Slashdot Mirror

← Back to Stories (view on slashdot.org)

How Well Do Businesses Respond to Phishing Reports?

Posted by Cliff on from the is-abuse@-worth-anything dept.

FuzzyDaddy asks: "When I receive a phishing email, which I find has some new or interesting technique, I will usually forward it to the appropriate abuse department. I recently got one concerning 'my' paypal account (surprising, since I don't have one), which I forwarded to abuse@paypal.com. I received an automated reply telling me to 'please direct all customer service inquires through our website.' I didn't have time to do that, so I let it go. Is paypal being irresponsible, here? Have others on Slashdot been satisfied with their attempts to report Phishing?"

7 of 90 comments (clear)

  1. Wrong address. by DrEldarion · · Score: 4, Informative

    Paypal does have an e-mail address to forward them to, it's just not "abuse". Forward the e-mails to spoof@paypal.com. They actually do take these pretty seriously.

    What I like to do until the site gets taken down is to fill out their form with bogus information, then after submitting it, hit the refresh button. It'll ask me if I want to submit the form again, and I'll say "yes". I'll just sit there for a while hitting F5 and enter just to fill their results with bogus crap.

    I know a lot of people actually fall for them. I always tell them that the surefire way to tell if it's a spoof is to put a fake username/password in when prompted. Not only do they then get fake information, but if it gets accepted, you know that the site is fake. I've gotten my whole family to start doing this after my sister fell for one.

    1. Re:Wrong address. by TFGeditor · · Score: 4, Informative

      Ditto for eBay--spoof@ebay.com.

      Always include original full headers.

      You might also want to submit phishing scams to reportphishing@antiphishing.org.

      --
      Ignorance is curable, stupid is forever.
  2. Our reports aren't very important by Nuclear+Elephant · · Score: 5, Interesting

    Our reports aren't very important, as most institutions pay fraud takedown companies to monitor the net for phishing attacks using their name, and outsource the legal aspect of it all together. A company like Paypal wouldn't directly address phishing attacks, instead they would pay a very large sum of money to someone else to make it go away.

    With that said, those hosting the phishing sites have been very responsive. I came across a paypal phish on poly.edu's network, emailed abuse, and it was gone when I checked an hour or so later, along with an email response in my inbox. Problem is that the burden of enforcement is more on the company being phished than the source of the attack.

  3. Paypal security center - "Alert us to fraud" by arb · · Score: 5, Informative

    Fake Email/Website (Spoof, Phishing)

    Paypal, eBay, Amazon, etc all have pretty good security centres. I am surprised that abuse@paypal.com gave that automated reply, but if you visit their website the security centre is prett yeasy to find. You might not get a personalised response to your report because they get so darn many reports, but they do follow through on all reports.

  4. Someday, take a look at those phishing websites by destuxor · · Score: 4, Interesting

    Once I looked at the website scamming PayPal (it was somewhere in South America) to see if I could get anything out of the server stats (http://example.com/server-stats) and other such Apache functions. To my horror, the Perl script that would accept input from the "verification" web page had several hundred hits. Either people are submitting bogus information, or hundreds of individuals are being fooled by these scams.

  5. Re:Bank of America by Harker · · Score: 4, Interesting

    I actually did fill out their form for one I received. I'm not too terribly worried about spam from someone like them. Perhaps I'm naive, but I don't believe they will continue if I request them to stop sending it.

    Anyway, I got a reply, from a real person, telling me they needed my account number in order to proceed. I told them I didn't have one, and that I only forwarded the information to them so they could stop possible fraud. They replied that they still needed my account number to proceed.

    My final response to them was not very kind, and I never heard back from them again. I'm certain the profanity in it caused them to dump my 'case' right there. Too bad for their customers. Luckily, I won't ever be one.

    H.

    --
    When VCR's are outlawed, only outlaws will have VCR's.
  6. Yes, there are things they can do! by WoodstockJeff · · Score: 4, Interesting
    Do you believe there is anything that a company that is the target of a phishing attack can do?

    The first thing they could do is to publish SPF records for their domains. And not the ones that end in "~all" ("and accept any other IP, in case we forgot one") like AOL, HOTMAIL, and many other sources whose domains are faked constantly use. The ability to tell your users "Hey, this didn't come from who it is claiming to have come from" is a start. But PayPal, eBay, and most banks I've seen scammed have no inkling of how a simple change to their DNS would protect them and their customers.

    The second thing would be to tell their web servers to not serve images up that have the wrong referrer. Hey, referrer checking isn't 100%, but any time you have an image request from a victim of one of these scam mails, it would be a lot better if that picture had "THIS IS A FRAUD MESSAGE" overlayed on it. It would force the scammers to go back to hosting the pictures on the scam site, which is a harder to do than simply uploading a single script to a slightly-insecure website in Brazil or Ohio. And the emails are as legitimate looking as they are because they use the scammed bank's own graphics, from their own servers!