Double Checking A Phishing Scam

By | May 23, 2004

Sometimes the usual checks to see whether an email is a phishing scam or not don’t work.

Here’s an example. This morning I received a quite credible looking PayPal email. Of course it had all the hallmarks of a phishing scam too, but then again I’ve received some genuine emails I thought were phishers, so you can never be 100% sure.

The best test — viewing the email in non-HTML format, so the links show up for what they really are — didn’t work particularly well this time: The URL was http://www.updatesecuritycheck.com, which doesn’t sound like PayPal, but then sounds official enough to possibly lure some folk.

So I checked the registrant of the website in question, usually a surefire way to know whether it’s dodgy. It was under the name of someone in the UK, with an address and telephone number that all looked kosher (right postcode, all that sort of thing). Hard to imagine that someone in the wilds of Devon would be administering PayPal accounts, but who knows? If the website was fraudulent, the thinking goes, why would someone go to such trouble to register a full name and address?

So I checked to see whether the person existed. He does. I contacted him, not via the email address given, but by hunting down a working email address via Google. Needless to say he’s not part of the scam and is suitably outraged that his name has been used. (Of course all this raises the possibility he has become the victim of broader ID and financial theft.) The page on the scam site itself no longer exists, as far as I can see, but the home page is a boilerplate PayPal copy.

The lesson: Sometimes it’s not enough to check whether the URL looks and feels kosher. Neither it is sufficient to see whether the website itself has been registered by someone who looks kosher. Clearly scammers are going to greater lengths to register proper sounding website names, and to register them under real names and addresses — which they’ve probably found in phone books and on the Internet.