Phishing Is the Internet’s Most Successful Con

Computer security often focuses on malware: software that attacks faults in your computer to take control of it and give that control to someone else. Malware is often sophisticated software that can quietly take over a computer without being detected—from there, it can do anything, from copying every keystroke you type, to watching every page you open, to turning your camera and microphone on and recording you, to encrypting your hard drive and ransoming your computer’s contents back to you. But novel malware is difficult to write, and can take many paid hours for some of the most talented programmers, in addition to finding or buying a security flaw that allows you to get your malware onto someone’s computer undetected. It’s painfully expensive, and often ends up leaving a trail back to the authors.

Phishing doesn’t attack computers. It attacks the people using computers.

Setting up a phishing website is something a summer intern can do in a couple of weeks, and it works. If you were to try to create a phishing version of this article, you could start by saving the complete webpage from your browser; that would get you the picture, text, and code that make up the page you’re reading now. If this article contained an account login, you could put the copy on a server you control and register a look-alike domain for it. If you enticed someone to type their username and password into that copy, you would then have that information.

This kind of phishing started out mainly as a money-stealing scheme, delivered en masse. “Phishing has changed a lot. A decade or so ago it was a mass phenomenon of people looking for passwords to bank accounts, PayPal, eBay … anything they thought would be easily monetizable,” says Cormac Herley, a principal researcher at Microsoft Research. “I think that threat has largely been beaten back: Spam filters have become better at detecting it, browsers have warning mechanisms built in, banks have become good at detecting fraud.”

But that’s the untargeted stuff. Getting one particular person to click on a phishing link, in an email or elsewhere, is where the targeted attack, known as spear-phishing, comes in: learning about someone’s life and habits to know just what message would get them to click without thinking. It is a reality built for one person, or one cohort of people. The con is on, the set is built, and the actors are hired to make the sting, all from a web browser.

In early 2016 a phishing email requesting an urgent payment landed on the email servers of FACC, an Austrian aviation-parts maker, as part of what’s known as a “fake president” scam (also called CEO fraud or business email compromise). The “fake president” is generally an urgent message, apparently from an authority figure, telling Accounts Payable to send money to a foreign account at once. In the case of FACC, a dubious wire transfer followed the email; the company lost more than 40 million euros and fired its CEO.

John Podesta, the chairman of the Hillary Clinton campaign, was famously spear-phished in 2016 by an email saying someone in Ukraine was attempting to log into his Gmail account. When he clicked the link and entered his username and password, instead of using the genuine Google address his own help-desk person had passed along, his account was captured. His emails, along with Democratic National Committee emails harvested the same way, were later leaked online, creating chaos in the run-up to the 2016 election. Most recently, in August 2018, Microsoft found and shut down six domains it attributed to a group working for the GRU, the Main Intelligence Directorate of the Russian military, targeting conservative think tanks (the International Republican Institute and the Hudson Institute) and the U.S. Senate. It’s not clear what exactly these phishing sites looked like, or how they worked. As far as Microsoft knows, no one was compromised by these sites, but it also doesn’t know how many more are out there, waiting for just the right spear-phishing email or bogus phone call to get someone to click the link.
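The cloned login page on a look-alike domain described earlier and the Podesta lure, a “someone tried to sign in” link that did not actually point at Google, both come down to one question: does the link’s host really belong to the domain it appears to? The Python below is an added example, not code from this article or from any organization it mentions. It classifies a URL against a small allowlist of trusted domains (google.com, microsoft.com and paypal.com, an assumption for the example) and flags the usual impersonation patterns: the real name used as a subdomain prefix or hidden in the userinfo part before `@`, confusable-character substitutions (including Cyrillic look-alikes arriving as punycode), and one-character typosquats. The homoglyph table and the two-label “registrable domain” rule are deliberate simplifications; production code would consult the Public Suffix List and a full Unicode confusables table.

```python
"""Classify a link as 'trusted', 'impersonation' or 'unrelated'.

Added example, not from the article. Assumptions: TRUSTED_DOMAINS and
HOMOGLYPHS are constructed for illustration, and registrable_domain()
uses a two-label rule instead of the Public Suffix List.
"""
from urllib.parse import urlsplit

# Constructed allowlist: domains the user legitimately logs in to.
TRUSTED_DOMAINS = {"google.com", "microsoft.com", "paypal.com"}

# Characters attackers swap in for their ASCII look-alikes (assumption: a
# small subset of the Unicode confusables table, enough for the demo).
HOMOGLYPHS = str.maketrans({
    "0": "o", "1": "l", "3": "e", "5": "s", "$": "s",
    "\u0430": "a",  # Cyrillic small a
    "\u0435": "e",  # Cyrillic small ie
    "\u043e": "o",  # Cyrillic small o
    "\u0440": "p",  # Cyrillic small er
    "\u0441": "c",  # Cyrillic small es
    "\u0456": "i",  # Cyrillic small Byelorussian-Ukrainian i
})


def host_of(url: str) -> str:
    """Lower-cased host with scheme, userinfo, port and path stripped.

    urlsplit().hostname discards everything before '@', which is what
    defeats the 'https://accounts.google.com@evil.example/' trick.
    """
    if "://" not in url:
        url = "http://" + url
    try:
        host = urlsplit(url).hostname or ""
    except ValueError:  # malformed netloc, e.g. unbalanced IPv6 brackets
        return ""
    # Punycode labels (xn--...) hide Unicode look-alikes; decode them so the
    # homoglyph folding below sees the characters the victim would see.
    if host.startswith("xn--") or ".xn--" in host:
        try:
            host = host.encode("ascii").decode("idna")
        except UnicodeError:
            pass
    return host.rstrip(".")


def registrable_domain(host: str) -> str:
    """Last two labels of the host (simplification: real code should use the
    Public Suffix List so that names like 'example.co.uk' work)."""
    return ".".join(host.split(".")[-2:])


def fold(text: str) -> str:
    """Collapse confusables and hyphens so look-alikes line up with the
    genuine brand name."""
    return text.translate(HOMOGLYPHS).replace("-", "")


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one-character typosquats (goggle.com)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_link(url: str, trusted=frozenset(TRUSTED_DOMAINS)) -> str:
    """'trusted' if the registrable domain is on the allowlist,
    'impersonation' if a trusted brand is being imitated, else 'unrelated'."""
    host = host_of(url)
    if not host:
        return "unrelated"
    domain = registrable_domain(host)
    if domain in trusted:
        return "trusted"
    brands = {t.split(".")[0] for t in trusted}
    folded_host = fold(host)
    sld = fold(domain.split(".")[0])  # the label the eye reads as the brand
    for brand in brands:
        # Brand embedded in a longer host (accounts.google.com.evil.example),
        # spelled with confusables (g\u043e\u043egle.com, paypa1.example), or parked
        # in the userinfo part before '@'. Deliberately aggressive: a trusted
        # brand anywhere in an untrusted URL is treated as impersonation.
        if brand in folded_host or brand in url.lower():
            return "impersonation"
        # One-character typosquat of the second-level label.
        if levenshtein(sld, brand) <= 1:
            return "impersonation"
    return "unrelated"


if __name__ == "__main__":
    # Constructed sample links, including the shape of the Podesta lure: a
    # sign-in warning whose link is not on google.com.
    samples = [
        "https://accounts.google.com/signin/recovery",
        "https://accounts.google.com.login-verify.example/reset",
        "https://accounts.google.com@evil.example/",
        "https://g\u043e\u043egle.com/",  # Cyrillic o, not Latin o
        "https://goggle.com/",
        "https://paypa1.example/login",
        "https://example.org/",
    ]
    for sample in samples:
        print(f"{classify_link(sample):14} {sample}")
```

Run it and the only link classified as trusted is the first one; the rest are exactly the shapes that fooled the victims in the article, and none of them require a vulnerability in the browser, only a reader who trusts what the address bar seems to say.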

