Truth 3 Phishing via snail mail

When you think of phishing, you probably think of the annoying emails you receive that ask you to change your password on your PayPal account. They’re annoying, and fortunately, they’re starting to get easier to detect. However, what happens when the same tactics are used via the U.S. Mail? What if you received a letter from your bank that required you to fill out a form to validate your information and mail it back? It’s easy to believe that you would be suspicious, but when I started actually testing people, I was surprised to see just how quick people were to give their confidential information.

You open your mailbox, and there’s an envelope from your bank. Inside is a letter along with a separate questionnaire and a return envelope. The letter reads something to the effect of this.

Dear Jim,

Recently, several new federal regulations were released that require us to research and validate all customer account information. This effort is driven by the need for tighter security in the financial sector. Often times, errors caused by typos and other computer-related inconsistencies can cause accounts to contain inaccurate information. When left unchecked, numerous issues can arise, including the inadvertent bypass of certain state and federal taxes.

At ACME Bank, it is important to us that all our customers’ data is 100% accurate, and to help ensure that we maintain this level, we are requiring all customers to take a moment to complete and return the included informational form.

This form will be used by ACME Bank service representatives to cross-reference against your existing account. If any discrepancies are discovered, you will be contacted, and changes will be made if necessary.

For your convenience, a special Web site has been set up to also allow for online filing. Simply visit http://www.acmebankupdates.com and select the option Account Verification located on the right side of the Web page.

After reading the letter, you look at the form that has been included. It has a place for you to fill in all the information required by the financial institution. This includes your name, address, phone number, social security number, driver’s license number, and mother’s maiden name. You take a few moments to complete the form and stick it in the return envelope. You drop it with your outgoing mail, and you don’t give it another thought.

You might also be more technical, so instead of using the included form, you go to the Web site mentioned in the letter. The same information is required, so you complete it and submit the form.

During the past two years, I have run this attack numerous times and have always had success. From financial institutions to health care organizations, it is always the same. People fill out the information and send it back. There are cases where I get back only 10% of the forms sent out, but even more often I get back every single one. When I talk to the victims about it afterward, they generally come to the same conclusion. They get mail from that particular organization all the time, so this piece didn’t seem like anything out of the ordinary. That’s what makes being an identity thief so easy. People never know they are under attack because the attack blends in with day-to-day life.

Credit card applications by mail

Okay, you get it now. If a letter comes in the mail from your bank and it’s asking for confidential information, you should probably ignore it. But what about that preapproved credit card application you received last week? Sorry, but I have had just as much success attacking unsuspecting individuals using credit card offers as I have with letters from the bank. It’s actually pretty simple. There is not a week that goes by where I don’t receive at least one preapproved credit card application in the mail. Some of them offer to give me free luggage if I sign up; others offer a great interest rate for the first 90 days. The one thing that every application seems to have in common is that I have never heard of the company that is offering them. Sure, it’s a Visa or MasterCard, but what organization is actually sending out the card? The truth is, most people never pay attention.

I have sent out hundreds of these fake preapproved applications. I generally choose fake names for my credit card companies that sound similar to something people may have already heard of. In reality, I could just as easily use real company names, as no one would ever know the difference. Of course, I always offer low interest rates and, more importantly, a gift for signing up. On one of my attacks, I offered the Nintendo Wii, and over 50% of the recipients signed up. Of course, to sign up, the victims were required to submit their name, address, social security number, driver’s license number, mother’s maiden name, and email address. That is everything an identity thief would need to start a new life.

It is difficult to tell a real credit card application from a fake. Therefore, I suggest you always err on the side of caution and never fill one out no matter how good the offer and how great the free gift. If you are looking for a credit card, talk to your friends and family members. Find out what cards they use and which cards have the best interest rates, and then call the 800 number located on the back of their credit cards. This will guarantee that you are truly getting involved with a real organization and not some guy sitting in his basement printing up credit card applications for kicks.
