Saturday, October 4, 2008

Maybank2U Phishing Alert

I received a Maybank2U phishing email trying to get my user name, password and even the TAC code. Not that I have a lot of money inside my bank account. With the money in my bank account, I think it is just enough for you to go and buy some sweets. Yes, that is how poor I am. Heck, take the account if you want to, but on second thought, better NOT, for security reasons.

Now, what is phishing, you may ask? Phishing is the illegal, deceptive process of trying to get confidential or private information such as user names, passwords and financial details, commonly by masquerading as an established institution or a trustworthy website.

The most common phishing method is an e-mail that prompts users to click on a fake link, which brings them to a fake website built to collect sensitive or private information. It is surprising that even now, with all those phishing alerts, people are still getting scammed.

You now basically know what phishing is, so back to the focus of the topic. I am going to show you an example of a phishing email and also how to detect a phishing attempt.

As I was saying earlier, I received an email from Maybank2U that asks for my user name and password. Maybank2U is an online portal of Maybank, a bank based in Malaysia if you don't know yet.

Being the skeptical person I am, me spidey sense kicked into action, and upon inspection I found out that the email is not legitimate and is a phishing attempt.

Phishing Email

Now, how do you detect a phishing attempt? Or how do I know that it is a fake or phishing email? First of all, look at the link provided. Hover your mouse cursor over it, and the status bar of your internet browser should display the actual URL the link points to. In this case, it is different from the displayed link.
Hidden link/illegitimate link

Always remember to not click links in emails. If you are really unsure, you can always copy and paste the link into a new browser to check it. For example, I copied the said link into a new browser and the displayed link does not exist, which further reinforces that this email is definitely a phishing attempt.
Copy and paste into new browser
No such link exists

In case you are wondering where the link leads to and why a lot of people are still scammed, BenardCometh Revelations took the risk of being scammed by going through the process, just for the sake of all readers out there, who I am pretty sure are countable on ten fingers at last count. Am I thoughtful or am I very thoughtful?

Hence, I clicked on the link and another window popped up which at first glance looks almost identical to the real/original Maybank2U website. Oh, the deception. Compare for yourself. The fake and the real in the following easy comparison created by yours truly.

Comparison between fake and real

Note the following favicon, as it will be referred to later. For the uninitiated, the favicon is the icon circled in red.

My user name and password - note the favicon

Then, after I clicked login, an error message popped up. Notice that the error message is from cruky and not Maybank2u.

After making changes to my invalid password, I proceeded to re-enter a more likely password for the scammers to accept, and another screen showed up. What else but the TAC code. Now, for the uninitiated, in order to transfer money, a TAC code is needed and is sent to the user's mobile phone. I almost dropped to the floor laughing when I saw the supposed TAC code page.
Fake TAC page
TAC confirmation

Obviously, if you have reached the TAC confirmation page, then congratulations. You have officially been scammed. Be prepared to have your money transferred to other accounts or even withdrawn. That is why it is vital to detect the phishing attempt early on. Don't just click on links, especially email links, for the sake of clicking, and of course don't blindly follow the illegitimate process. Have some sense, read BenardCometh Revelations.

That is the end of the Maybank2U phishing attempt example. Now, let's have a look at the hidden link. Upon inspection, the website is shoddy work with a lot of links not working, and here one would think that they would at least make it look as if they are commissioned to collect the sensitive information.

Talk about professionalism in scamming. Fail. And remember the Favicon. The same. = Scam
Link errors throughout the website

In conclusion, please, oh dear readers of BenardCometh Revelations, be at least a bit skeptical at all times to prevent getting scammed. In this case, if you are not sure whether the email from the so-called Maybank2U is authentic or not, then don't click, but call up Maybank yourself to confirm. That is the safer way.

Among the common phishing techniques are link manipulation, the use of images to fool anti-phishing filters, and fake websites, where, as shown above, the email link is made to appear to belong to Maybank2U.

One more common phishing technique is through the phone. There are a lot of cases in Malaysia where lots of people are getting scammed through the phone. The most common would be phone phishing in which the caller pretends to be from a financial institution to get credit card information.

Always remember to be skeptical and if you are unsure, just go to the official website or call up the legitimate centers to reconfirm. Alright?

With that, this post ends.


  1. Very useful, thank you.
    BTW can I put the article on my blog... all credit & source will link to your blog.

  2. very useful piece of info, thanks for the simulation and sharing!

  3. ahmad tarmizi: Yeah, you can put up the post if you give credit to where it is due... =)

    Spreading the awareness would educate ppl to avoid getting scammed.

    Nux V: You are welcome. Sharing is good mmmmkay. =)

  4. Hey this is a really good article. Unfortunately there are some people who really don't know even this sort of basic stuff.


  5. Thanks, sharing is good to create awareness so that people won't be scammed that easily.

