankers Association. “I don’t have a number on how many victims, but this scam is prevalent.”

Your protection:

Do not respond if you get a text message or phone call allegedly sent by your bank. Scammers use programs that allow them to send text and prerecorded messages to random phone numbers.

Do not rely on your caller ID. Scammers can use “spoofing” software or voice over Internet protocol (VoIP) telephone numbers to falsely publish the name and phone number of your bank on your caller ID, making these calls appear to be authentic. Instead, telephone your bank or credit card issuer directly—look up the number yourself—if you are worried about your accounts.

If you detect any suspicious activity on any of your accounts, immediately contact your bank or credit card issuer. Then, several weeks later, check your credit history, the only website that under federal law provides all citizens with three free credit reports a year (although credit scores cost extra).


That's kinda scary -

A couple years ago I traveled to a different town and used my debit card to pay for a hotel room. The initial "hold" the hotel put on the room went through, and I did fast checkout thinking everything was ok. When the hotel went to run the charges, the debit card didn't work.

I went to fill up my gas tank to drive home, and the debit card didn't work. I had to call and borrow money from my kid's dad on another debit card to get home.

The company had "frozen" the card since it was unusual charges and had tried to call me at home to verify that the charges were legit. I didn't know until I called the back of the card (at home) to find out what the h*ll was going on.

My mom had this happen to her recently - she tried to buy a computer on line, and the charges wouldn't go through. She is a school teacher and was at work when the cc company called to verify that it was really her trying to make the purchase. So that card was "frozen" until she called the number on the back of the card to find out what was going on. They made her go to her bank with valid ID before they would "unfreeze" the card.

So I know that cc and debit card companies really do CALL people to verify charges and such and really WILL cut off the card if you don't answer the call.

I guess the thing to do if you get such a call is hang up and call the number on the back of your card to be certain it's really them.

Central Scrutinizer

Staff member
I guess the thing to do if you get such a call is hang up and call the number on the back of your card to be certain it's really them.
That sounds like the best advice if you find yourself in this situation.


Super Moderator
HSBC on Phishing


Phishing scams
An increasingly prevalent scam currently being employed by unscrupulous individuals is phishing.

Phishing involves an email message being sent out to as many Internet email addresses as the fraudster can obtain, claiming to come from a legitimate organisation such as a bank, online payment service, online retailer or similar. The email requests the recipient to update or to verify their personal and financial information, including date of birth, login information, account details, credit card numbers, PIN numbers, etc. Some of the email messages include a threat that failure to update or validate will result in, for example, the account being frozen. The objective is to induce unsuspecting recipients, who happen to be customers of the legitimate organisation being imitated, to respond to the email and to provide the information being requested.

The email will contain a link that takes you to a spoof web site that looks identical, or at least very similar, to the organisation’s genuine site. In some cases, when the link in the email is clicked, the genuine site is accessed, but is overlaid with a smaller window with the spoof site, making it more believable. Clicking on a link may also download malicious software, known as “spyware” onto your PC which will record your use of the Internet and forward this information, and possibly a log of your keystrokes, to the fraudster. The fraudsters will use this financial information to compromise bank accounts, credit cards, etc.

To avoid getting phished you should never respond to email messages that request personal or financial information and never click on a link in such an email. Reputable organisations do not send unsolicited email messages asking their customers to update or verify their personal and security details. If you are in doubt about the legitimacy of the email, or if you think that you have been a victim of a phishing scam, you should contact the organisation in question immediately. You should, however, be careful to use the normal method you use to contact the organisation in question, rather than use any suggestions included in, or by responding to, the email.

Phishing mules
Once the fraudsters have collected financial information of individuals via phishing, they are then in a position to abuse this information and steal money out of the compromised accounts. In order to cover their tracks, however, they recruit unsuspecting individuals to act as go-betweens by placing a variety of tempting job adverts on the Internet promising the chance to earn money quickly without expending much effort. These recruits are known as mules.

The bank accounts of the mules will be used to accept transfers of money from the compromised accounts. The mules will be asked to withdraw the money from their accounts in the form of cash and forward it, minus their commission, to the fraudsters using an international money transfer agency. The fraudsters can therefore maintain their anonymity, but there is a trail to the phishing mules, which can be followed by the authorities.

Be very careful about job offers which involve the acceptance and release of funds to a bank account in return for commission. Mules recruited by phishing fraudsters are money laundering and are likely to face criminal prosecution.


General Reading

Email "Spamming" and Email "Spoofing"

Email Spamming refers to sending email to thousands of email addresses, similar to a chain letter. Spamming is often done deliberately to use network resources. Email spamming may be combined with email spoofing, so that it is very difficult to determine the actual originating email address of the sender. Some email systems, including our Microsoft Exchange, have the ability to block incoming mail from a specific address. However, because these individuals change their email address frequently, it is difficult to prevent some spam from reaching your email inbox.

Email Spoofing refers to email that appears to have been originated from one source when it was actually sent from another source. Individuals, who are sending "junk" email or "SPAM", typically want the email to appear to be from an email address that may not exist. This way the email cannot be traced back to the originator.

Malicious Spoofing

There are many possible reasons why people send out emails spoofing the return address: sometimes it is simply to cause confusion, but more often it is to discredit the person whose email address has been spoofed: using their name to send a vile or insulting message.

Dealing with a Spoofed Email

There is really no way to prevent e-mail spoofing. If you get a message that is outrageously insulting, asks for something highly confidential, or just plain doesn't make any sense, then you may want to find out if it is really from the person it says it's from. You can look at the Internet Headers information to see where the email actually originated.

Remember that although your email address may have been spoofed this does not mean that the spoofer has gained access to your mailbox.

Displaying Internet Headers Information

An email collects information from each of the computers it passes through on the way to the recipient, and this is stored in the email's Internet Headers.

1. With the Outlook Inbox displayed, right-click on the message and click on the Options command to display the Message Options dialog box.

Internet Headers are best read from the bottom up, as they are added to as the email passes through the system.

2. Scroll to the bottom of the information in the Internet Headers box, then scroll slowly upwards to read the information about the email’s origin. The most important information follows the “Return-path:” and the “Reply-to:” fields. If these are different, the email is not who it says it’s from.

Virus spoofing

Email-distributed viruses that use spoofing, such as the Klez or Sobig virus, take a random name from somewhere on the infected person’s hard disk and mail themselves out as if they were from that randomly chosen address. Recipients of these viruses are therefore misled as to the address from which they were sent, and may end up complaining to, or alerting the wrong person. As a result, users of uninfected computers may be wrongly informed that they have, and have been distributing a virus.

If you receive an alert that you’re sending infected emails, first run a virus scan using a program such as Norton Anti-Virus from Symantec. If you are uninfected, then you may want to reply to the infection alert with this information:

“Your virus may have appeared to have been sent by me, but I have scanned my system and I am not infected. A number of email-distributed viruses fake, or spoof, the ‘From' address using a random address taken from the Outlook contacts list or from Web files stored on the hard drive.”

But keep in mind that a virus alert message is quite often auto generated and sent via an anti-virus server and so replying to the original email may not elicit a response.

Alternatively, if you receive an email-distributed virus, look at the Internet Headers information to see where the email actually originated from, before firing off a complaint or virus alert to the person you assume sent it.
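The header check described under "Displaying Internet Headers Information", as an added Python example that is not part of the original thread: it reads the Received lines from the bottom up and compares the Return-Path and Reply-To domains with the visible From domain. The sample message and every example.* name, address and IP in it are constructed, and comparing against From as well goes slightly beyond the Return-path/Reply-to comparison in the post.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message: every name, address and IP below is a placeholder.
SAMPLE = """\
Return-Path: <bounce@mailer.example.net>
Received: from mx.example.org (mx.example.org [192.0.2.10])
\tby inbox.example.org with ESMTP; Tue, 14 Apr 2009 10:02:11 +0000
Received: from unknown (host7.example.net [203.0.113.7])
\tby mx.example.org with SMTP; Tue, 14 Apr 2009 10:02:09 +0000
From: "Your Bank" <security@bank.example.com>
Reply-To: accounts@collect.example.net
To: customer@example.org
Subject: Urgent: update your online account

Please update your account details.
"""

# "from <name> ... [<ip>] ... by <server>" as it appears in a typical Received line.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+).*?\[(?P<ip>[0-9A-Fa-f.:]+)\].*?by\s+(?P<by>\S+)"
)


def addr_domain(value):
    """Return the lower-cased domain of the address in a header, or None."""
    _, addr = parseaddr(value or "")
    if "@" not in addr:
        return None
    return addr.rpartition("@")[2].lower()


def received_hops(msg):
    """List (claimed name, connecting IP, receiving server), oldest hop first.

    Each relay adds its Received line at the top, so the list is reversed to
    read bottom-up. Only lines added by your own provider can be trusted; a
    sender can forge anything below them.
    """
    hops = []
    for raw in reversed(msg.get_all("Received", [])):
        flat = " ".join(raw.split())  # undo header folding across lines
        m = RECEIVED_RE.search(flat)
        hops.append((m["helo"], m["ip"], m["by"]) if m else (None, None, flat))
    return hops


def sender_mismatches(msg):
    """Return the From domain and any Return-Path/Reply-To domain that differs."""
    from_dom = addr_domain(msg["From"])
    findings = []
    for name in ("Return-Path", "Reply-To"):
        dom = addr_domain(msg[name])
        if dom and dom != from_dom:
            findings.append((name, dom))
    return from_dom, findings


def analyse(raw):
    """Parse raw message text and collect the hop list and domain mismatches."""
    msg = message_from_string(raw)
    from_dom, findings = sender_mismatches(msg)
    return {"hops": received_hops(msg), "from_domain": from_dom,
            "mismatches": findings}


if __name__ == "__main__":
    report = analyse(SAMPLE)
    for helo, ip, by in report["hops"]:
        print(f"hop: {helo} [{ip}] -> {by}")
    for name, dom in report["mismatches"]:
        print(f"{name} domain {dom} differs from From domain {report['from_domain']}")
```

To try it on a real message, save the full headers and body as text and pass that text to `analyse()`.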