What is Phishing?
Phishing is a scam by which an Internet user is duped (as by a deceptive email message) into revealing personal or confidential information which the scammer (the sender of the deceptive email) can use illicitly.
I wrote an article about Smishing, which is similar to phishing, but instead of a scammer sending you an email, they send text messages to your smartphone.
Let’s Look at an Example Phishing Email
First Clue — the FROM field
You first see the descriptive text which says “verizon.net (Post)”, then you see the actual email address which is clearly not a Verizon email address.
Sometimes this address is not shown, just the descriptive text. You can move your mouse pointer over any field or link to see the actual information — don’t click, just hover. The information may pop up in what we call a tooltip, or you may see the information in the status bar of your web browser.
Second Clue — Subject & Message
Most legitimate companies, when contacting you, will use a subject line that describes what to expect inside the email. In this case, “Post mail” might cause most people to think of something arriving in “snail mail”. Why would Verizon send you an email about that?
The message is the tricky part:
- No internet service provider will send you an email about a password that is going to expire — especially on the same day as the email is being sent.
- No company will ever recommend that you keep using the same password. You should never reuse passwords for any account, anywhere.
- The blue “keep the same password” button is actually a link to a website that will look like your AOL login page and send your log-on information to the cybercriminals who sent you the email.
- The other links in the email will also not take you to AOL; they will go to the same malicious website that will continue with the ruse of convincing you to enter your information.
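The first clue (display name versus actual address) and the link clue above can be checked mechanically. As an added example that is not part of the original article, the Python below parses a constructed message modelled on the one described here; the brand list, sender address and link hosts are assumptions and placeholders, not real indicators.

```python
import email
import re
from email import policy

# Constructed sample modelled on the phishing email described above. The sender
# address and link hosts are placeholders (.test domains), not real indicators.
SAMPLE = """\
From: "verizon.net (Post)" <postmaster@mailer-example.test>
Subject: Post mail
Content-Type: text/html; charset=utf-8

<html><body>
<p>Your password expires today.</p>
<a href="http://login-verify.example.test/aol">keep the same password</a>
<a href="http://login-verify.example.test/help">AOL help center</a>
</body></html>
"""

# Brands the message claims to speak for (an assumption made for this example).
BRAND_DOMAINS = ("verizon.net", "aol.com")
# Good enough for a simple HTML body; a real scanner would use an HTML parser.
LINK_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.S | re.I)

def host_of(url):
    """Lower-cased hostname of an http(s) URL, or '' if the href is not one."""
    m = re.match(r"https?://([^/:?#]+)", url, re.I)
    return m.group(1).lower() if m else ""

def belongs_to(host, domain):
    return host == domain or host.endswith("." + domain)

def phishing_clues(raw):
    """Return human-readable clues found in a raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    clues = []
    sender = msg["From"].addresses[0]
    display, addr = sender.display_name, sender.addr_spec
    sender_domain = addr.rpartition("@")[2].lower()
    # First clue: the display name names a brand the real address is not from.
    for brand in BRAND_DOMAINS:
        if brand in display.lower() and not belongs_to(sender_domain, brand):
            clues.append(f"display name claims {brand} but address is {addr}")
    # Link clue: the anchor text may say AOL, but the href host tells the truth.
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        for href, text in LINK_RE.findall(body.get_content()):
            host = host_of(href)
            if not any(belongs_to(host, b) for b in BRAND_DOMAINS):
                clues.append(f"link '{text.strip()}' goes to {host}")
    return clues
```

Running `phishing_clues(SAMPLE)` reports the mismatched sender and both links pointing at a host outside the claimed brands; a message whose address and links actually belong to those domains produces no clues.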
Other Clues to Be on the Lookout For
- Personal or otherwise sensitive information is being requested
No matter how official an email message may seem, it’s always a bad sign if the email asks for personal or sensitive financial information. Your bank should already know your account number. Similarly, any reputable company should never send an email asking for your password, credit card number, or the answer to a security question. Nor will they include a link for you to log in. If they do include a link, don’t use it. Open your web browser and use a saved bookmark instead.
- Companies you do business with usually address you by your name
Phishing emails will usually use generic salutations, such as “Dear valued member,” or “Dear customer.” If a company you deal with is asking for information about your account, the email would call you by name and direct you to call the company directly. Some scammers skip the salutation altogether; this is more common with advertisements seemingly from a company you may deal with (travel coupons are a favorite among scammers).
- You didn’t initiate the action
If you get a message informing you that you have won a contest, but you didn’t enter any, then you can bet that the email is a scam. Another popular tactic is to say that an order you made recently has a problem, or cannot be delivered. Often these emails will have an attachment that is supposed to be your invoice or other important information. In reality, it’s typically malicious software or a keylogger. Don’t act on the email; if you made any orders recently, go back to the online store and check your account there.
- The email contains poor spelling and grammar
Normally, when large companies send out a message on behalf of the company as a whole, the message is reviewed for spelling, grammar, and legality. So if a message is filled with poor grammar or spelling mistakes, it probably didn’t come from a real company.
- Making unrealistic threats
Phishing scams always attempt to trick people into giving up money or their sensitive information. A common tactic is using intimidation to scare victims. If a message makes unrealistic threats, it’s probably a scam.
- The message appears to be from a government agency
Phishing emails that use intimidation don’t always pose as a bank. Sometimes they’ll send messages claiming to have come from the IRS, the FBI, or just about any other entity that might scare the average law-abiding citizen.
Here in the United States, government agencies don’t normally use email as an initial point of contact. Government agencies have specific protocols they must follow. Email-based extortion is not one of those protocols.