It seems like there’s almost no limit to ways you can have your identity stolen on the Internet. The truth is that most scams are pretty similar. The most common come in the form of something known in the cybercrime world as phishing. Like real fishing, phishing is the process of putting out bait, hoping to entice prey to bite. In this case, the bait is an e-mail message from a company you trust. The prey, of course, is you.
Since most phishing attacks come from e-mail messages, a good spam filter can do a lot to keep you protected. No spam filter is one hundred percent effective, and there are plenty of other phishing attack vectors (such as Twitter, Facebook, and even the telephone), so it’s a good idea to know how to spot a phishing attack. It’s really not hard; it just takes some common sense, and a little bit of knowledge. You probably already have the common sense. Here comes the knowledge.
A phishing attack begins with an e-mail message (usually) that purports to be from a company you already do business with. Often, it will be a bank. People are always concerned about their money, and scammers know that you’ll pay attention when you get a message from your bank. Of course, the message isn’t really from your bank, but it sure looks like it. In addition to banking sites, social networks (Facebook, Twitter), e-mail providers (Gmail, Yahoo), and retail sites (like Amazon) are also popular with scammers.
The Web site ConsumerFraudReporting.org has a good collection of sample phishing e-mails. Most of them look very legitimate, like they were actually sent to you by Bank of America, or Amazon.com, or PayPal, or any number of reputable businesses. Here’s what separates the bad from the good:
If you get an e-mail message from Facebook, the e-mail address in the From field had better have “@facebook.com” at the end of it. If it doesn’t, it may not be legit. Many companies use third-party services to send marketing e-mails, so the domain name may not match. Marketing e-mails won’t ask you for personal information, though. Click here for more information about recognizing domain names.
Even if the e-mail address looks legit, that’s not a guarantee that the message is OK. Here are some more tip-offs that the message is a scam.
Sometimes, scammers, rather than trying to convince you their message came from someplace you trust, go the more obscure route, and don’t include any identifying information. If you get a message that says something about “your account” but isn’t clear about which account they’re talking about, just delete it. It’s a scam.
If the message reads like the assembly instructions for a cheap bookshelf, it’s probably a scam. Anyone can confuse their for there, or its for it’s, but if the writer wouldn’t pass seventh-grade English class, you can bet he doesn’t work in the communications department of a major company.
Convenient Problems: “Due to an error . . .”
In order to work, a phishing attack has to get you to enter personal information into the scammer’s Web site. One popular ploy is to write something like, “While performing maintenance on our servers, we noticed an error in your account. Please click here to log on and verify your information.” No legitimate Web site will ever send this sort of message. You will never be asked to log in to correct an error.
Threats: “If you don’t log in, we’ll delete your account.”
Another tactic common in phishing attacks is to threaten to delete your account unless you log in within so many days. Legitimate sites don’t do this.
Garden Path Links
The text of a link in an e-mail message (or on a Web site) doesn’t have to match the address that it takes you to. For example: http://www.youtube.com. It looks like that link would take you to YouTube, but it really takes you somewhere much more interesting. Before clicking on any link in an e-mail message, pause the mouse over it. You should see a box pop up that lists the actual target of the link. If it doesn’t look right, don’t click it.
Here’s an example of what you’ll see when you pause the mouse over a link. Notice that the domain name (which I’ve highlighted on the image) does not match the sender.
If the domain name in the link doesn’t match the purported sender, don’t click it! Click here for more information about recognizing domain names.
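The two checks described above (the From address should end in the company’s own domain, and a link’s visible text should match where it actually goes) can be automated. The following is an added example, not code from the original post; it uses only the Python standard library and runs over a constructed sample message in which the sender claims to be PayPal and the link text shows one address while the href points elsewhere. The registrable_domain helper is a deliberate simplification (last two labels of the host name); a real mail filter would use the Public Suffix List so that addresses like bank.co.uk are handled correctly.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (not from the original post). The From line
# claims to be PayPal but uses another domain, and the first link shows
# "https://www.paypal.com/" while its href goes to a different site: a
# garden path link. The second link is honest and should not be flagged.
SAMPLE_EMAIL = """\
From: "PayPal Service" <service@paypal-alerts.example.net>
To: you@example.com
Subject: Please verify your account
Content-Type: text/html

<html><body>
<p>While performing maintenance we noticed an error in your account.</p>
<p>Please log in here: <a href="http://paypal.com.account-check.example.net/login">https://www.paypal.com/</a></p>
<p>Questions? Visit <a href="https://www.paypal.com/help">our help center</a>.</p>
</body></html>
"""


def registrable_domain(host):
    """Return the last two labels of a host name, e.g. 'paypal.com' for
    'www.paypal.com' and 'example.net' for 'paypal.com.evil.example.net'.
    Simplification: a production filter would consult the Public Suffix
    List so that names such as 'bank.co.uk' are handled correctly."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


# Visible link text that itself looks like a web address.
URL_LIKE = re.compile(r"^(?:https?://)?(?:[\w-]+\.)+[a-z]{2,}(?:/\S*)?$", re.I)


def link_findings(html, claimed_domain):
    """Flag links whose visible text names one domain but whose href goes to
    another, and links that lead away from the purported sender's domain."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        target = registrable_domain(urlparse(href).hostname or "")
        shown = text if "://" in text else "http://" + text
        shown_dom = registrable_domain(urlparse(shown).hostname or "")
        if URL_LIKE.match(text) and shown_dom != target:
            findings.append(f"link text shows {shown_dom} but goes to {target}")
        elif target != claimed_domain:
            findings.append(f"link goes to {target}, not {claimed_domain}")
    return findings


def sender_finding(from_header, claimed_domain):
    """Compare the domain of the From address with the brand the message
    claims to come from; return a description of the mismatch or None."""
    _, addr = parseaddr(from_header)
    sender_dom = registrable_domain(addr.rpartition("@")[2])
    if sender_dom != claimed_domain:
        return f"From address is @{sender_dom}, not @{claimed_domain}"
    return None


def analyze(raw_email, claimed_domain):
    """Return a list of human-readable warnings for one raw e-mail message."""
    msg = message_from_string(raw_email)
    findings = []
    mismatch = sender_finding(msg["From"], claimed_domain)
    if mismatch:
        findings.append(mismatch)
    findings.extend(link_findings(msg.get_payload(), claimed_domain))
    return findings


if __name__ == "__main__":
    for warning in analyze(SAMPLE_EMAIL, "paypal.com"):
        print("WARNING:", warning)
```

Run against the sample, the script reports two warnings: the From address belongs to example.net rather than paypal.com, and the first link’s text shows paypal.com while its target is example.net. The honest help-center link produces no warning, which is the behaviour you want from a filter that is meant to catch garden path links rather than every link in a message.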
When All Else Fails
If an e-mail looks “phishy,” don’t click any links in it. If you think it might be legit, but you’re not sure, simply open a Web browser and type in the Web site address directly. For example, if you receive an e-mail that looks like it comes from PayPal, telling you that you need to update some information, just open your Web browser and type in “paypal.com”. That way, you know you’ll be going to the correct site, and not some scammer’s page somewhere. If the real PayPal doesn’t ask you to update information when you log on, the e-mail probably wasn’t legitimate.
You Just Had to Do It, Didn’t You?
You went ahead and clicked that link, anyway. Now you’ve got a Web page in front of you, and you’re not sure if it’s legit. Well, many of the tips that apply to e-mail messages apply to Web sites as well. Here’s a quiz (created by DNS provider OpenDNS.org) to test your ability to spot a scam Web site.
If you saw an interesting link above, but didn’t want to stop reading to click it, here’s a list:
- ConsumerFraudReporting.org, collection of sample phishing e-mail messages.
- How to Recognize Domain Names in a Web address. (It might be harder than you think.)
- Test your ability to spot a scam Web site.