This story was first published on September 16, 2013
Most modern browsers have built-in mechanisms that try to protect users from phishing scams. If a user clicks a link in a reported phishing scam email, the browser will display a page that warns that the user is about to go to a fraudulent website. The warnings very clearly explain the possible dangers of proceeding.
These systems check the clicked URL against a regularly updated list of phishing sites. Of course, if a phishing site has not yet been reported and listed, the browser will not display a phishing warning and, unfortunately, many people still get caught out. Nevertheless, the systems do effectively thwart many scam attempts.
To overcome this impediment to their nefarious schemes, phishing scammers commonly send their fake forms via email attachments. When opened, the HTML attachment will load the fake form in the user’s browser and it will appear like a normal webpage. And, like a “normal” phishing page, any information submitted on the fake form will be sent to criminals. But, because it was delivered as an attached file, the form will not normally be included on the browser’s list of phishing sites and, therefore, no warning will be displayed.
No legitimate entity is ever likely to expect its users to provide login credentials and other sensitive personal and financial information via an HTML form contained in an attached file. Such forms will not be secure as all forms that collect sensitive information certainly should be.
So, any message that asks you to provide personal and financial information by filling in such a form should be treated as extremely suspect. If you do open an attached file and it loads a form in your browser that asks for your account username and password and/or identification information and financial data, back out fast! DO NOT proceed.