Friday, 12 August 2011

UK Post Office Online Reward Program Phishing Scam

Outline
Email purporting to be from Post Office United Kingdom claims that the recipient has received a cash reward via the Post Office United Kingdom Online Reward program. The recipient is instructed to follow a link in the message and enter his or her "bonus code" on a website form in order to claim the reward.

Brief Analysis
The email is not from the UK Post Office and the claim that the recipient is eligible to receive a cash reward is untrue. The email is a phishing scam designed to steal personal and financial information from recipients via a bogus website.


Detailed analysis and references follow the example.

Last updated: 15th February 2011
First published: 15th February 2011
Article written by Tasawer Abbas


Example Subject: E-mail Bonus #152040

Greetings from Post Office United Kingdom


Welcome to the Post Office United Kingdom Online Reward program, the first and largest loyalty program in the world!


We are proud to inform you that today, The UK Post Office rewarded you. Please take the 4 steps survey. For your effort you will be rewarded you with ?


Your bonus code is P742UK2910


Please track your Bonus Code in to:


[Link removed]


and follow the reward steps.


Thank you very much for your help and your patient and hope you will enjoy the UK Post Office reward program in the future.


Sincerely,
Sandra [Removed]


UK Post Office Reward Department



Detailed Analysis
According to this email, which claims to be from the United Kingdom Post Office, the recipient has been selected to receive a cash reward as part of the "Post Office United Kingdom Online Reward program". To claim the reward, the recipient is instructed to click a link in the email and enter personal and financial information, along with his or her "bonus code" into a website form.


However, the message is not from the UK Post Office and the promised reward does not exist. Those who fall for the ruse and follow the link will be taken to a fraudulent website designed to steal both their personal information and their credit card details. The link in the email is disguised to resemble a genuine UK Post Office web address. The bogus website includes graphics, formatting and secondary links designed to make it resemble the genuine UK Post Office website.


If a victim clicks on the link in the scam email, he or she will be first asked to provide name, contact and other personal details via a form on the bogus website as shown in the following screenshot:


Once the user has filled in this form and clicked the "Submit" button, he or she will then be taken to a second page that asks him or her to enter the "Bonus Code" included in the scam email:


Next, the victim will be taken to a third page that reloads the personal information submitted in the first form but also requests credit card details including the user's credit card account password:


After the "Submit" button on the final form is clicked, the bogus website will display a brief "Thank-you" message before redirecting the user to the genuine UK Post Office website. Because the scam sequence eventually takes the victim to the genuine post office website, he or she may not initially realize that skulduggery is afoot. Meanwhile, all information submitted on the bogus website will be sent to Internet criminals who can use it to commit credit card fraud and identity theft.


One quick giveaway that the bogus website is not what it claims to be is that the form asking for personal and financial details is not served from a secure (https) server. No legitimate organization would ask for such sensitive information via an insecure webpage. The reverse does not hold, however: an https address or padlock shows only that the connection is encrypted, not that the site behind it is genuine.
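As an added illustration of the two giveaways described above (a form collecting card details that is not served over https, and a link whose visible text imitates a genuine address while pointing somewhere else), here is a small Python checker that is not part of the original article. The HTML, the page URL and the .example domain names are constructed for this example; the field-name list is an assumption, not taken from the scam site.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

SENSITIVE = ("card", "cvv", "password", "pin", "account", "dob")  # personal/financial input names (assumed list)
DOMAIN_RE = re.compile(r"(?:https?://)?[\w-]+(?:\.[\w-]+)+(?:/\S*)?", re.I)  # text that looks like a web address

class _PageScanner(HTMLParser):
    # Collects each form's action and input names, and each link's href and visible text.
    def __init__(self):
        super().__init__()
        self.forms, self.links, self._link = [], [], None
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.forms.append([a.get("action") or "", []])
        elif tag == "input" and self.forms:
            self.forms[-1][1].append((a.get("name") or "").lower())
        elif tag == "a":
            self._link = [a.get("href") or "", ""]
    def handle_data(self, data):
        if self._link is not None:
            self._link[1] += data
    def handle_endtag(self, tag):
        if tag == "a" and self._link is not None:
            self.links.append(tuple(self._link))
            self._link = None

def phishing_indicators(html, page_url):
    # Returns a list of findings; an empty list means neither giveaway was seen.
    scanner = _PageScanner()
    scanner.feed(html)
    findings = []
    for action, names in scanner.forms:
        hits = [n for n in names if any(k in n for k in SENSITIVE)]
        if hits and urlparse(urljoin(page_url, action)).scheme != "https":
            findings.append(f"sensitive fields {hits} submitted over plain http")
    for href, text in scanner.links:
        text = text.strip()
        if DOMAIN_RE.fullmatch(text):  # visible text imitates a web address
            shown = urlparse(text if "://" in text else "http://" + text).hostname
            real = urlparse(urljoin(page_url, href)).hostname
            if shown != real:
                findings.append(f"link shows {shown} but points to {real}")
    return findings

# Constructed sample imitating the pages described above; .example names are placeholders.
SAMPLE_HTML = ('<form action="/step3.php"><input name="card_number"><input name="card_password"></form>'
               '<a href="http://reward-bonus.example/s1">www.postoffice.example/rewards</a>')
```

Run `phishing_indicators(SAMPLE_HTML, "http://reward-bonus.example/step3")` to see both findings; a page whose form posts over https and whose links point where their text says returns an empty list.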


This phishing scam is quite similar to a recent spate of survey phishing scams that promise recipients substantial fees for participating in brief online surveys. As in this case, the purpose of these survey scams is to trick people into handing over their credit card details and other personal information. Internet users should be very cautious of any unsolicited email that claims that they can receive a cash payment or reward simply by filling in a short survey or providing their personal information. If you receive such an email, do not follow any links in the message or open any attachment that it may contain. Do not provide any information to the senders of the message either via a website form or by replying to the email.
