Phishing is a form of Internet fraud that involves tricking the victim into divulging sensitive personal data such as login information (usernames and passwords), bank account numbers, credit card numbers and security codes, and so on.
A typical phishing message will almost always include a link to a bogus web site which attempts to imitate the real web site that the victim expects to see. These web sites range in quality from unbelievably lame copies to exact replicas and everything in between. What they all have in common is a form that allows the victim to submit private information.
Occasionally, and mostly with Phishing attacks that are trying to gain access to your email account, the email message itself will claim to be an official form that you are supposed to fill out and return by email.
The object of the game is to get the victim (you) to go to the web site and enter the data the phisher wants to collect. If you take the bait the phisher wins. If you recognize the message as a scam and delete it, you win.
What Types of Accounts Are Phished?
Phishing is not just used to acquire explicitly financial information. We’ve seen phishing attempts for all of the following (just to name a few):
- Banks and Credit Card Companies
- The IRS and other Government Agencies
- Gmail, Yahoo! and other Email Hosts
- Online Games (especially Gambling)
- PayPal, Google Cart, Authorize.Net and similar Merchant Services
- Internet Domain Registrars like GoDaddy and Network Solutions
- Amazon, eBay, Facebook, Twitter, Craigslist, Vonage and Wikipedia
- WordPress and other Blogging Tools
- Professional Organizations
The list of targets is endless so don’t trust an email just because it’s not from your bank. Be suspicious of anything that wants you to provide information that you would normally keep secret.
The Usual Advice
Before we go any further we have to make sure you’re familiar with the usual advice for phishing avoidance.
- Don’t click links or call phone numbers in Internet messages (email, chat, etc.) to get to login forms. Visit the web site directly and find the login page from there or use a phone number from a statement or other official document to call the company in question.
- Don’t email sensitive information. Email is not a secure form of communication. Only provide information through secure web forms (you should see both https:// in the address bar of your browser as well as the lock icon or whatever your browser uses to indicate a secure connection) or use a telephone (preferably a wired land line if you have such a thing.)
- Don’t give out sensitive information that the company should already have. Nobody is going to ask you to confirm your username and password or to provide your full name. If they’re already doing business with you they already know these things.
- Never fill out forms in email messages. This goes for both HTML forms and hand typed forms (e.g. Name:…..). See all of the above.
If all you get from this article is the items above you’ll be fairly safe. But if you’re interested in getting really savvy about phishing, keep reading.
Spotting Identity Thieves
The trick to staying off the phishing hook is being cautious and knowing how to recognize bogus email when you see it. Most of the time this is pretty easy.
Note: The items below are mostly positive indicators meaning that their absence does not prove the email’s authenticity. Very sophisticated phishing attacks will exhibit none of these telltales.
Check the From:
Any good phishing artist will spoof the From: address so it looks like it comes from the institution's own domain instead of from whatever account the message was really sent from. (More on this below.) However, not all phishing practitioners are artists. A lot of them are really bad at what they do. Consequently, spotting random, not-at-all-official-looking addresses in the message's From: field can tip you off right away, especially since most email clients display this information before you actually open the message.
Urgency
Phishers try to force you to act by creating false urgency. They will often claim that your account will be closed if you don't respond within some very short time frame. This works because real institutions do this too.
Threats
Threats go hand in hand with urgency. Urgency only works if failing to respond quickly results in some dire consequence. Thus the claim that your account will be closed or your property will be seized if you don't respond yesterday.
Bad Spelling and Grammar
Real businesses generally use decent grammar and spelling in their official emails. If the message is poorly written with numerous spelling, usage, capitalization and other errors it's a strong sign of fraud.
Poor Quality HTML
This mainly applies to larger institutions like Amazon or PayPal. Big companies pay a lot of money to make all of their communications look good. If you get an email that tries to say it’s from CitiBank and the layout looks like crap it’s not because they’re having a bad hair day.
Odd Greetings
Many phishing messages are written by people who are not native speakers of the language, or who are not familiar with current business practices in the country they are targeting. Therefore you're likely to see something like "Esteemed Customer" or "Honored Sir" instead of the usual "Dear Customer".
Phone Numbers With Country Codes
Not all phishing messages tempt you with links, sometimes they ask you to call them. Or they may do both. In any case, phone numbers with country codes are particularly suspicious. A country code alone is unusual enough to worry about but finding one that resolves to Nigeria or Russia in an email from craigslist is a dead giveaway.
Taking It Up A Notch
The following items require a bit more effort and skill with a computer but if you learn to use them they can be immensely helpful in spotting more sophisticated phishing attempts.
Link Stealth Techniques
To get you to go to a bogus web site, the phisher has to provide you with a link that will take you there. Most of the time these links are connected to text like “Sign-In”, “Update your account” or something similar. The trick is to know how to find out where links really go. This is something that is very difficult to hide so it requires extra trickiness on the part of phishers.
To find out where a link goes, all you have to do is hover your mouse over the link and look at the status bar at the bottom of your browser or email client; most programs show the real destination there, even when the visible text says something else. (If your browser's status bar isn't showing, look for it under the View menu.) This is a problem for phishers so they use a couple of tricks to fake you out if you know how to see where links go.
- Sneaky domain names – The part of a domain name that matters is on the right. In bankofamerica.com.phishing.org the owner is phishing.org, and bankofamerica.com is just a subdomain the phisher chose, but the first thing you see is bankofamerica.com. They do this one a lot.
- Sneaky file names – Everything after the host name in a URL is just a path on the phisher's own server, so you might also see myphishingdomain.com/bankofamerica.com/login. The domain is still myphishingdomain.com no matter what they call their files.
- Hiding in plain sight – Many legitimate organizations will include fully qualified links like http://www.legit.biz/index.html in an attempt to be less phishable. This is great if they’re not linked. Unfortunately, cutting and pasting a link to the browser’s address bar is a lot to expect of everyone using the Internet so they’ll often include a link. This allows phishers to use the tricks above but with the expectation that you’ll trust the link because the text looks like a legitimate link. Super sneaky.
Hovering over links to see where they go is an excellent tool for avoiding fake websites with one caveat: Sometimes banks and other institutions use third party processing services or register separate domains for their financial services divisions, so a legitimate email can link to a domain you don't recognize. If your bank is doing this they're asking to be phished. Look up their phone number and call them; never trust their emails.
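The three link tricks above can be checked mechanically. The following Python script is an added example, not code from the original post or from OnlyMyEmail: it pulls every link out of an HTML message body, compares where the link really goes against a hypothetical list of domains the institution is known to use (TRUSTED_DOMAINS, an assumption), and flags a trusted name that appears as a subdomain of something else, in the path, or in the visible link text while the real target is elsewhere. The sample message body is constructed for the example, and the tiny PUBLIC_SUFFIXES set stands in for the real Public Suffix List.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical: domains the real institution is known to use. Build this from the
# institution's own web site or statements, never from the email you are checking.
TRUSTED_DOMAINS = {"bankofamerica.com"}

# Tiny stand-in for the Public Suffix List, so that example.co.uk keeps three labels.
PUBLIC_SUFFIXES = {"co.uk", "com.au", "co.jp"}


def registrable_domain(host):
    """The right-hand labels that identify who owns a host name.

    bankofamerica.com.phishing.org -> phishing.org; whatever sits to the left is
    just a subdomain the owner of phishing.org chose."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in PUBLIC_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def looks_like_url(text):
    return text.strip().lower().startswith(("http://", "https://", "www."))


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML message body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def analyze_link(href, text, trusted=TRUSTED_DOMAINS):
    """Return warning strings for one link; an empty list means nothing looked odd."""
    warnings = []
    parsed = urlparse(href)
    host = (parsed.hostname or "").lower()
    if not host:
        return [f"link has no host name: {href!r}"]
    actual = registrable_domain(host)
    if actual in trusted:
        return warnings  # really goes to the institution; nothing below applies
    warnings.append(f"link really goes to {actual}")
    for t in trusted:
        # Sneaky domain name: the trusted name used as a subdomain of something else.
        if t in host:
            warnings.append(f"trusted name {t} appears inside host {host}")
        # Sneaky file name: the trusted name hidden in the path, where it means nothing.
        if t in parsed.path.lower():
            warnings.append(f"trusted name {t} appears in the path of {host}")
    # Hiding in plain sight: the visible text is a URL that disagrees with the real target.
    if looks_like_url(text):
        shown = text if "://" in text else "http://" + text
        shown_host = (urlparse(shown).hostname or "").lower()
        if shown_host and registrable_domain(shown_host) != actual:
            warnings.append(f"link text says {shown_host} but link goes to {host}")
    return warnings


def analyze_html(html):
    """(href, text, warnings) for each link in the message, in document order."""
    collector = LinkCollector()
    collector.feed(html)
    return [(href, text, analyze_link(href, text)) for href, text in collector.links]


# Constructed sample message body showing all three tricks plus one honest link.
SAMPLE_EMAIL = """<p>Dear Customer, please
<a href="http://bankofamerica.com.phishing.org/login">Sign-In</a> to update your account,
or visit <a href="http://myphishingdomain.com/bankofamerica.com/login">http://www.bankofamerica.com/</a>.
Questions? See <a href="https://www.bankofamerica.com/help">our help page</a>.</p>"""

if __name__ == "__main__":
    for href, text, warnings in analyze_html(SAMPLE_EMAIL):
        print(f"{text!r} -> {href}")
        for w in warnings:
            print("   !", w)
```

Run against the sample, the first two links each produce warnings and the honest link to www.bankofamerica.com produces none. The caveat above still applies: a link to an unfamiliar third-party domain is an indicator, not proof, which is exactly why the script reports warnings rather than a verdict.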
Spoofed From: Addresses
Another interesting feature of the way email currently works is that it's really easy to fake the From: address. Therefore, checking the From: address in an official-looking email is seldom helpful (unless you're dealing with a lame phishing attempt as noted above). To detect spoofing you have to look at the message headers, in particular the Received: lines added by your own mail provider, which record where the message actually came from. (We'll write a more detailed post about message headers soon.) Proven spoofing is conclusive evidence that an email is fraudulent, but it takes effort and knowledge to prove it. We think it's fun but then we're in the spam filtering business.
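As an added example (not code from the original post or from OnlyMyEmail), here is the kind of header comparison the paragraph above describes, in Python's standard email module. It takes a raw message, reads the domain the From: line claims, and compares it with the domain in Return-Path: (where bounces would go) and with the host named in the earliest Received: line (the bottom one, since each relay prepends its own). The sample message is constructed for this example; the domains in it are hypothetical, and the two-label "parent domain" rule is a simplification of the Public Suffix List.

```python
import email
import re
from email.utils import parseaddr

# Constructed sample: the From: line claims the bank, but the envelope sender
# (Return-Path) and the first server that handled the message tell another story.
SAMPLE_MESSAGE = """\
Return-Path: <bounce@mail.example-phisher.net>
Received: from mx.yourprovider.example (mx.yourprovider.example [203.0.113.5])
        by inbox.yourprovider.example; Mon, 01 Jan 2024 10:00:02 +0000
Received: from mail.example-phisher.net (mail.example-phisher.net [198.51.100.7])
        by mx.yourprovider.example; Mon, 01 Jan 2024 10:00:01 +0000
From: "Bank of America" <service@bankofamerica.com>
To: you@yourprovider.example
Subject: Your account will be closed

Body text.
"""


def header_domain(msg, name):
    """Domain of the address in a header such as From: or Return-Path:, '' if absent."""
    _, addr = parseaddr(msg.get(name, ""))
    return addr.rpartition("@")[2].lower()


def first_hop(msg):
    """Host named in the earliest Received: header (the last one in the list)."""
    received = msg.get_all("Received") or []
    if not received:
        return ""
    m = re.match(r"\s*from\s+(\S+)", received[-1])
    return m.group(1).lower() if m else ""


def parent_domain(host):
    # Simplification: keep the last two labels (a real tool consults the Public Suffix List).
    return ".".join(host.rstrip(".").split(".")[-2:])


def spoof_indicators(raw):
    """Return a list of mismatches between what From: claims and what the headers record."""
    msg = email.message_from_string(raw)
    claimed = header_domain(msg, "From")
    findings = []
    bounce = header_domain(msg, "Return-Path")
    if bounce and parent_domain(bounce) != claimed:
        findings.append(f"From: claims {claimed} but bounces go to {bounce}")
    hop = first_hop(msg)
    if hop and parent_domain(hop) != claimed:
        findings.append(f"From: claims {claimed} but the message first came from {hop}")
    return findings


if __name__ == "__main__":
    for finding in spoof_indicators(SAMPLE_MESSAGE):
        print("!", finding)
```

Two things to keep in mind when reading the output. Received: lines added before the message reached your own provider can be forged just like From:, so the trustworthy line is the one your provider added, and a mismatch is an indicator rather than proof, because legitimate senders do use third-party mailing services. Where your provider adds an Authentication-Results: header recording SPF, DKIM and DMARC outcomes, that line is the first place to look.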
Secure Connections
Secure Sockets Layer (SSL), today replaced by its successor TLS, is how browsers and servers exchange information privately. Using it requires a certificate issued for the site's host name, and not every phisher bothers to get one. Consequently, something to look for if you actually visit websites linked from emails (generally not a good idea) is a secure connection. If you don't see https:// in your browser's address bar you can eliminate the site immediately.
However, just having https:// in the URL is not enough. Some phishing sites accept encrypted connections backed by a certificate that is self-signed, expired or issued for a different host name. Your browser will detect this and warn you; never click through such a warning to a site you reached from an email. (How browsers indicate an encrypted connection varies so you should make it a point to learn how to tell if you have a secure connection.)
It is also possible, and increasingly common, that the phisher DOES have a valid certificate: certificates are cheap or free, and a valid one proves only that the connection is encrypted, not that the site belongs to who it claims. Don't assume that a site is safe because your browser says it's secure. Check the URL and apply all of the other tips above as well.
This post lists several ways to identify bogus emails. Armed with this knowledge you will be able to confidently avoid most of the identity theft traps that land in your email. There will still be a few that you will be unsure about and for these remember the two cardinal rules of phishing avoidance:
- Never contact an institution asking for private information using the links, addresses, phone numbers or anything else provided in the email itself. Always look up their contact info yourself.
- Don’t provide sensitive information using email at all and only provide it using secure web forms if you have followed rule one and contacted them to verify the authenticity of the email.
OnlyMyEmail is an award winning hosted spam filtering service and business email hosting provider. Our enterprise cloud computing anti-spam solution, the MX-Defender, has the highest capture rate of any spam filter ever tested in the VBSpam Challenge, blocking a record setting 99.9993% of all malicious and junk email.