Phishing and fraud: the make-believe industry


Bianca Dima

Bitdefender, Romania

Alin Damian

Bitdefender, Romania
Editor: Helen Martin


The digitization of shopping and banking, the increasing use of social media, and the popularity of the Internet have made users more vulnerable to phishing, identity theft and other forms of online fraud. Bianca Dima and Alin Damian outline some subtle differences between two of the fastest growing online traps, phishing and fraud, and highlight some of the mechanisms that fool people into placing their sensitive data and money into the hands of the attackers.

The digitization of shopping and banking, the increasing use of social media, and the popularity of the Internet have made users more vulnerable to phishing, identity theft and other forms of online fraud. In 2012, phishing caused losses of $1.5 billion globally, according to security firm RSA [1], and the number of attacks launched under this umbrella last year was 59% higher than in the previous year.

Cybercriminals’ earnings are likely to be a lot higher, as these figures were determined based only on registered incidents. Statistics from the Internet Crime Complaint Center [2] reveal that the most common complaints refer to police impersonation scams, identity theft and advance fee fraud.

The majority of e-threats are commercially driven, but differences exist between the targets and methods used to trick unwary users. Phishing, for instance, may have immediate, direct monetization objectives, but the initial goal of other fraudulent schemes, such as employment scams, may be identity theft or the recruitment of money mules.

This paper aims to outline some subtle differences between two of the fastest growing online traps, phishing and fraud, and to shed light on the mechanisms that fool people into placing their sensitive data and money into the hands of the attackers.

1. Phishing

1.1 Definition

Phishing is a money-making social engineering scam whereby users have their personal details stolen through fake websites that mimic the websites of real organizations. Hundreds of fake websites are created and thousands of users are tricked every day.

Credit card details, social security numbers, usernames and passwords are among the many details mined through phishing attacks. Relying on finely tuned persuasive techniques and heavily exploiting the psychological triggers of online behaviour, phishing has been around for over 16 years, and is likely to remain a top threat for the foreseeable future.

1.2 How do they do it?

Scammers create a sense of urgency by warning users that they will have their accounts suspended or lose their money or personal data, or by making an incredible sounding offer that is set to expire within a short period (e.g. 24 hours).

The sense of urgency encourages victims to respond to the bait, in doing so delivering their sensitive details to the criminals’ databases.

According to McGrath and Gupta’s study on the modi operandi of phishing [3], a phishing domain is live on average for three days, 31 minutes and eight seconds. Though phishing attack numbers continue to climb, the median attack duration (uptime) decreased in 2012 from 15.3 hours per attack to 11.72 hours per attack [4]. The RSA H1 2012 report [5] concluded that ‘Had attack medians remained the same, the monetary losses to phishing in H1 2012 would have exceeded US$897 million.’

1.3 Industries at gunpoint

Financial institutions, payment and retail services are the industries that are most commonly targeted by phishers. According to Bitdefender, some of the most well known brands used for phishing purposes include PayPal, Visa, Citibank, Bank of America, AOL, Wells Fargo and MasterCard – but cybercriminals also keep popular social networks and gaming platforms at gunpoint. The list of affected companies grows continuously, taking in countless brands and industries.

Most phishing web pages are placed under hacked URLs and are spread rapidly through spam, social media scams and poisoned web searches. In addition, highly targeted attacks such as spear phishing or whaling are directed at specific organizations and individuals.

More than half of the respondents of a Proofpoint survey [6] in June 2012 believed that, in the past year, their organization had been targeted by a spear phishing attack designed specifically to trick its employees.

The US is still the country that hosts the greatest number of phishing URLs, which can be explained by the fact that it hosts most of the world’s websites and domains. According to the Bitdefender GeoIP analysis, the UK, Brazil, Canada and Germany are also the source of a significant number of phishing sites.

1.4 Phishing arsenal

Cybercriminals employ an extensive range of techniques to acquire sensitive information. In addition to typosquatting and manipulating subdomains, phishers also use link descriptions that suggest a trustworthy destination: in more complex attacks, the descriptive text is displayed when users hover the cursor over a link in the browser. An alternative trick uses JavaScript commands, which enable phishers to place an image of a genuine URL over the address bar, thus obscuring the phishing URL, or to open a new address bar containing a legitimate URL, once again obscuring the real phishing address.

Another tactic exploits vulnerable servers that host several websites. By adding a phishing page to each of the domains on the server, hundreds of phishing URLs can be created at different online locations and the scam will spread more efficiently.

Users may also be brought to phony websites through ‘tabnabbing’, a computer exploit and phishing technique which silently redirects them to the phishing location after manipulating multiple browser tabs.

2. Fraud

In the past couple of years, an increasing number of fraudulent websites have appeared impersonating hotels, banks, law firms, shops, online casinos, rental and escrow firms. Categories of scams include advance fee fraud, employment scams, conference fraud, money loan, pay per click, piracy, lottery and pet scams.

These types of fraud tend to be more targeted than (classic) phishing and the attackers make their money from small, gradual attacks. The average term for the registration of a fraudulent domain is one year.

2.1 Fake banks

Fake banks reign supreme in the online fraud category. Many of the websites are made to look very realistic, with logos and banners that are identical to those of their genuine counterparts, as well as very similar names and URLs.

Some of the recent fake bank URLs we have seen include,, and

While carefully orchestrated bank phishing requires the exact design of a genuine website to be copied, fake bank sites tend to focus on copying logos and banners, giving a twist to the look and feel of authentic sites. Fake banks may be used to bolster the claims of a scammer who is usually engaged in other fraud such as a standard advance fee fraud. The financial brands that fake websites are currently most commonly based around are HSBC, Santander, Wells Fargo and Sun Trust.

A fake bank site.

Figure 1. A fake bank site.

2.2 Fake law firms

Some scammers register websites for fake legal firms – claiming to specialize in particular areas of practice such as petroleum and gas, banking, finance or taxation. They then attract users with links spread through targeted attacks. Commonly, fake law firms contact victims with demands for payment of fines, debt collection, cease-and-desist notices and so on.

Fake law firm claiming its ‘sole mission is the total satisfaction of [its] clients’.

Figure 2. Fake law firm claiming its ‘sole mission is the total satisfaction of [its] clients’.

2.3 Fake hotels

Fraudsters also set up fake hotel websites. One of the most common ways in which these are used is in job scams – through the ‘careers’ section of the site, innocent users are tempted with the prospect of job vacancies. Fake hotel sites are often used to recruit money mules via this method: victims unwittingly transfer illegally gained money on behalf of the scammers to make it untraceable, or become accomplices for a percentage of the revenues.

Other ways in which fake hotel sites are used to generate income for the scammers include asking victims to make an advance payment for the booking of a (non-existent) room.

Many fake websites are even better crafted than some legitimate ones, but an attentive eye will catch clues as to their lack of authenticity. For instance, one fake hotel site listed a phone number that was located in the US, while the address took users to a park in Montréal, Canada (see Figure 3).

Fake hotel site: the address given for the hotel was in Montréal, Canada, the map shows Central Park in New York, and the phone number is a US number.

Figure 3. Fake hotel site: the address given for the hotel was in Montréal, Canada, the map shows Central Park in New York, and the phone number is a US number.

2.4 Lottery scams

Lottery scams are among the most common scams on the Internet, targeting users who are apparently unaware that they first have to play the lottery in order to win it.

Fraudsters inform victims that they have won a lottery or sweepstake, but in order to receive the lump sum payout, they must first pay some taxes and processing fees. Lottery scams tend to be more effective when promoted through fake websites rather than widespread spam campaigns.

2.5 Russian oil scams

This fraud targets people looking for investment opportunities. Some Russian oil scams use fake banks to issue bogus cheques and facilitate advance fee payments which the scammers claim are customary in Russia. Criminals may also set up fake law firms, shipping companies and even government websites to give the process a more legitimate feel. The purpose is to fool the victim into paying advance fees for (non-existent) oil or other commodities.

2.6 Rental scams

Fake property rental sites are used by scammers to lure users searching for accommodation. Fake listings are posted to various property search sites, which link to fake sites that are made to look genuine by including property descriptions, photographs and addresses. The scammers make their money by insisting that the prospective tenants make a payment (often via money transfer) and/or submit their personal details, either as a reservation fee for the property or as an upfront payment of housing expenses.

Rental fraud site.

Figure 4. Rental fraud site.

2.7 Fake shops

As sales figures for online shopping continue to rise, users should be aware of an increasing number of fake stores. Fraudsters attract victims by offering low prices, incredible offers that will expire within a short time frame, or claiming to have goods in stock that are in short supply elsewhere.

2.8 Escrow scams

Internet escrow services are used as an intermediary between buyers and sellers when they don’t know (or trust) each other. With the growing popularity of these services, scammers are setting up an increasing number of fake escrow websites to deliver ‘secure’ transactions.

The scammer poses as the recipient of money/seller of goods and then requests the use of an escrow service to complete the transaction – which is, in fact, the scammer’s own service. The victim sends money to the escrow service, at which point the scammer closes the site down, pocketing the money.

Genuine escrow sites are specifically set up to handle users’ money, so the involvement of third parties such as MoneyGram or Western Union should be a warning sign.

Fake escrow service.

Figure 5. Fake escrow service.

Another sign to look out for is a secure server connection (SSL) – legitimate escrow websites will use secure connections to protect their customers, so it is wise to check for https:// in the browser address bar. (However, fraudulent websites have been known to ‘borrow’ the logo of SSL verification services such as VeriSign, so users should always check that the site is listed by the relevant authentication company.)

2.9 Advance fee fraud

Advance fee fraud (also known as ‘foreign money transfer scams’ or ‘419 fraud’) is a method used by scammers to make quick money and sometimes to steal users’ identities. It involves the victim paying an initial sum of money (sometimes in several instalments), on the understanding that not only will it be refunded, but that they will receive a share of a much larger sum once the initial transfer (usually to a foreign country) has been made. Western Union and MoneyGram are the two most popular money transfer services used by scammers wanting to obscure their trail.

Victims may be duped into parting with their money after receiving a ‘business proposal’, usually describing some urgent need to transfer a large sum of money out of the country, and requesting assistance in doing so.

2.10 Pet scams

Buying or adopting pets online has become a risky business, as scammers have infiltrated legitimate services. They advertise animals (often particularly popular breeds, at very competitive prices) via various online services and usually claim that the animal has to be shipped to the recipient, requiring various fees to be paid up front. Of course, in reality the animals do not exist.

2.11 Loan scams

Loan scammers trick victims with the lure of very low interest rates. They entice them to fake websites, then request advance fees for setting the loan up, citing reasons such as insurance, deposits, certificates or registration.

2.12 Employment scams

In employment scams, scammers posing as recruitment agencies or employers offer attractive job opportunities but require the applicant (victim) to make advance payments for things such as work visas, travel expenses, finder’s fees and so on. Names, addresses, banking information and other personal details obtained throughout the ‘recruitment’ process may also be used for identity theft.

2.13 Warez and piracy

Fake warez and piracy websites usually appear in search results when users are looking for pirated software or ‘original’ software for a lower price than is available on the legitimate market. The sites usually take the users through several loops to reach a download link – which is fake. Either the promised software doesn’t exist, or it has malicious components. Users risk having their money and credit card details stolen, and may end up with malware on their devices as well.

2.14 Pay-per-click fraud

In pay-per-click advertising, publishers display clickable links in exchange for a fee for each time someone clicks on the link, taking them through to the advertiser’s website.

Fake pay-per-click companies target advertisers seeking to increase the volume of visitors to their website. Victims are asked to pay a fee and hand over their details in advance. Fake hits are then created either manually or by automated means.

2.15 Conference scams

Fake conference websites are set up to collect fees and personal details from potential conference participants.

Targeted emails are sent inviting the recipient to the fictitious conference and including a link to the fake conference website. Typically, participants are asked to provide their personal details and to make an upfront payment, either as a conference registration fee, for the reservation of hotel accommodation, or even for assistance with visa application processing and travel booking.

The scammers go to considerable lengths to make the fake websites look authentic, and target their scams carefully – examples of conferences scams seen recently include conferences on climate change, human rights issues and biochemistry, NGO workshops and many more.

3. Phishing and fraud: differences

Phishing and fraud may be driven by the same money making goals, but subtle differences between their mechanisms justify separate classification and blacklisting processes.

1UptimeShort period of timeLonger period of time
2DomainHijackedSpecially designed
3PromotionSpam widespread campaignsSocial media targeted campaigns

Table 1. Differences between phishing and fraud.

3.1 Uptime

One important distinction focuses on the median attack duration (uptime). The average length of time that a phishing attack is online is shorter than the uptime of a targeted fraud or fake website created from scratch.

This may be due to the fact that organizations and hosting companies have become better at detecting phished URLs that damage their brand and reputation. In registering and creating a website from scratch for a completely fictitious organization, fraudsters rarely affect renowned brands. With fake banks, the potential for damage is greater, as fraudsters often try to pose as the local offices of legitimate financial institutions.

Individual users rarely have the know-how or power to fight targeted fraud, and even financial institutions do not always put up their best weapons in the battle against fraud. Europol’s 2012 payment card fraud report stated: ‘Acceptable levels of fraud and expected net profit for banks are more important than the real prevention of fraud that would lead to depriving criminals of the huge amounts of money they are stealing using EU payment cards.’ [7], [8].

Different promotion strategies also allow fraudulent websites to have a longer uptime, while phished websites are taken down more rapidly. Depending on how heavily they are promoted, some fraudulent URLs persist for longer than others.

3.2 Domain and URL management

Phishing web pages aim to replicate the exact content of websites owned by real organizations – most commonly a bank or a payment service – usually on a hacked or compromised domain. Cases of fraud, however, often have bogus entities created from scratch, using domains bought anonymously and registered for a longer period.

Another contrast between phishing and fraud is the manipulation of addresses. For instance, the URL of a legitimate hotel’s website, ‘’, might be used as the basis for a fake website, ‘http://real’.

When creating URLs, cybercriminals sometimes aim to create the impression that the fake site is affiliated to a legitimate company. Meanwhile, (most) phishing URLs are less well crafted, as they are usually placed on compromised legitimate domains.

To make the scams more believable, more than 90% of fake banks and financial institutions are registered on the top level domain ‘.com’. The second choice for fraudsters is ‘.net’ (almost 4%), followed by ‘.biz’, ‘.org’ and ‘.uk’, each with 2% of the overall fake banks registered.

Many fraudulent websites (over 90%) are registered for just a year, which is something to check using the WHOIS tools available on the Internet. In most cases, a one-year registration combined with a webmail address for the registrant (e.g. Yahoo!, Gmail or Hotmail) is a strong indication of a scam.

3.3 Promotion techniques

Phished pages are promoted intensively through spam and social media, while fraudulent sites rely on more targeted techniques which attract less attention, as attackers want to avoid having their websites taken down by hosting companies.

4. Guidelines

The following are some tips to help users stay away from fraud and phishing attacks:

  • Before making any payment online, booking a hotel room or hiring a law firm, check the WHOIS information for the website, which will give you clues about the website’s domain registration, hosting and online activity. Remember that more than 90% of fake websites are registered for just one year. Also, fraudsters tend to use registrant emails that offer anonymity, such as ‘’ or ‘’, as well as free webmail addresses from providers such as Yahoo!, Hotmail, and Gmail. A legitimate organization is unlikely to do this. According to Bitdefender, 19.09% of all fake banks are registered to the email address, while almost 6% are registered to

  • Always be on guard when making an online payment, and don’t use your credentials unless you are 100% sure it’s a genuine website.

  • An unclear web address, spelling errors and poor grammar might be clues that point to a phishing attack. Typing the legitimate URL directly into the browser rather than clicking a link in an email may also help you stay away from scams.

  • Check the list of unauthorized banks [9] in your country when dealing with a financial organization you haven’t heard of before.

  • Double check a banker’s or seller’s identity when he calls or sends you a targeted email. Remember that scammers may go as far as creating a fake website to trick a single user, making money out of small, but successful attacks.

  • Be on your guard when using social networks. Select online ‘friends’ carefully and consider the information you share, and the way you interact with applications.

  • ‘UK global redirecting’ numbers that start with +4470 are a major warning of a scam. Though the country code ‘+44’ may look like a British number, the ‘70’ prefix means the phone call will be redirecting to a number which may be in any country but the UK.


With minimal investment in technology and time, phishing and fraudulent websites provide endless income for cybercriminals. Though many organizations strive to create a safer online environment, victims are still sending their financial information and money to unknown destinations all over the world.

Use of an anti-virus solution will help protect users not only from malware, but also from phishing, identity theft and targeted fraud attacks. User education and raising awareness of phishing and targeted fraud may also help contribute to a safer online environment and a drop in cybercrime revenues.


[1] Kessem L.S. Laser Precision Phishing – Are You on the Bouncer’s List Today? Speaking of Security The Official RSA Blog and Podcast.

[2] Internet Crime Complaint Center. 2011 Internet Crime Report.

[3] McGrath, D.K.; Gupta, M. Behind Phishing: An Examination of Phisher Modi Operandi.

[4] Anti-Phishing Working Group.

[5] Phishing in Season: A Look at Online Fraud in 2012. Speaking of Security The Official RSA Blog and Podcast.

[6] Proofpoint Reports Findings from Email and Information Security Trends Survey Conducted at Microsoft TechEd Conference.

[7] Payment Card Fraud in the European Union. Perspective of Law Enforcement Agencies.

[8] Payment Card Fraudsters Earn 1.5 Billion Euros a Year, Europol Says. Bitdefender Resource Center.

[9] Unauthorised internet banks. Financial Services Authority.



Latest articles:

Fighting Fire with Fire

In 1989, Joe Wells encountered his first virus: Jerusalem. He disassembled the virus, and from that moment onward, was intrigued by the properties of these small pieces of self-replicating code. Joe Wells was an expert on computer viruses, was partly…

Run your malicious VBA macros anywhere!

Kurt Natvig wanted to understand whether it’s possible to recompile VBA macros to another language, which could then easily be ‘run’ on any gateway, thus revealing a sample’s true nature in a safe manner. In this article he explains how he recompiled…

Dissecting the design and vulnerabilities in AZORult C&C panels

Aditya K Sood looks at the command-and-control (C&C) design of the AZORult malware, discussing his team's findings related to the C&C design and some security issues they identified during the research.

Excel Formula/Macro in .xlsb?

Excel Formula, or XLM – does it ever stop giving pain to researchers? Kurt Natvig takes us through his analysis of a new sample using the xlsb file format.

Decompiling Excel Formula (XF) 4.0 malware

Office malware has been around for a long time, but until recently Excel Formula (XF) 4.0 was not something researcher Kurt Natvig was very familiar with. In this article Kurt allows us to learn with him as he takes a deeper look at XF 4.0.

Bulletin Archive

We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.