Comments on: Should I bother to FWD phishing attempts

Question: Should I bother to FWD phishing attempts

trharlan — Mon, 06 Jun 2005 12:37:46 -0800

Someone tries to phish me every day. Until recently, I have dutifully FWDed these attempts to spoof@whatever.com. As phishing has become even more ubiquitous, it occurs to me that there's no way that the target companies can possibly wade through it all. Should I bother FWDing the attempts?

By: achmorrison

achmorrison — Mon, 06 Jun 2005 13:32:49 -0800

If you think that forwarding the phishing attempts has any benefit to the other company (ebay, or a bank or paypal or whatever) then I would say to forward only the first one of a kind that you get.

I personally do not forward anything, and I get upwards of 20/day.

By: shepd

shepd — Mon, 06 Jun 2005 14:06:23 -0800

Waste of time.

US DOJ/FBI/whoever ignores everything, even if it is within their jurisdiction.

I've tried this and followed up on them. Worst response time was from the FDIC. That took them over 8 months.

Capital one takes about 1 or 2 months.

Most other companies take 3 - 4 weeks.

This is from time of notice to time I get a reply. When I get the reply that it is being investigated, I check if the site is still up. Invariably, it is. Most remain up forever (like the FDIC insured bank scam one, I think it's still up, and I'm pretty sure the ISP was in the USA).

My favourite was someone trying to buy products from my website with several phished credit card numbers. Being a good citizen I tried to report them all. That took 2 or 3 days to get to someone who understood what I wanted. While they understood what I wanted to do, I was told that the credit card company simply doesn't know what to do, and they would be basically taking down the info and throwing it away. Nobody even knew how to contact the credit card holder. Pathetic.

Overall, what's the point if nobody is going to do anything about it? I just ignore it and feel good that the increased insurance rates for this shitty companies will eventually punish them for not hiring an investigations department.

By: mischief

mischief — Mon, 06 Jun 2005 14:13:28 -0800

"someone trying to buy products from my website with several phished credit card numbers"

How did you know they were phished?

By: shepd

shepd — Mon, 06 Jun 2005 14:38:36 -0800

mischief, the cards had generally correct info for the person holding them in the USA, but the package was going to Indonesia. Oh... and when one of them was auto declined, the guy sent us fresh credit card numbers by email. Four of them IIRC.

Indonesia + declined card + 4 new ones = alarm bells.

I found out what banks the cards belonged to and they were all over different corners of the USA. Definitely different people. And that's pretty much as far as I got. The cardholder's banks were really indifferent about hearing about fraud reports. It was a wasted effort. Oh well!

The phishing part is just assumed, but being that these weren't just card numbers, but he had the CCV + Expiry I doubt they were autogenerated.

(Actually, this happens often enough we just refuse to do business with countries like Indonesia except by wire transfer with 45 day hold time).

By: mischief

mischief — Mon, 06 Jun 2005 14:49:00 -0800

"when one of them was auto declined"

Wouldn't that indicate that the card servicer was already aware of it?

] Not trying to be a smartass (for once), just curious. [

By: thanotopsis

thanotopsis — Mon, 06 Jun 2005 15:50:25 -0800

Forwarding them to the spoofed companies doesn't seem to do anything, as those companies are either technically unable to deal with it, or unwilling to on a cost/benefit basis.

However, ISPs take these things seriously. Too many ISPs have been burned in lawsuits that name them culpable for hosting scams and fraud and not doing anything about it when they were initially informed. If the ISP that's directly hosting the site doesn't do anything about it, go upstream. Keep going until you get one that actually responds.

I've been a charter member of the MMF HoH for nearly 10 years now. This kind of stuff was once our bread and butter over there.

By: SlyBevel

SlyBevel — Mon, 06 Jun 2005 16:07:01 -0800

According to the latest Cringely, the most socially responsible option is to go to the phishing site and enter lots of fake info.

If enough people do this, then Phishers have an extremely difficult time sorting the good info from the bad and it's no longer financially rewarding.

Funny, I just read that today. Your timing is stellar.

By: shepd

shepd — Mon, 06 Jun 2005 22:37:23 -0800

Wouldn't that indicate that the card servicer was already aware of it?

Yes. I assume it was an old card that they guy had abused long enough for the unlucky owner to have received a large enough bill to cause him to shut down the account. With the difficulty I went through I doubt it was the credit card company choosing to turn the card off first. :-)

By: FakeOutdoorsman

FakeOutdoorsman — Fri, 10 Jun 2005 22:02:55 -0800

If you use the wonderful Firefox browser or the not so secure Microsoft Internet Explorer you can download the Netcraft toolbar, which is a a giant neighbourhood watch scheme, and designed to detect and report phishing sites. The first person to report a new phishing site to Netcraft will receive a free gift, which is probably a mug or something.