
Phishing lures

Check this list to see if you've been targeted for a scam by recent e-mails that appear to be from a bank or another online merchant.


This list was compiled by the Anti-Phishing Working Group.

Company: Paypal
Date: 5/10/2005
Subject line: "Update Account"
Sender: Unauthorized Account Access [Routing Code: "code" here>]
Information request: Getting victim's credit card information, bank account information, various other personal information.
Visible link: "https://www.paypal.com/us/cgi-bin/webscr?cmd=_login-run"
Actual link: "http://218.246.224.203/icons/.cgi-bin/paypal/cgi-bin/webscrcmd_login.php"
Phish Website IP: "218.246.224.203"


Company: South Trust
Date: 5/9/2005
Subject line: "Update Account"
Sender: onlinebanking@southtrust.com
Information request: Getting victim's credit card information, bank account number.
Visible link: "https://southtrustonlinebanking.com/retail/"
Actual link: "http://itcare.co.kr/data/.SouthTrust/index.html"
Phish Website IP: "61.75.15.77"


Company: eBay
Date: 5/3/2005
Subject line: "Update Account"
Sender: suspension@ebay-bilIing.com
Information request: Getting victim's eBay login information (username/password).
Visible link: "Click here to update your account"
Actual link: "http://verify-cgi2.reset.at/?eBayISAPI.dll&VerifyRegistrationShow&accounts&signin=eBayDLLpsy&12453574=&1012&=&=57734"
Phish Website IP: "64.235.234.138"


Company: Paypal
Date: 4/29/2005
Subject line: "Update Account"
Sender: service@paypal.com
Information request: Getting victim's credit card information, other personal information.
Visible link: "Please click here to update your billing records."
Actual link: "http://review-data.org/go.html"
Phish Website IP: "83.16.123.18"


Company: Marshall & Ilsley Bank
Date: 4/27/2005
Subject line: "Security Update!"
Sender: service@mibank.com
Information request: Getting victim's Marshall & Ilsley Bank debit card information, SSN, name, email address.
Visible link: "https://login.personal.marshall&ilsley.com/logon/logon.asp?dd=1"
Actual link: "http://www.marata.com.br/site/flash/cib.ibanking-services.com/cih/index.php"
Phish Website: "hijacked"


Company: Citizens Bank
Date: 4/25/2005
Subject line: "Citizens Bank Instant 5 USD reward survey"
Sender: Personal Banking
Information request: Getting victim's Citizens Bank debit card information.
Visible link: "http://www.citizensbankonline.com/logon/securesurvey.asp"
Actual link: "http://211.250.204.133/docs/zens/Citizens%20Bank%20Online%20-%20$%205,00%20Giveaway%20Survey.htm"
Phish Website IP: "211.250.204.133"


Company: Ameritrade
Date: 4/22/2005
Subject line: "Ameritrade Online Application"
Sender: Starting
Information request: Getting victim's ameritrade.com login information (username/password).
Visible link: "www.ameritrading.net"
Actual link: "http://www.ameritrading.net/apps/LogIn/"
Phish Website IP: "198.170.241.25"


Company: Regions Bank
Date: 4/21/2005
Subject line: "Notification about your Regions online account"
Sender: Regions Bank
Information request: Getting victim's regions.com login information (username/password) or SSN.
Visible link: "https://secure.regionset.com/EBanking/logon/"
Actual link: "http://www.profusenet.net/checksession.php"
Phish Website IP: "68.142.234.44"


Company: Barclays
Date: 4/20/2005
Subject line: "Barclays Verification Service"
Sender: Barclays Verification Team
Information request: Getting victim's Barclays account information.
Visible link: "HTML form in the e-mail"
Actual link: "http://personalhsbc.co.uk:54867"
Phish Website IP: "202.60.230.77"


Company: Bank Of America
Date: 4/19/2005
Subject line: "Online Banking Alert (Change of Email Address)"
Sender: Online Banking Notices <5thvtc@alert.bankofamerca.com>
Information request: Getting victim's Bank Of America username/password, ATM card information.
Visible link: "Sign in to Online Banking"
Actual link: "http://www.bankofamerica.com/nationsfunds/nf2/leaving.cfm?destination=http://www.bankofamerica.com/nationsfunds/nf2/leaving.cfm?destination= %22%3e%3c%53...(etc.)"
Phish Website IP: "216.119.179.191"


Company: eBay
Date: 4/18/2005
Subject line: "eBay Verify Accounts"
Sender: Bay Security
Information request: Getting victim's eBay and Paypal username/password, credit card information, bank account information, etc.
Visible link: "http://www.ebay.com/aw-cgi/eBayISAPI.dll?VerifyRegistrationShow"
Actual link: "http://www.security-validation-your-account.com/signin.ebay/signin.ebay.com/acounts/memb/avncenter/dll87443/BayISAPI.dll/sign_in.htm"
Phish Website IP: "62.141.48.5"


Company: Associated Bank
Date: 4/14/2005
Subject line: "Online Alert: online account is blocked"
Sender: message452@associatedbank.com
Information request: Getting victim's paypal username(email)/password. Getting victim's Associated Bank site username/password, credit card information.
Visible link: "Sign on to Limited Banking Account"
Actual link: "http://202.3.144.4/SITE/index.php"
Phish Website IP: "202.3.144.4"


Company: Union Planters bank
Date: 4/11/2005
Subject line: "Customer Alerting Service - Account is on hold"
Sender: Union Planters Customer Support
Information request: Getting victim's Union Planters username/password, credit card information.
Visible link: "http://www.unionplantersonlinebank.com/upib/index.html?=update"
Actual link: "http://www.unionplantersonlinebank.com/upib/index.html?=update"
Phish Website IP: "61.55.138.122"


Company: Comcast
Date: 4/7/2005
Subject line: "ATTENTION: Comcast account reactivation !!! ID: "
Sender: SebastianMareygrossness@comcast-support.biz
Information request: Getting victim's Comcast username/password, credit card information, address.
Visible link: "To update your account click here"
Actual link: "http://comcast-database.biz/"
Phish Website IP: "66.113.136.225"


Company: Paypal
Date: 4/1/2005
Subject line: "WARNING!!! Yout PayPal account will be suspended!!!"
Sender: unknown
Information request: Getting victim's paypal username(email)/password.
Visible link: "Click here to confirm your account"
Actual link: "http://www.paypal-cgi.us/webscr.php?cmd=LogIn"
Phish Website IP: "68.142.234.44"


Company: Huntington Bank
Date: 3/30/2005
Subject line: "Huntington Bank EmaiI - [recipient address] - Verification"
Information request: Getting victim's credit card information.
Visible link: "https://onlinebanking.huntington.com/index.asp?confirm=yes"
Actual link: "http://dllconf.com:280"
Phish Website IP: "218.94.38.126"


Company: Charter One Bank
Date: 3/24/2005
Subject line: "Charter One - Client's Details Confirmation"
Sender: "Staff_ID9955@banksecurity.com"
Information request: Getting victim's credit card information, Charter One username/password.
Visible link: "Click Here"
Actual link: "http://www.lbgirls.net/galleries/001/galler.htm"
Phish Website: "http://67.18.75.101/buttcam/resources/logon/SecurityMeasures.php"


Company: Pulse EFT
Date: 3/21/2005
Subject line: "Confirmation- PULSE debit card electronic fund transfer," followed by the recipient's email address
Sender: "PULSE EFT Association "
Information request: Getting victim's Pulse EFT debit card information, Pulse EFT username/password.
Visible link: "http://www.pulse-eft.com.fd-asp.us\/login/?...(truncated)"
Actual link: "http://www.pulse-eft.com.fd-asp.us\/login/?...(truncated, same as visible link)"
Phish Website IP: "64.91.236.66"


Company: KeyBank
Date: 3/17/2005
Subject line: "KeyBank Customer Confirm Your Identity"
Sender: "Key Team "
Information request: Getting victim's KeyBank username/password, ATM/Debit card information.
Visible link: "http://accounts.keybank.com/ConfirmHelp?start=yes"
Actual link: "http://218.55.77.130/accounts2.keybank.com/ib2/Controllerrequester=signon&CookieID=11985569885&pageType...(truncated)"
Phish Website IP: "218.55.77.130"


Company: Bank of Oklahoma
Date: 3/16/2005
Subject line: "Update your Online Banking Records"
Sender: "Bank of Oklahoma Security Service "
Information request: Getting victim's credit card and other personal information.
Visible link: "https://onlinebanking.bankofoklahoma.com/OnlineBanking/login.aspx?ReturnUrl=%2fOnlineBanking%2fDefault.aspx"
Actual link: "http://www.zglobia.com/OKLAHOMA/index.php"
Phish Website IP: "217.76.130.42"


Company: AOL
Date: 3/9/2005
Subject line: "Credit Card Declined Notice"
Sender: customersupport@aol.com
Information request: Getting victim's credit card and bank account information, AOL username/password, personal information. See e-mail.
Visible link: "Immediately by clicking here"
Actual link: "http://mansmedia3.com/aol-startpage/index.php"


Company: eBay
Date: 3/7/2005
Subject line: "eBay: Account Violate User Agreement"
Sender: eBay@ebay.com
Information request: Getting victim's eBay and Paypal username/password, credit card and bank account information, personal information. See e-mail.
Visible link: "click here"
Actual link: "http://218.154.123.224/signin.ebay.com/ws/eBayISAPI..." (truncated)


Company: e-Bullion
Date: 3/1/2005
Subject line: "e-Bullion accounts investigations"
Sender: security@e-bullion.com
Information request: Getting victim's e-Bullion username/password. See e-mail.
Visible link: "click here"
Actual link: "http://e-bullion.safeedible.net/"


Company: Washington Mutual Bank
Date: 2/24/2005
Subject line: "Unauthorized Access To Your Washington Mutual Account"
Sender: Washington Mutual
Information request: "Getting victim's credit/debit card information, personal information. See e-mail."
Actual link: "http://login.personal.wamuin.com/logon/logon2.asp/login.php"


Company: SouthTrust Bank
Date: 2/22/2005
Subject line: "Notification From Southtrust Online Banking"
Sender: "Southtrust Bank "
Information request: Getting victim's credit/debit card information.
Visible link: "http://www.southstrustonlinebank.com/index.html?=verify "
Actual link: "http://www.southstrustonlinebank.com/index.html?=verify"
Phish Website IP: "219.153.9.16"


Company: Huntington Bank
Date: 2/18/2005
Subject line: "Unauthorized Access:NA (Routing Code: C840-L001-Q-T-S111)"
Sender: Huntington Bank Security Update Notification
Information request: Getting victim's credit/debit card information, SSN, personal information.
Visible link: "https://onlinebanking.huntington.com/login.asp"
Actual link: "http://210.95.56.101/Get%20Home%20Page%20Servlet/onlinebanking.huntington.com/security/index.htm"
Phish Website IP: "210.95.56.101"


Company: Paypal
Date: 2/17/2005
Subject line: "Unauthorized Access:NA (Routing Code: C840-L001-Q-T-S111)"
Sender: support@paypal.com or service@paypal.com
Information request: "Getting victim's credit/debit card information, bank account information, personal information."
Visible link: "https://www.paypal.com/cgi-bin/webscr?cmd=_login-run"
Actual link: "http://tigermail.co.kr/%20/cgi-bin/webscrcmd_login.php"
Redirects to: "http://tigermail.co.kr"


Company: MSN
Date: 2/15/2005
Subject line: "Subjects vary widely within the spam wave "
Sender: various addresses at "msn.net" or "msn-network.com"
Information request: "During one of our regular automated verification procedures we've encountered a some problem caused by the fact that we could not verify the info that you provided during registration. We urgently ask you to submit your information so that we could fully verify your identity, Otherwise your access to MSN services for your account will be deactivated until you pass verification process."
Visible link: an "Apply here" link
Actual link: various domains. The names are constructed upon a "word-slash-msn.com," or "msn-slash-word.com" scheme, i.e. "explore-msn.com" or "msn-site.com"


Company: Keybank
Date: 2/8/2005
Subject line: "Huntington - Urgent Security Notification"
Sender: accounts@keybank.com
Information request: "Enter the information requested to activate your card in order to complete your transaction. It only takes a moment, and then your card will have password protection whenever you shop online."
Visible link: "Apply now" image
Actual link: "http://www.securesmartpassword.com/ssl/smart_key/smart_key_login.htm"
Redirects to: "https://s.p3.hostingprod.com/@www.securesmartpassword.com/ssl/smart_key/smart_key_login.htm"


Company: Huntington Bank
Date: 2/2/2005
Subject line: "SECURE YOUR ACCOUNT NOW"
Sender: accounts@keybank.com
Information request: "Huntington security systems require that you test your browser now to see if meets the requirements to Huntington Online Banking. Pleas follow this link in order to verify security update installation."
Visible link: https://onlinebanking.huntington.com/security/login.jsp
Actual link: "http://203.109.100.33/.../onlinebanking.huntington.com/login.html"


Company: Amazon.com
Date: 1/31/2005
Subject line: "Account Verification Notice"
Sender: service@amazon.com
Information request: "During our regular update and verification of the accounts, we couldn't verify your account information...Please update and verify your information below."
Visible link: "Sign in using our secure server" button
Actual link: "http://www.amazon-department.com/exec/obidos/flex-sign-in/ref-ya_hp_pi_5/1-click-settings/104-0220521-9331958"
Redirects to: 68.142.234.35


Company: MSN
Date: 1/27/2005
Subject line: "Banking Online customer Report"
Sender: MSNSuspending Updating
Information request: "During one of our regular automated verification procedures we've encountered a some problem caused by the fact that we could not verify the info that you provided to us. Please, give us the following information so that we could fully verify your identity. Otherwise your access to MSN services will be closed."
Visible link: "http://www.msnassistance.com/index.php"
Actual link: "http://www.msnassistance.com/index.php"


Company: M&I Marshall & Ilsley Bank
Date: 1/25/2005
Subject line: "Banking Online customer Report"
Sender: M&I Marshall Rewiew Account Service
Information request: "Please verify your account parity to given email."
Visible link: "Login to Online Account link"
Actual link: http://www.payterm.com/alert.html
Redirects to: http://168.188.99.111/cib/login.jsp


Company: Washington Mutual Bank
Date: 1/21/2005
Subject line: "Re-Submit: wamu.com Urgent requirementvu" (the last 2 letters are randomized)
Sender: wamu-Notification-Urgelqht@wamu.com
Information request: "Please verify your account parity to given email."
Visible link: "https://login.personal.wamu.com/verification.asp?d=1"
Actual link: http://200.101.59.26/webmail/w/index.html


Company: TCF Bank
Date: 1/19/2005
Subject line: "TCF express checking card alert"
Sender: support-auto32@tcfexpress.com
Information request: "Please verify your account parity to given email."
Visible link: "http://tcf-online.com/index.php?ZHWY=760984570583562..."
Actual link: http://tcf-online.com/index.php?ZHWY=760984570583562...


Company: PayPal
Date: 1/14/2005
Subject line: "New email address added to your account"
Sender: aw-service@paypal.com
Information request: "You have added laptopseller@yahoo.com as a new email address for your PayPal account. If you did not authorize this change or if you need assistance with your account, please contact PayPal customer service..."
Visible link: "https://www.paypal.com/row/wf/f=ap_email"
Actual link: http://www.fast-email-address.us/phpss/


Company: Citizens Bank
Date: 1/12/2005
Subject line: "Important Online Banking Alert"
Sender: Citizens Bank
Information request: "your account information needs to be confirmed due to inactive customers, fraud and spoof reports. If you could please take 5-10 minutes out of your online experience and renew your records you will not run into any future problems with the online service. However, failure to confirm your records may result in your account suspension."
Visible link: "a 'Click here' type link "
Actual link: http://219.137.205.143/CitizensBank/OnlineBanking/index.html


Company: eBay
Date: 1/11/2005
Subject line: "Account Verification "
Sender: aw-confirm@ebay.com
Information request: "Five password bruteforcing attems were performed on your eBay account. You must register and ID Verify certificate in order to remain in the eBay Community."
Visible link: "a 'Click here' type link "
Actual link: http://www.lemondedegaetane.com/aw-cgi/ws2/SignIn.html


Company: AOL
Date: 1/10/2005
Subject line: "'You've Got (2) Pictures@AOL.com'"
Sender: Mcs39@aol.com
Information request: "Another AOL member has sent you (2) picures! Enter here to view your photo album"
Visible link: "http://search.aol.com/aolcom/redir?src=websearch&requestId=e244a572381a910e&clickedItemRank=3&userQuery=pictures&clickedItemURN=http://akfhdkfadsdfa.info/signin"
Actual link: http://akfhdkfadsdfa.info/signin


Company: KeyBank
Date: 1/07/2005
Subject line: "Keybank Internet Banking Account Suspension Notice!"
Sender: clientdepartment@keybank.com
Information request: "We recently noticed one or more attempts to log in to your KeyBank account from a foreign IP address and we have reasons to believe that your account was hijacked by a third party without your authorization. If you recently accessed your account while traveling, the unusual log in attempts may have initiated by you. However if you are the rightful holder of the account, click on the link below and submit, as we try to verify your account."
Visible link: "https://accounts2.keybank.com/ib2/Controller?requester=signon"
Actual link: http://key.accountaxservices.com/ib2/SecureReauthController1.php


Company: AOL
Date: 12/23/2004
Subject line: "Verify your account"
Sender: Aol Billing Department
Information request: "...It has come to our attention that your billing informations are out of order. If you could please take 5-10 minutes out of your online experience and update your personal records so you will not run into any future problems with the online service..."
Visible link: "http://billing.Aol.com/"
Actual link: http://64.23.10.36/AOL/


Company: U.S. Bank
Date: 12/22/2004
Subject line: "Update or verify your account informations"
Sender: customer-service@mail.hotmail.com
Information request: "Recently there have been a large number of identity theft attempts targeting US Bank Customers. In order to safeguard your account, we require that you confirm your banking details"
Visible link: "https://www.usbank.com/internetBanking/RequestRouter?requestCmdId=upt"
Actual link: http://210.104.211.21/.ft./.1./


Company: Visa
Date: 12/21/2004
Subject line: "Update or verify your account informations"
Sender: Visa Service Department
Information request: "To ensure your Visa card's security, it is important that you protect your Visa card online with a personal password. Please take a moment, and activate for Verified by Visa now"
Visible link: "'Activate Now for Verified by Visa' link in the bottom of the email"
Actual link: http://usa.visa.com/track/dyredir.jsp?rDirl=http://200.251.251.10/.verified/


Company: eBay
Date: 12/04/2004
Subject line: "Update or verify your account informations"
Sender: eBay
Information request: "we have detected a slight error in your billing information... This might be due to either of the following reasons... Please update and verify your information by clicking the link below..."
Visible link: "http://cgi1.ebay.com/aw-cgi/ebayISAPI.dll?UPdate"
Actual link: http://67.18.151.194/~haibace/cgi-bin/ebay-update-account-details-info-ebay-update-account-details-info-ebay-update-account-details-info-ebay-update-account-details-info-ebay-update-account-details-info-ebay-update-account-details-info/eBay/signin.html


Company: AOL
Date: 12/03/2004
Subject line: "Notice : Your account will be suspended !"
Sender: AOL
Information request: "...your AOL account information needs to be updated...If you could please take 5-10 minutes out of your online experience and update your personal records you will not run into any future problems with the online service"
Visible link: "http://update.AOL.com"
Actual link: http://olyscos.com/shop/prodspics/aolcomsupport.htm


Company: EarthLink
Date: 12/02/2004
Subject line: "Earthlink payment is cancelled"
Sender: support@earthlink.com
Information request: "Your automatic payment was declined by your bank or credit card company. You can update your billing information or make a one-time credit card payment by answering to this email by pressing REPLY or mailing your billing details..."
Visible link: "invoice-apply@earthling.net"
Actual link: invoice-apply@earthling.net


Company: Suntrust
Date: 11/30/2004
Subject line: "Security Alert on Microsoft Internet Explorer"
Sender: support@suntrust.com
Information request: "SunTrust security systems require that you test your browser now to see if it meets the requirements for SunTrust Internet Banking. Please sign on to Internet Banking in order to verify security update installation."
Visible link: "Sign on"
Actual link: http://82.90.165.65/s/login.html


Company: Washington Mutual
Date: 11/29/2004
Subject line: "WARNING: CONFIRM YOUR ONLINE BANKING ACCOUNT"
Sender: Washington Mutual Security Department
Information request: "We recently have determined that different computers have logged onto your Online Banking account, and multiple password failures were present before the logons. We now need you to re-confirm your account information to us. If this is not completed by December 5, 2004, we will be forced to suspend your account indefinitely, as it may have been used for fraudulent purposes."
Visible link: "Click here to verify your account"
Actual link: http://218.62.80.234/openwebmail/wamusk/index.php?MfcISAPICommand=SignInFPP&UsingSSL=1&email=&userid=