Security Alert: Don’t Fall For The New Smart Card Phishing Scam

By now, most people know their credit, debit and even in some cases ID cards are going to be replaced by “smart cards”: cards with a tiny processor chip built right in that makes the card’s transactions more secure. Click here to see my post explaining what smart cards are and how they work.

Unfortunately, as they usually do, scammers are seeing this time of consumer confusion about a new technology as a golden opportunity. In this case, it’s an opportunity for identity theft.

[Image: Smart Cards. Image credit: Bergen Group India]

The Scam
Savvy thieves know many banks and other financial institutions are in the process of replacing their customers’ credit and debit cards with smart cards, and that most consumers are aware this is happening, too.

The thieves send an official-looking email that appears to have come from a major bank or financial institution. The email reminds the recipient of the coming change and tells the recipient he or she must update his/her account details in order to receive the new smart card(s).

The email supplies a link the recipient is supposed to click to get to the so-called account details update page, where duped consumers will enter their username, password, account number, name, address, phone number and other details, all of which the scammers can use to steal the consumer’s identity.

How To Tell If It’s A Scam
On the Fox 5 NY site, tech security expert Bonnie Smyre warns that these phishing emails look entirely legitimate:

It’s hard to tell that they’re fake. They often fake an email address so it looks like it’s from your bank. They use graphics from your bank. It looks very legit then they ask you, ‘You need to update your information. Your card is on the way, but before it can take effect we need your personal and banking information to be updated’.

But don’t worry: there are several ways to identify fake emails like these. What follows is the relevant excerpt from my post How To Avoid Computer Viruses: Links. The same methods used to spread malware via email are used in phishing scams like this one.

Mouse Over It
When you mouse over a link, the full link usually displays at the bottom of the web page, at least briefly.

If the link display zips by too quickly, you can right-click on the link and select “Properties”, “Details”, “Inspect Element”, or something similar on the pop-up menu (varies by browser) to view the full link in a pop-up window.

Get in the habit of ALWAYS mousing over links before clicking on them, because the link can tell you a lot. Hackers know this, so some of them have found ways to hide their links from displaying when you mouse over them. Since in general the only people who hide their links are people who have something to hide, if a given mouse-over doesn’t display the link, that’s a red flag.

If the link does display, here’s what to look for:

1. Does it have a “domain” that matches the site you believe you’re going to?
For example, if you’re on www.rottentomatoes.com and believe you’re clicking a link that will take you to a Roger Ebert movie review on www.chicagotribune.com, does the link show the chicagotribune.com “domain” at the start of the link?

Note that sites will often have different sub-sites, or “sub-domains” (e.g., maps.google.com, mail.google.com and news.google.com are all sub-domains of google.com), but a legitimate sub-domain will always end with the main domain (e.g., google.com) in its web address, right before the first slash.

If the domain isn’t a match for the site you intend to visit, the link may be a nefarious one.

2. Does it have a domain that’s a very close match to the domain you’re expecting, but not an exact match?
For example, if you’re expecting to go to a page on Facebook, the main domain should always be Facebook.com. A favorite hacker trick is to start with the correct, trustworthy domain and then alter it slightly or tack on some additional stuff to redirect the user to the hacker’s desired domain.

With the Facebook example, the domains Facebook-com, Facebook.com.cp, Facebook.com.de or Facebook-com.com are all bogus, and highly suspect.

3. Does it end with a “file extension” that doesn’t match the type of file or page you’re expecting?
.html, .jpg, .php and .asp are all examples of “file extensions”: they specify a file type (e.g., image, webpage, program, etc.).

Note that legitimate links will not always show a file extension when you mouse over them or check the pop-up details, so a missing file extension isn’t automatically cause for concern. There are far too many types of legitimate file extensions for me to go over all of them here; you probably wouldn’t remember them, anyway. So instead, I’ll just tell you about the ones that are most often employed by hackers to spread viruses and malware:

.js, .php, .exe, .zip, .tar

All of those are file extensions for files that can be, or contain, programs or mini-programs known as “scripts”. Clicking on a link that ends with one of these extensions usually initiates a download or starts a program running in your browser. Bear in mind that there are totally legitimate uses of these file types, so the mere fact that a given link ends with one of these extensions doesn’t automatically make it a nefarious link. But if you’re expecting to go to a web page, and you’re not expecting to initiate a download or start a program running on that page, seeing one of these file extensions at the end of the link is highly suspicious.
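The three mouse-over checks above can be turned into a small script that does the same inspection on a link you have copied out of an email. The example below is added here and is not from the original post; it uses the post’s own sample links (the Chicago Tribune, Google sub-domains, the bogus Facebook look-alikes) as constructed test inputs. Two simplifications are my own: the “main domain” is taken to be the last two labels of the host name (so two-part suffixes such as co.uk are not handled), and a hyphen is treated like a dot when looking for a brand name hidden inside a look-alike host.

```python
from urllib.parse import urlparse
import posixpath
from typing import List

# The extensions the post singles out as ones that download or run a program
RISKY_EXTENSIONS = {".js", ".php", ".exe", ".zip", ".tar"}


def registrable_domain(host: str) -> str:
    """Return the 'main domain' of a host name: 'mail.google.com' -> 'google.com'.
    Simplification (assumption): the main domain is the last two labels, so
    two-part public suffixes such as 'co.uk' are not recognised."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def check_link(url: str, expected_domain: str) -> List[str]:
    """Apply the post's three checks to a link.  Returns a list of warnings;
    an empty list means none of the three red flags was raised."""
    warnings = []
    # Links copied from an email often lack the scheme; add one so urlparse finds the host
    parsed = urlparse(url if "://" in url else "http://" + url)
    host = (parsed.hostname or "").lower()
    expected = expected_domain.lower()
    actual = registrable_domain(host)

    if actual != expected:
        # Check 2: the brand name is present but the real domain is something else
        # (Facebook.com.cp, Facebook-com.com, ...).  Hyphens are folded to dots here
        # so that 'facebook-com' is caught as well; this heuristic is my own.
        brand = expected.split(".")[0]
        if brand in host.replace("-", "."):
            warnings.append(
                f"look-alike domain: '{host}' contains '{brand}' but its main domain "
                f"is '{actual}', not '{expected}'"
            )
        else:
            # Check 1: the main domain simply does not match the site you expected
            warnings.append(f"domain mismatch: link goes to '{actual}', expected '{expected}'")

    # Check 3: does the link end in an extension that downloads or runs a program?
    ext = posixpath.splitext(parsed.path)[1].lower()
    if ext in RISKY_EXTENSIONS:
        warnings.append(
            f"link ends in '{ext}', which downloads or runs a program rather than showing a page"
        )
    return warnings


if __name__ == "__main__":
    # Constructed sample links, paired with the domain the reader believes they lead to
    samples = [
        ("https://www.chicagotribune.com/reviews/ebert.html", "chicagotribune.com"),
        ("http://mail.google.com/", "google.com"),
        ("Facebook.com.cp", "facebook.com"),
        ("http://Facebook-com.com/login", "facebook.com"),
        ("http://www.facebook.com/photos/album.zip", "facebook.com"),
    ]
    for link, expected in samples:
        result = check_link(link, expected)
        print(f"{link!r} (expecting {expected}): {result or 'no red flags'}")
```

A link with no warnings is not proof that it is safe; it only means none of the three visual checks the post describes would have flagged it, which is exactly the limit of what a mouse-over can tell you.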

Click here for additional Digital Media Mom posts about past phishing scams. Some include images of actual phishing emails, to illustrate how legitimate they can appear.
