20 April 2008
A few days ago, I got a fraudulent email purporting to be from PayPal, which was surprisingly convincing.
The email’s most credible feature was its timing, which coincided with a recent PayPal transaction of mine.
Close…
Here’s why I was almost caught out:
- The message was addressed to me, Ian Saxon, not “Valued Customer”
- The email appeared to come from a legitimate PayPal email address (service@paypal.com)
- The contents were mostly well written. I noticed only four spelling and grammatical mistakes.
- I used PayPal recently, making it plausible that the company would want to check that the transaction was legitimate
…But not quite
The email was certainly not legitimate. Here’s how I knew:
- There were spelling and grammatical errors. Don’t kid yourself – the real PayPal has proofreaders
- The email asks me to send photocopies of sensitive stuff (passport, driver’s licence, bank statement)
- I was asked to respond to security@paypalfraudchecking.com, which doesn’t have the usual @paypal.com suffix
- A quick Google search of a section of text in the email yielded warnings of PayPal scams
The most convincing piece of evidence against the email’s veracity was #4. Take a look at the results:
To get this, I simply highlighted a portion of the email message (“PayPal is constantly working to ensure security by regularly screening the”), pasted it into Google’s search bar, and hit Search. It works just as well with or without quotes. As you can see, every result was a warning about this scam.
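Point #3 above (the reply address lacks the @paypal.com suffix) is the one check that can be done mechanically, since a From header is trivial to forge while the Reply-To has to lead to a mailbox the scammer controls. The following is an added example, not code from the original post: it parses a raw message with Python’s standard email library and reports any From or Reply-To domain that is not the domain the message claims to come from. The sample message is constructed for illustration; only the two addresses (service@paypal.com and security@paypalfraudchecking.com) are taken from the post.

```python
"""Flag a From/Reply-To domain mismatch of the kind described in the post.

Added example; the message below is constructed, not the actual email.
"""
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

# Constructed sample message mimicking the headers the post describes.
SAMPLE_EMAIL = b"""From: PayPal Service <service@paypal.com>
Reply-To: security@paypalfraudchecking.com
To: Ian Saxon <ian@example.invalid>
Subject: Please confirm your recent transaction

PayPal is constantly working to ensure security by regularly screening the
accounts in our system.
"""

EXPECTED_DOMAIN = "paypal.com"  # the organisation the message claims to be


def header_domain(msg, name):
    """Return the lowercase domain of the address in header `name`, or None."""
    value = msg.get(name)
    if not value:
        return None
    _, addr = parseaddr(str(value))
    if "@" not in addr:
        return None
    return addr.rsplit("@", 1)[1].lower()


def same_org(domain, expected):
    """True if `domain` is `expected` itself or a subdomain of it.

    The leading dot matters: notpaypal.com must not match paypal.com.
    """
    return domain == expected or domain.endswith("." + expected)


def check_reply_path(raw, expected=EXPECTED_DOMAIN):
    """Return a list of findings for the raw message bytes `raw`.

    An empty list means both From and Reply-To (if present) belong to
    `expected`; each finding names the header and the foreign domain.
    """
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    from_dom = header_domain(msg, "From")
    reply_dom = header_domain(msg, "Reply-To")
    if from_dom is None:
        findings.append("no parseable From address")
    elif not same_org(from_dom, expected):
        findings.append(f"From domain {from_dom} is not {expected}")
    # Reply-To is optional; when present it decides where replies really go.
    if reply_dom is not None and not same_org(reply_dom, expected):
        findings.append(f"Reply-To domain {reply_dom} is not {expected}")
    return findings


if __name__ == "__main__":
    for finding in check_reply_path(SAMPLE_EMAIL):
        print(finding)
```

Run against the constructed message, the check reports only the Reply-To domain, which is exactly the detail that gave the scam away; a message whose Reply-To is absent or also under paypal.com produces no findings.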
15 March 2008
Late last year, Consumer Reports determined by survey that one in 81 Americans got phished in 2007. The average phishing victim lost $200.
What does this mean for you?
People who assess risk often talk about “expected costs”, which they calculate by multiplying the probability of an event by its cost. The expected cost, then, of getting phished in a given year is 1/81 × $200 ≈ $2.50.
How can we make sense of the $2.50 figure? One way to think about it is this: it is the amount you would have to pay an insurance company each year for them to be willing to pay out your losses to phishing, should they occur. If the insurance company covered all Americans at this rate, they would break even on their costs.
Seen this way, the threat of phishing isn’t that great. The danger of identity theft when phishers get your bank account information is perhaps greater, but the actual monetary loss, at least on average, is minimal.
1 March 2008
I changed my banking passwords today, something I do about every three months. After doing so, I received emails from each bank informing me that my passwords had been changed – and advising me that I ought to get in touch with them if I had not done the changing. Here’s the email I got from RBC:
What they get right
They get a couple of things right. First, sending an email to me when my password is changed is a great idea. If someone else had changed my password, I would learn about it quickly. (What would happen, though, if that person changed the email address on file at the same time? No problem: when an email address change is made, a notification is sent to the old email address.)
Second, they assure me in the email that “RBC will never ask you to provide, confirm or verify confidential information like your online banking ID, password, account numbers, balances or PIN through regular email.” That’s super. If I ever get an email asking me to confirm confidential information, I’ll know it’s fake.
What they get wrong
I do have one minor complaint. It would be better if my bank refrained from including phone numbers and clickable links in the email. I could imagine a scenario where a phisher sends an email identical to this one, except that the links and phone numbers direct the user to a phishing source. Once the user is on the phisher’s website or is talking to a phisher, he might forget all about the promise in the email to never ask about confidential information.
On the other hand, if banking customers get used to the idea that legitimate banks never send emails with links or phone numbers inside them, phishers would have trouble indeed getting people to contact them.
Edited to Add (2 Mar 2008): Note that my bank included my name in the email, something many banks do. So if you ever receive an email from what is ostensibly your bank that lacks your full name (“Dear Customer” or the like), be wary.
10 December 2007
The Canada Revenue Agency is warning taxpayers to watch out for phishing scams this tax season. They have a good description of how these scams work:
- You receive an unsolicited e-mail or phone call promising you a significant amount of money, in the form of a lottery or sweepstakes jackpot, or a tax refund.
- To receive the promised money, you are asked to provide either an upfront deposit or confidential banking information, such as credit card or bank account numbers and passwords.
- You are then told that someone will get back to you with the promised payout, which doesn’t happen.
- When you try to recover the money, you find that the individual who contacted you has disappeared or never gives you a straight answer.
Good to know, particularly if you recognize what is happening at stage 1.
2 December 2007
In May 2007, I commented on the Consumer Reports 2006 State of the Net assessment. Here are the results of the 2007 State of the Net report:
- Spam: your chances are 1 in 2
- Viruses: your chances are 1 in 5, with a typical cost of $100.
- Spyware: your chances are 1 in 11, with a typical cost of $100.
- Phishing: your chances of losing money from an account are 1 in 81, with a typical cost of $200.
Encouragingly, the odds of getting nicked by each one of these threats fell since 2006, except in the case of phishing (formerly 1 in 115, meaning phishing attacks are becoming cleverer and more widespread). The cost for each malady stayed roughly the same, with phishing the exception once again. Last year, phishing victims typically lost $850, so the number has fallen considerably.