The most common form of online fraud is what is known as “phishing.” It typically involves sending fake email messages designed to trick people into providing personal information (usernames, passwords, credit card details, etc.) for the purpose of committing identity theft and/or other crimes.
Also known as Brand Spoofing, these email messages (and often the websites they link to) go to great lengths to look as if they really come from a bank, financial services company, or other business where you might have an account. It is now common for the emails and associated websites to use the corporate colors, logos, general design elements, and even legal disclaimers in an attempt to look real.
Knowing how to recognize phony emails and knowing how to proceed are key steps you can take to protect yourself.
Warning Signs an Email is a Spoof
Typical indications that these messages are fake include the following:
- Generic message greetings, such as “Dear customer or member…”
- Prompts to “update,” “validate,” or “confirm” your account information
- Warnings that your account has been “compromised” and a request to change your password
- Misspelled or incorrect website address (URL)
- Requests for immediate action. For example, “Your account will be suspended within 24 hours if you don’t respond…”
- Spelling errors
Actions to Take
Do not click on a link in one of these messages and do not copy and paste the link into your web browser. The link may look like it belongs to your bank, or to a company you do business with. If the message in the email worries you, call the company using the telephone number you would normally call, and not a telephone number in the email.
Banks, finance companies, and legitimate businesses will never ask you to provide, confirm or verify confidential information like your online banking ID, password, account numbers, balances or PIN through regular email.
If you want to check the website of a real company with which you do business, use your web browser’s bookmarks, or if you do not have the website bookmarked, use Google or Yahoo to search for the company’s website. Never, ever use the address from a suspicious email!
Messages from “Me”
If you receive bounced messages for mail that appears to originate from your email account, or you find messages in Spam from ‘me,’ or you receive a reply to a message you never sent, you may be the victim of a spoofing attack.
When you send a letter through the post, you usually write a return address on the envelope so the recipient can identify the sender, and so the post office can return the mail to the sender in the event of a delivery problem. But nothing prevents you from writing a different return address than your own; in fact, someone else could send a letter and put your return address on the envelope. Email works the same way. When an email server sends an email message, it specifies the sender, but this sender field can be forged. If there is a problem with delivery and someone forged your address on the message, then the message will be returned to you, even if you were not the actual sender.
If you receive a “reply” to a message that was not sent from your address, there are two possibilities:
- The message was spoofed, forging your address as the sender.
- The original sender used your address as a reply-to address so that responses would be sent to you.
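A small header check, added here as an example and not part of the original article, that looks for the traces these two cases leave in a received message: a Reply-To or Return-Path domain that differs from the visible From domain, and a failed SPF, DKIM or DMARC result recorded by the receiving server in its Authentication-Results header. The raw message and all domains in it are constructed placeholders.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample (placeholder domains): the visible sender is alice@example.com,
# but replies and bounces go elsewhere, and the receiving server's SPF check failed.
SAMPLE = """\
Return-Path: <bounce@attacker.example>
Authentication-Results: mx.example.net; spf=fail smtp.mailfrom=attacker.example; dkim=none
From: "Alice" <alice@example.com>
Reply-To: collect@attacker.example
Subject: Re: your newsletter
Content-Type: text/plain

If you can't see the newsletter, click here.
"""


def _domain(header_value):
    """Lowercase domain of an address header ('' if the header is absent or empty)."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def spoofing_indicators(raw_message):
    """Return a list of human-readable reasons the message looks spoofed (empty if none)."""
    msg = message_from_string(raw_message)
    findings = []
    visible = _domain(msg["From"])
    reply_to = _domain(msg["Reply-To"])
    bounce = _domain(msg["Return-Path"])
    # Second case from the text: replies are steered to an address that is not the sender's.
    if reply_to and reply_to != visible:
        findings.append(f"Reply-To domain {reply_to} differs from From domain {visible}")
    # Bounces go to the envelope sender; a forged From address usually does not match it.
    if bounce and bounce != visible:
        findings.append(f"Return-Path domain {bounce} differs from From domain {visible}")
    # First case: the receiving server already recorded that the sender was not authorized.
    auth = (msg["Authentication-Results"] or "").lower()
    for check in ("spf", "dkim", "dmarc"):
        if f"{check}=fail" in auth:
            findings.append(f"{check.upper()} check failed at the receiving server")
    return findings
```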
A recent trick of the email crooks has been to send email asking you to read a newsletter you supposedly subscribed to. The email you receive does not contain a newsletter; it contains a link with a message like, “If you can’t see the newsletter, click here.” The link does not lead to a real newsletter and should never be clicked: if you do click the link you will either land on a website designed to steal information, or one designed to install malware (viruses and bots) on your computer.
Legitimate companies do not send you emails to tell you that your account login needs changing, or your credit card has been frozen! If in doubt, use the telephone to talk to the company, do not click on the email links!
Finally, make every effort to keep your computer safe:
- Install and keep your PC security software (like antivirus and a firewall) up-to-date and turned on.
- Keep your operating system and browser up to date by installing their regular security updates. Windows and Internet Explorer both have frequent security updates because they are the primary target of hackers.
- Scan all e-mail attachments for viruses, even if you recognize the sender.
- Never respond to e-mails requesting personal information; delete them immediately.
- Never give out any personal information such as usernames, passwords, or credit card information via e-mail, and never e-mail such information to yourself.
The author, John Lenardon, is president of Data Cyber Labs, a company specializing in computer crime investigations and training. He has been consulting for corporations and government departments worldwide for over 20 years.