Let's Build a Responsible Cyber Society



How to Recognize a Phishing Mail

Phishing has been a constant source of concern for Netizens. In India, due to the weak security systems adopted by Banks, Phishing has become a most convenient form of robbing innocent citizens of their money in the Bank.

There is a reasonable suspicion that many employees (particularly the contract employees involved in marketing) of Banks are involved in the Phishing racket and facilitate phishing frauds.

One way by which Phishing is aided and abetted is by opening accounts for Phishing mules ignoring the KYC norms or trying to follow the KYC instructions in letter but not in spirit.

Second method which is suspected to be used by rogue Bank employees is to access the passwords internally but still simply drop a phishing mail to the target account. Then the fraudsters use the acquired password with or without the customer answering the Phishing mail. When the customer later complains, he will be questioned..

"Have you received a mail asking for password?"..

An honest customer has to answer.. "Yes".

Immediately the Bank will say... "You violated our condition on Internet Banking and hence you alone are responsible".

This explains why may Phishing incidents happen even when the customer does not answer the Phishing mail.

Since a similar situation may be simulated with the use of some Trojans,  it is impossible except in rare circumstances with forensic help to prove the innocence of the customer. Banks take advantage of the inability of the customer to defend himself to escape liability.

It is therefore essential that Netizens should train themselves about Phishing and be able to recognize a Phishing mail. This is ofcourse easier said than done since fraudsters keep using different methods to hoodwink Netizens and even experts some time fall prey to such e-mails.

While Phishers may use multiple strategies to obtain the password, here is an example of how Phishers may first try to acquire your e-mail password. This may also be the first step to acquire the Banking password since the Phisher may just go to the Bank website and ask for change of password. The request may then be routed through the e-mail with a link to the password change page. In mobile Banking situations, the PIN may be mailed to the e-mail address. Getting control of the e-mail is therefore getting half the key to enter your Bank account.


The mail appears normal except that the "To" field does not contain the name of the recipient. This is the first check the recipient should run. Some times this field may show "Undisclosed recipients". There are exceptional cases of "Targeted Phishing" where the recipient's correct e-mail address is displayed and one has to then look at other indicators.

The second and more reliable indiator is the link to which you are invited to click. In the above mail the link as shown in the e-mail is http://tataindicombroadband.in/MyAccount/Welcome.do?method=showWelcome .

Though the link appears genuine, if the mouse curser is moved to the http link provided in the mail, one would see in the bottom of the window the real link to which you would be taken to.

The link available in the mail points to http://www.isarfloesser.de/images/phocagallery/thumbs/tataindicombroadband.htm Obviously one can see that this URL does not appear to have any connection with Tata Indicom.

If we click on the link, the Netizen would reach the following page which looks similar to the Tata Indicom site except for the URL being different. (In some Phishing cases, URL is also made to look similar to the real URL by inserting an image)

One can see that this page has the user name and password and if this is entered, then it will reach the hands of the fraudsters.

Once the password is entered, and "continue" button is pressed, the next screen will again show the same looking page this time from the genuine site as shown below.

The user would naturally assume that there was some error and re enter the information once again, go to his genuine account panel and would never doubt that his password has already been picked by deceit by the Phisher.

The next check is to check the header information in the mail. The process of opening the header may vary with the e-mail client one uses. In Google or Yahoo it may be available under "Show Details" etc and the user has to find out how to open the header.

The header information of the above e-mail looked like this-


If you could read the meaning into the header, one can recognize that the mail originated from an IP address

This IP address is actually registered to a Customer by name LeslieJosephDds, 268, Bush St, San Fransisco, through the service provider ATT Internet services. (See details)

The domain name isarfloesser.de itself is registered in the name of Franz Bernack with address Domberg 16, 85354, Freising, Germany. (See details)

In case Tata Indicom is aware of the existence of this e-mail, it is duty bound to take reasonable steps as an "Intermediary" to initiate action against the person who pima facie appears to have sent the mail as well as the domain name owner of the domain http://www.isarfloesser.de/images/phocagallery/thumbs/tataindicombroadband.htm

This is being provided for the general information of Netizens.

In my next article, I will also provide a suggestion on what can the Netizen do in case he gets such an e-mail.


Sept 29 2010



Comments are Welcome at naavi@vsnl.com