Phishing for Faxes

August 17, 2005

Phishing has been around for a while now, I would say everyone has a pretty good grip on how this scam works. If not, you should think about reading our phishing scam article from earlier in the year.

One thing that has been a constant in the phishing game is that the attacks usually attempt to lure you in with a fake email that attempts to pose as a legitimate website in order to capture personal information.

Well we’ve discovered a new species of Phish—the Fax Phish—whose domain isn’t the Internet, but rather your fax line.

The scam uses the guise of Pay Pal. No big surprise—next week it will be Ebay. It seems like these are the two online entities that attackers like to use.

Here’s a run down of how this scam works: first you get a general email supposedly form Pay Pal with the following message”

Dear Paypal Customer,
Unauthorized person tried to reset the password from your paypal account. We would like to ensure that an unauthorized third party did not access your account. Because protecting the security of your account is our primary concern, you have to complete the affidavit form. Click here to download the form. Please send a fax in the next 24 hours to [number removed] with affidavit form completed.

Of course there was no account infiltration, your account with Pay Pal is fine, unless you fill out this affidavit and fax the information back.

In light of all the phishing attempts and identity theft lately, people may actually feel safer faxing information off to a seemingly reputable site in order to take care of an issue than sending it off in an email. The truth is, neither of these are secure practices, and you invite trouble by performing either. Email is not very secure and should not be used to send sensitive data, unless security services are put into affect. Faxing information out to a number based on an email is even worse. It’s easier to fake being a company when you don’t need to create even a bogus website to appear authentic.

As far as staying away from these threats, there’s no guarantee, and remember to use common sense whenever your personal information is being asked for. For instance, if you do get an email and are genuinely concerned about an account or whatever they are using as bait do not reply by fax or email. If this happens to you, open your web browser and navigate to their website (do not link out of the email), this is the only way that you will know that you are at the site you are supposed to. If there is any legitimate issue with your account you should see it at the site or you can usually call customer service or at least send there customer support an email asking if something is wrong with your account.

Stay safe out there,

~ Chad

For the complete report, check this out…

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.