Maybe you think you can spot scam emails by the broken English, the pleas to wire money via Western Union and the references to Nigerian princes. Think again. The latest phishing attacks are so well-crafted, they look exactly like emails you might receive from major banks like Wells Fargo and Bank of America, says Ondrej Krehel, information security officer at , Credit.com’s sister company.
“It’s very sophisticated,” Krehel says. “Hackers are creating these pages to look exactly like professionally crafted bank pages. So it does have the look and feel and touch of your bank’s website.”
One recent email was noteworthy simply because it managed to sneak past Identity Theft 911’s multiple firewalls and land in Krehel’s inbox. It appeared to come from Bank of America, even using a real no-reply email address from the bank itself as the sender, as opposed to an obvious fake like Hotmail or Yahoo.com.
Once opened, the email doesn’t deploy any malware to steal users’ passwords or snoop their computers (such malicious code would have been blocked by Krehel’s firewall). Instead, it informs the user that there’s been a serious problem with her account, and she needs to complete and return the attached form.
“The text of the email is very well crafted,” Krehel says. “It looks like something Bank of America would actually send you.”
The scammers didn’t even include any malware in the attachment, since that also would sound alarms within users’ anti-spyware programs. Instead, the attachment looks just like a page created by Bank of America itself.
The real Bank of America logo appears across the top of the file—clicking on it takes the user to the bank’s actual site. The color scheme, with red and grey horizontal ribbons, and numbers in blue circles, precisely mimics the look of all the bank’s other communications. Even the mix of methods to input information, with drop-down boxes, checkboxes and places to type in text, is crafted exactly like the real thing.
The hackers are so good, in fact, that they customize the attachments to different banks. Another attachment Krehel received a few months ago had the exact same level of detail, only it spoofed the look and feel of Wells Fargo’s website.
“This is about collecting users’ data, and not triggering any antivirus” software, Krehel says. “So it’s the user driving the action.”
The attachment asks users to input all the information about their accounts, including their passwords, PINs, birthdates, Social Security numbers, driver’s license numbers, and the maiden and middle name of their mothers, plus six different security challenge questions, such as “Your first pet’s name.”
This, actually, is one clue to figuring out that it’s a scam, Krehel says. Banks may occasionally ask customers to verify information about a certain transaction. If you’ve never been to Hong Kong but suddenly your credit card goes on a shopping spree there, you might get a phone call from Bank of America, or an email asking you to call the bank. But banks never, ever, ask customers to confirm the security details of their accounts via email.
“If they have a problem with the account itself, they’ll probably shut down the account entirely and call the person, or email them and ask them to call a secure number,” Krehel says.
Second, the sheer number of security questions should raise alarm bells in the user’s mind, Krehel says. The one purporting to be from Bank of America even asked for the user’s email password and their father’s middle name, information that Bank of America itself does not need to know.
“It’s just overkill, the number of questions asked in one email,” says Krehel.
The takeaway: Phishing scammers are getting a lot more sophisticated. Here are some tips to avoid getting scammed:
Contributing writer for Credit.com, Chris graduated with honors from the Columbia University Graduate School of Journalism, and has reported for a number of publications including The New York Times, TIME magazine and Popular Mechanics.