Research from Tumbleweed Communications showed a 400% increase
over the period in reports of e-mail fraud and phishing attacks.
Working with the Anti-Phishing Working Group, they found more than
60 unique new e-mail fraud attacks were launched – with on-line
financial institutions being the largest target group.
While the Bank of England does not have retail customers, an
e-mail purporting to be from an administrator at the bank was sent
indiscriminately across the internet, advising recipients to
download an attached file as a safeguard against credit card
fraud.
The Bank of England advised recipients not to download the file
and to delete the e-mail immediately. The National Hi-Tech Crime
Unit is now investigating. While some reports claim this to be a
phishing scam, the nature of the attachment has not yet been made
clear – leaving open the possibility that it is a virus, rather
than a phishing scam.
Visa customers were victims of a more conventional phishing
attack over the holiday period.
According to reports, spam e-mails advised Visa customers to
link to a Visa web site in order to comply with a new security
system. However, the site did not belong to Visa, but to fraudsters
hoping to obtain customer account details. The site has now been
removed.
Such attacks are not new, but still catch people out, relying on
their trust in a familiar brand to perpetrate the fraud. Usually
the phishers send their e-mail using a related trick, known as
spoofing, where the identity of the sender is manipulated.
When offering a link to the site, it is easy to disguise the
URL. A common trick in phishing scams is to use the @ symbol in the
URL. Most browsers will ignore all characters preceding the @
symbol – so the URL http://www.visa.com@phishingcrook.com may look
to the unsuspecting user like a page of Visa's site. But it simply
takes visitors to phishingcrook.com. The longer the URL, the easier
it is to conceal the true destination address. Similarly,
subdomains are used – e.g. http://www.visa.com.phishingcrook.com
again takes visitors to a page of the fraudster's site, rather than
visa.com.
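
A defensive check for the two URL disguises described above, added here as an example and not part of the original article: it extracts the host a browser would actually contact and flags a trusted brand domain that appears before the @ or as leading subdomain labels of another site. The function names and the BRAND_DOMAINS list are assumptions made for the illustration; the sample URLs are the ones quoted in the article.

```python
from urllib.parse import urlsplit

# Constructed list of brand domains to protect (assumption for this example).
BRAND_DOMAINS = ("visa.com",)


def real_host(url):
    """Return the host actually contacted; text before '@' is only userinfo."""
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def check_link(url):
    """Return finding codes for the two disguises described in the article."""
    host = real_host(url)
    # Everything between the scheme and the last '@' in the authority part.
    userinfo = urlsplit(url).netloc.rpartition("@")[0].lower()
    findings = []
    for brand in BRAND_DOMAINS:
        if host == brand or host.endswith("." + brand):
            continue  # the link really is on the brand's own domain
        if brand in userinfo:
            # Brand shown before '@', real destination is a different host.
            findings.append("userinfo-brand")
        if ("." + brand + ".") in ("." + host):
            # Brand used as subdomain labels of an unrelated domain.
            findings.append("subdomain-brand")
    return findings


if __name__ == "__main__":
    # The two URLs quoted in the article, plus a genuine-looking one.
    for link in (
        "http://www.visa.com@phishingcrook.com",
        "http://www.visa.com.phishingcrook.com",
        "http://www.visa.com/security",
    ):
        print(link, "->", real_host(link), check_link(link))
```

A mail filter or link-preview tool can display the result of real_host() next to the link text, so the reader sees the true destination rather than the leading characters of the URL.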
Meanwhile, another fraudulent e-mail was sent to Malaysian
e-mail users, entitled "Urgent message to all citizens of
Malaysia". According to CNET News.com, the e-mail warns of five
forthcoming terrorist attacks, with details of the times and
locations included. Readers are told that further information is
available from a web site, but when the link is clicked a virus is
downloaded to the computer.