You’ve become accustomed to deleting ridiculous Nigerian money scams and all those spam messages promising to help you lose 50 pounds in five days, but this message looks different; it has the eBay logo and uses the same fonts as eBay’s site. It contains links to eBay pages and is professionally written. It’s telling you your account has been associated with fraudulent activity and is about to be suspended unless you can provide some personal details to prove that everything is on the up-and-up.
As official as an email like this looks, don’t take the bait. Millions of consumers rely on the Internet to shop, pay bills, and manage their financial accounts, and a new generation of scam artists is using a combination of social engineering and technological savvy to bilk unwary consumers out of their money or steal their identities. This practice is called phishing (short for password harvesting fishing), and although the techniques used in this type of scam are timeless, the Internet has provided phishers with a vast ocean in which they can cast their nets.
Phishing emails differ in their specifics, but they all share a few common traits. First, they appear to come from a legitimate company, using the same graphics you’d expect to see at that company’s site. Second, they try to create a sense of urgency, telling recipients that their accounts are about to be suspended or are otherwise experiencing major problems. Third, these emails contain forms or links to forms where users are supposed to enter personal information, such as an account password or a credit card number. Once you enter the data in the form and click Submit, it is sent to the scammer’s computer and he can use it to steal from you.
Phishing scam artists consistently come up with ever-more-elaborate schemes to ply their illegal trade, but by following a few simple rules, you can play detective and catch them in the act instead of becoming their next victim.
Rule #1: Pay Attention To URLs
URLs (uniform resource locators) are the characters you enter in a browser’s address bar to visit a particular site, and a favorite trick among phishing scammers is to make users think they are going to one URL when they really are visiting another URL.
URLs can tell you a lot about the site you are visiting. The URL for our Web site, for example, is http://www.smartcomputing.com. The “.com” portion is the top-level domain (also called the domain extension), telling you what type of site it is. For example, “.com” is mainly used for commercial Web sites, whereas “.edu” is for educational institutions and “.org” is for nonprofit organizations. The companies most commonly targeted by phishing scammers use “.com” top-level domains, so if you see a URL such as “http://www.ebay.org” or “http://www.citibank.edu” linked to a spam email, it’s likely a site set up by a scam artist.
The most important part of the URL as far as detecting a phishing site is concerned is the domain name, which is the text to the left of the top-level domain (such as “smartcomputing” in our example). All content at the Smart Computing Web site is accessible via the “smartcomputing.com” domain name, so any additional text between the domain name and the top-level domain name should raise a red flag.
For example, a Web page located at “http://www.smartcomputing.scammer.com” is located at the domain name “scammer.com,” and a page at “http://www.ebay.customerservice.com” is actually located at the domain name “customerservice.com,” not at “ebay.com.” Any text that appears to the left of the domain name is a subdomain associated with the main domain. In the examples we just provided, “smartcomputing” is a subdomain of “scammer.com,” and “ebay” is a subdomain of “customerservice.com.” Ignore subdomains and focus on the domain name when determining whether a link or URL is legitimate. Hyphens and symbols such as @ also are used to make a phish site’s URL look more legitimate, so watch for those, too.
Take the guesswork out of deciphering Web addresses by using a utility such as SpoofStick (free; http://www.corestreet.com/spoofstick). Here, you see that SpoofStick’s bar within the browser interface states “You’re on ebay.com.”
Unfortunately, some scammers have figured out how to use a sophisticated exploit that displays a fake address bar (containing a legitimate-looking address that doesn’t arouse suspicion) in a Web browser window, so other steps are necessary to fully protect yourself.
Rule #2: Watch The Padlock
All popular browsers display padlock icons when users visit secure sites; these icons are generally in the lower-right corner of the browser window. When users visit secure sites, or secure portions of sites after they’ve logged in, the padlock icon appears and the URL in the address bar begins with “https:” instead of the usual “http:” we see. Knowing this, if you ever see “https:” in the address bar but don’t see a padlock icon displayed, the page isn’t secure and it’s likely you’re visiting a phishing site, so don’t fill anything out or click any links.
However, even this method isn’t foolproof, as scam artists have figured out ways to forge padlock icons, so be sure to follow the other rules we cover for maximum protection.
Rule #3: Type, Don’t Click
The Internet has conditioned us to click hyperlinks to open new pages, but don’t let that habit get the best of you when a seemingly urgent email arrives. One of the main techniques phishing scammers use to lull users into a false sense of security is to put links in an email that look like they point to a legit company site when they actually point to a phishing site. This is called link masking, and it’s easy to spot and avoid if you know what to look for.
Most email apps let users hover a mouse pointer over a link to see a pop-up window displaying the actual link. For example, a scammer might send an email that has a “http://www.paypal.com” link, but when you place the pointer over the link, the pop-up window reads “http://www.paypal.phishsite.com.” Of course, you should avoid clicking that link.
Also, most phishing sites use IP (Internet Protocol) addresses (such as 220.127.116.11) instead of domain names, so if you hover the pointer over a link and see a string of numbers, the link probably points to a phishing site. Instead of clicking links in emails, type their URLs into your browser’s address bar, but only do so if the links use the proper company domain name.
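The checks from Rule #1 (domain name versus subdomain, “@” tricks, wrong top-level domain) and Rule #3 (masked links and bare IP addresses) can be written down as a small link checker. This is an added example, not code from the article or from SpoofStick; the brand list is constructed for the example, and it takes the last two labels of a host as the domain name, which is enough for the “.com”/“.org”/“.edu” addresses discussed above.

```python
from urllib.parse import urlsplit
import ipaddress

# Brands and the domain each one legitimately uses (constructed list for this
# example; the article notes that the targeted companies all use ".com").
KNOWN_BRANDS = {
    "ebay": "ebay.com",
    "paypal": "paypal.com",
    "citibank": "citibank.com",
    "smartcomputing": "smartcomputing.com",
}


def registrable_domain(host):
    """Domain name plus top-level domain, i.e. the last two labels of the host.

    Everything left of these labels is a subdomain and is ignored, as Rule #1
    advises. Country-code suffixes such as .co.uk would need a public-suffix list.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_ip_address(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def check_link(href, displayed=""):
    """Return the red flags found in a link; an empty list means none were found.

    href is the real target (what the hover pop-up shows); displayed is the
    link text as it appears in the email, if it looks like a URL.
    """
    flags = []
    parts = urlsplit(href)
    host = (parts.hostname or "").lower()
    netloc = parts.netloc.lower()
    if "@" in netloc:
        flags.append("'@' in address: text before it is a username, not the site")
    if is_ip_address(host):
        flags.append("host is an IP address, not a domain name")
        return flags
    domain = registrable_domain(host)
    for brand, legit in KNOWN_BRANDS.items():
        # Brand name used as a subdomain, hyphenated name or wrong top-level domain.
        if brand in netloc and domain != legit:
            flags.append(f"'{brand}' appears in the address but the domain is {domain}")
    if displayed.startswith("http"):
        shown = registrable_domain((urlsplit(displayed).hostname or "").lower())
        if shown != domain:
            flags.append(f"link text shows {shown} but the link points to {domain}")
    return flags
```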
Rule #4: Notice Login Inconsistencies
Some scammers cover their tracks by sending victims to the legitimate company sites after collecting personal information. Common examples of this are phishing sites that ask users to enter usernames and passwords they would use to log in at legitimate sites, and then automatically connect users to those sites after collecting their valuable login information.
If you ever attempt to log in to a legitimate account after following a hyperlink in an email, and the Web site rejects your login information even though you typed it correctly, it’s likely you’ve just been scammed. Contact the legitimate company that the phishing scammer pretended to represent to let it know what happened and change your login password immediately.
Rule #5: Protect Bank Account Data At All Costs
It’s bad when scammers gain access to your credit card accounts, but at least these accounts are protected to the point where victims are liable for only a maximum of $50. Debit card and bank accounts often don’t have this level of protection, so never divulge bank account information in response to an email.
Rule #6: Keep Personal Info Personal
If you take nothing else away from this article, remember this: Legitimate companies never should ask for personal info via email (and if they do, they’re not worth doing business with anyway). Never fill out a form via an email, and never blindly follow links embedded in emails—no matter how official they appear to be. Scammers rely on input from you to do their work, so by trusting your instincts and never responding to emails that ask for personal information, you can force these jerks to find real jobs and earn their own money.