The term “Phishing” generally refers to an attempt by someone to gain access to personal information by posing as someone else. A common form of phishing is email phishing, often in the form of a notice or alert that claims to be from a person’s bank or credit card, telling them there is a problem and that they must sign in to clear it up. The email will look legitimate, complete with company logos, but the links they want you to click will send you to a fake website. As soon as the user “logs in” to this fake website, they’ve just given scammers access to their account.
While not all phishing scams are exactly alike, there are many common features that can easily identify them.
The first part of the scheme involves an email which is designed to look official. Sometimes the return address is obviously not from the company in question, while other times they’ll use a return address which actually points back to the real company. This is done to throw you off the scent, and in hopes you’ll click the fake link and not actually respond to the email. Today, we received a phishing email claiming to be from Citibank. The return address was email@example.com. That address looks legit, but there were other factors that tipped us off that this was a phishing scam… besides the fact that we don’t have a Citi account!
Most phishing emails will contain corporate logos to give the email a more realistic look. I’ve seen these come disguised as messages from banks, from Facebook, and even about World of Warcraft accounts. A phisherman can easily grab these logos from the internet, so don’t let official logos fool you.
There are many ways in which a phishing email will attempt to fool you into clicking their link. Sometimes it will just say “Click Here” and point you to a website that clearly isn’t official. Other ways include a misspelled variant of a company’s website, perhaps using a number instead of a letter, such as b0fa.com (using a zero instead of the letter “O”). A common technique is for an official URL to be displayed, while the actual link takes you somewhere else. In our Citibank phishing article, we pointed out that the link being displayed read https://online.citibank.com, while the actual link took you to a page on ngiom.com. Another common method is to use official-looking subdomains. So, for example, a link may read citibank.xyz.com. Clicking that link will take you to xyz.com, not citibank.com. Phishing relies on this confusion to fool you into clicking the link, especially when you’re in a hurry due to fake urgency.
Many phishing emails will tell you there is a problem that you must fix immediately. For example, a Citibank phishing email we received today read:
> We recently have determined that different computers have logged on to your Online Banking account and multiple password failures were present before logons.
>
> We now need to re-confirm your account information with us.
>
> If this is not completed by June 10, 2012 we will be forced to suspend your account indefinitely, as it may have been used for fraudulent purposes.
This creates a false sense of urgency, which leads a consumer to forgo good judgement in order to “fix” the problem. Those unaware of phishing scams may read the text above, feel a sense of panic, and click the link without taking the time to think about whether the email is real. I’ve seen this type of urgency used in fake emails from banks, video games, Facebook and Twitter.
Once a person clicks on one of these phony links, they are often taken to a website that was created to look just like the original. Often an exact replica of the company’s website is created to make the user believe he or she is logging in to the original. There are actually apps out there now that allow phishing scams to be generated automatically.
Ideally, your email client’s spam filters will catch most phishing scams, but sometimes crafty phishing scams will use methods to get around filters, such as using an image of text instead of actual text. To an automated spam filter, such an email only appears to be an image and a link. The filters are unable to scan the image of text for signs of phishing.
Ways to Spot Phishing Scams
- Emails from real accounts will almost always address you by your real name or user name. Phishing emails almost never do. They may say “Dear customer” or not address you at all.
- Hover over the links. If you hover your mouse over a link in the email, the address the link actually points to will appear at the bottom of your browser or email client. Look at this address very carefully! If it’s not pointing to the exact URL of a known corporate website, it’s likely fake.
- If an email’s text is actually an image, it’s probably a phishing scam.
- Look closely at the return address. If it’s not from the company’s domain in question, it’s likely fake.
- If the email was spotted in your spam folder, most likely it’s there for a good reason!
- See the end of this article for a list of articles with specific examples and graphics for more info.
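The link tricks described above (displayed URL text that differs from the real target, a brand name used as a subdomain of an unrelated domain, a digit swapped for a letter) and the image-of-text trick can all be checked mechanically before anyone hovers over anything. The script below is an added example, not code from the original article: it parses a raw email, pulls every link out of the HTML body, and reports each tell it finds. The brand-domain list, the look-alike substitutions and both sample messages are constructed for the example (the hostnames ngiom.com and citibank.xyz.com are the ones quoted earlier in this article).

```python
"""Triage a raw email for the phishing tells described above (added example)."""
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed list of domains the sender might claim to be; maintain your own in practice.
KNOWN_BRAND_DOMAINS = {"citibank.com", "bankofamerica.com", "bofa.com",
                       "paypal.com", "wellsfargo.com"}
# Digit-for-letter substitutions to undo when looking for typosquatted hostnames.
LOOKALIKE = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})
# Anchor text that itself looks like a URL (so we can compare it to the real href).
URL_LIKE = re.compile(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?$", re.I)


class _AnchorImageCollector(HTMLParser):
    """Collects (href, visible text) for every <a>, plus image count and text length."""

    def __init__(self):
        super().__init__()
        self.links = []        # each entry is [href, visible text]
        self.images = 0
        self.text_chars = 0
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = [dict(attrs).get("href", ""), ""]
            self.links.append(self._current)
        elif tag == "img":
            self.images += 1

    def handle_endtag(self, tag):
        if tag == "a":
            self._current = None

    def handle_data(self, data):
        self.text_chars += len(data.strip())
        if self._current is not None:
            self._current[1] += data.strip()


def hostname_of(url_or_text: str) -> str:
    """Lower-case host of a URL, or of bare text such as 'online.citibank.com'."""
    candidate = url_or_text.strip()
    if "://" not in candidate:
        candidate = "http://" + candidate
    return (urlparse(candidate).hostname or "").lower()


def belongs_to(host: str, domain: str) -> bool:
    """True only for the domain itself or a real subdomain of it,
    so 'citibank.xyz.com' does NOT belong to 'citibank.com'."""
    return host == domain or host.endswith("." + domain)


def is_lookalike(host: str) -> bool:
    """True if undoing digit substitutions turns an unknown host into a known brand domain."""
    normalized = host.translate(LOOKALIKE)
    if normalized == host or any(belongs_to(host, d) for d in KNOWN_BRAND_DOMAINS):
        return False
    return any(belongs_to(normalized, d) for d in KNOWN_BRAND_DOMAINS)


def html_body(msg: Message) -> str:
    """Return the first text/html part of the message, decoded."""
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            raw = part.get_payload(decode=True)
            return raw.decode(part.get_content_charset() or "utf-8", "replace")
    return ""


def analyze(raw_message: str) -> list[str]:
    """Return human-readable warnings; an empty list means no tell was found."""
    msg = message_from_string(raw_message)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    collector = _AnchorImageCollector()
    collector.feed(html_body(msg))
    warnings = []
    # A From address outside every brand domain is a tell (a matching one proves nothing).
    if from_domain and not any(belongs_to(from_domain, d) for d in KNOWN_BRAND_DOMAINS):
        warnings.append(f"From address domain '{from_domain}' is not a known brand domain")
    for href, text in collector.links:
        target = hostname_of(href)
        shown = hostname_of(text) if URL_LIKE.match(text) else ""
        if shown and shown != target:   # displayed URL and real target disagree
            warnings.append(f"link text shows '{shown}' but points to '{target}'")
        for brand in sorted(KNOWN_BRAND_DOMAINS):   # brand name used as a subdomain elsewhere
            label = brand.split(".")[0]
            if label in target and not belongs_to(target, brand):
                warnings.append(f"'{target}' uses the '{label}' name but is not under {brand}")
        if is_lookalike(target):
            warnings.append(f"'{target}' is a digit-for-letter look-alike of a known brand domain")
    # Almost no text but an image and a link: nothing for a text filter to scan.
    if collector.images and collector.text_chars < 40:
        warnings.append("body is essentially an image plus a link (image-of-text evasion)")
    return warnings


# Constructed sample messages for illustration.
SAMPLE_EMAIL = """\
From: Citibank Security <alerts@citibank.com>
Subject: Action required
Content-Type: text/html

<html><body>
<p>We now need to re-confirm your account information with us.</p>
<a href="http://ngiom.com/login">https://online.citibank.com</a>
<a href="http://citibank.xyz.com/verify">Click Here</a>
</body></html>
"""
IMAGE_ONLY_EMAIL = """\
From: Security <alerts@b0fa.com>
Content-Type: text/html

<html><body><a href="http://b0fa.com/login"><img src="cid:notice"></a></body></html>
"""

if __name__ == "__main__":
    for sample in (SAMPLE_EMAIL, IMAGE_ONLY_EMAIL):
        for line in analyze(sample):
            print("WARNING:", line)
        print("---")
```

Note that the first sample passes the From-address check, exactly as the Citibank email described earlier did, and is caught only by inspecting where its links really go; the second is flagged three times (unknown sender domain, look-alike hostname, image-only body). Each check is a heuristic and a clean result is not proof of legitimacy.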
What to do
First of all, do NOT click the link! Either delete the email, or report it. If you wish to report a suspicious email, forward it to the company being spoofed. Many larger companies have resources set aside to investigate these incidents, such as the addresses below.
- Bank of America: firstname.lastname@example.org
- Citibank: email@example.com
- Paypal: firstname.lastname@example.org
- Wells Fargo: email@example.com
You can also report any suspected phishing scam here.
If you aren’t sure whether or not an email is legit, simply open a web browser and log on to the corporate website which you are sure is legit. If there are any notifications for you, they will be found there. You can also pick up the phone and call their known national 800 number and ask them if there are any problems with your account.
If you suspect you may have inadvertently handed over your username and password to a phishing scam, call the bank or entity in question immediately and tell them.
Specific Phishing Scams