My wife has a quip about leftovers, especially those found in the far back
reaches of the refrigerator that goes, “If it doesn’t smell quite right, it’s
probably rotten.”
In many ways, this also holds true of some email we receive
urging us to verify or update online account information. Truth be told, most if
not all of these requests are nothing more than “phishing” scams.
Phishing is an email scam that attempts to trick you, me, and millions of other
consumers into revealing our personal information, such as credit or debit
account numbers, checking account information, Social Security numbers, or
banking account passwords, through fake websites or in a reply email. Legitimate
businesses will never ask their customers to update their personal or
account information via web links contained within emails.
So what does email associated with a phishing scam actually smell like? Well, in
the name of professional decency I won’t try to relate it to the literal smell
you may think, but here are some things to sniff out in an email asking for
personal information.
Subject Line
The first thing to take notice of is the subject line. Email subjects such as
'IMPORTANT - Account Verification', 'Update Your Account', or 'Account
Suspension Notice!' should raise immediate suspicion and put you on guard.
Reputable financial institutions will never ask their customers to update
their account information via web links contained within emails. If you receive
email with a subject line similar to one of these, smell a little closer.
Wording
The actual wording within an email that seeks personal information can be
another strong indicator that something isn’t quite right. Specific examples of
suspicious wording include:
- Email that doesn’t cite you specifically by name but instead as ‘Dear Valued
Customer’ or ‘Attention [insert company name] Account Holder’, etc. Wouldn’t you
address your customers by name?
- Warns that you have been the victim of fraud or that your account will be
closed unless you respond quickly. A legitimate business would phone an account
holder to notify them of fraud.
- Has spelling or grammatical errors you wouldn't expect a professional
business to make.
- Fails to confirm the company does business with you, such as referencing a
partial account number.
If any of these are present, it’s a near certainty that rotten "phish" is
afoot.
Masked Links
Another test to distinguish between a possible but unlikely legitimate email and
one that’s part of a phishing scam is in the links you’re urged to click on.
These links may contain all or part of a real company's name but are usually
"masked," meaning that the link you see does not take you to that address but
rather to a phony website.
For example, place your cursor on the following fictional link to the fictional
Bank of Somewhere:
www.bankofsomewhere.com/accounts/verification.html.
Note the real link address in the lower left corner of your browser screen:
http://192.168.0.1/bos/account.html. If you were to click on this link, you’d be
taken to this cryptic address instead of the Bank of Somewhere. This is
certainly a phony website and an attempt to part you and your money, or worse –
your identity. Again, reputable financial institutions will never ask their
customers to update their account information via web links contained within
emails.
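The same hover test can be run automatically over the HTML body of a message. The Python below is an added example, not part of the original article: the names audit_links and LinkAuditor are illustrative, and the sample message is constructed from the fictional Bank of Somewhere link above. It reports any link whose visible text names one site while the underlying address goes somewhere else, or whose address is a bare IP number.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Visible link text that itself looks like a web address, e.g. "www.example.com/x".
URLISH = re.compile(r"^(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})(?:[/:?#].*)?$", re.I)
IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")  # host written as a dotted-quad address

def host_of(url):
    """Lower-cased host of a URL, or '' if it cannot be parsed."""
    try:
        return (urlparse(url if "://" in url else "http://" + url).hostname or "").lower()
    except ValueError:
        return ""

class LinkAuditor(HTMLParser):
    """Record (text, href, reasons) for each <a> whose target looks masked."""
    def __init__(self):
        super().__init__()
        self.findings, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag != "a" or self._href is None:
            return
        text, href, self._href = "".join(self._text).strip(), self._href, None
        target, reasons, shown = host_of(href), [], URLISH.match(text)
        if IPV4.match(target):
            reasons.append("link points to a bare IP address")
        # Exact host comparison, ignoring a leading "www."; any difference is reported.
        if shown and shown.group(1).lower().removeprefix("www.") != target.removeprefix("www."):
            reasons.append(f"text shows {shown.group(1)} but link goes to {target}")
        if reasons:
            self.findings.append((text, href, reasons))

def audit_links(html):
    auditor = LinkAuditor()
    auditor.feed(html)
    return auditor.findings

# Constructed sample: the article's fictional masked link plus one honest link.
SAMPLE = ('<a href="http://192.168.0.1/bos/account.html">www.bankofsomewhere.com/accounts/verification.html</a>'
          '<a href="https://www.bankofsomewhere.com/login">bankofsomewhere.com</a>')
```

Because the comparison is exact, a link to a genuine sub-domain of the named site is also reported and needs a human look.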
Here are a couple more tips to avoid becoming the victim of a phishing scam.
Do the Typing Yourself
If you do need to verify your account information, type the address directly
into the address bar of your web browser instead of clicking on any link
contained in an email message.
Check the Security Certificate
Before you enter personal or financial information into a website, check the
security certificate to make sure the site is secure. In Internet Explorer, you
can do this by checking the yellow lock icon on the status bar.
The closed lock icon signifies that the website uses encryption
to help protect any sensitive, personal information that you enter, such as your
credit card number, Social Security number, or payment details. It's important
to note that this symbol doesn't need to appear on every page of a site, only on
those pages that request personal information.
Unfortunately, even the lock symbol can be faked. To help
increase your safety, double-click the lock icon to display the security
certificate for the site. The name following "Issued to" should match the
name of the site. If the name differs, you may be on a fake site, also called a
"spoofed" site. If you're not sure whether a certificate is legitimate, don't
enter any personal information. Play it safe and leave.
Beware of Pop-Up Windows
One common phishing technique is to launch a fake pop-up window when someone
clicks on a link in a phishing email message. To make the pop-up window look
more convincing, it may be displayed over a window you trust. Even if the pop-up
window looks official or claims to be secure, you should avoid entering
sensitive information, because there is no way to check the security
certificate. Close pop-up windows by clicking on the red X in the top right
corner (a "cancel" button may not work as you'd expect).
If you suspect you may have received phishing email designed to steal your
identity, report the email to the faked or "spoofed" organization. Contact the
organization directly—not through the email you received—and ask for
confirmation. If it makes you more comfortable, call the organization's toll
free number (if one exists) and speak to a customer service representative.
Remember, whether it’s leftovers in the refrigerator or email in your inbox,
if it doesn’t smell quite right, it’s probably rotten.