I was recently added to a mailing list for an organization and I started to get a few emails that I wasn't used to seeing, email scams.
Most of these scams are what the industry calls a "phishing" email. Phishing emails are emails that you receive that attempt to get your usernames, passwords, credit cards and other personal information by masquerading as a trustworthy organization that you have dealt with or currently use. Phishing emails may contain links to websites infected with viruses or more often, redirect users to sites that look and feel like the real organization. The follow are some steps on how you can identify an email scam and not get tricked by one.
According to Phishing.org, the first time that the term “phishing” was used and recorded was on January 2, 1996. The mention occurred in a Usenet newsgroup called alt.online-service.america-online. It is fitting that it was made there too; America Online is where the first rumblings of what would become a major criminal issue would take place.
Before you receive email scams, the best solution is to not get them in the first place. There are a number of free or cheap solutions available to assist with prevention.
- Don't use an email address that is easy to guess like info@, webmaster@, contact@, ask@, or careers@ can easily guess these addresses and send emails.
- Most client side software offer spam removal. This software will check for email scams including phishing and automatically delete or move these emails into a "Spam" folder. This will make it very clear that you are viewing likely garbage emails.
- Don't publish your email widely, just to your specific audience. If you have a very public email, maybe that one should be filtered more heavily than your personal email. Just give your personal email to the people you trust most. I have known people to setup an email address that they check just for email subscriptions, so their personal email is just from friends and family. Personally, I think that is too much work to maintain two email accounts just for that purpose. I use Outlook rules to redirect email instead. Here is a guide to help you, if you use Microsoft Outlook.
When you do receive emails, it is important to know how to identify an email scam.
- Check the email address that sent the email (FROM) and what the receiving email address was (TO). If the email is a personal email from your "bank", it does not make sense to receive this kind of email on your corporate email address that your bank does not know about. The email I received below talked about receiving a payment. However, I did not recognize the email address and don't understand why a "payment" would take the form of an email attachment. It is simple; the attachment is a virus and if I opened the zip file, it would have infected my computer.
- Look for bad spelling and/or poor grammar from an email claiming to represent a company. If the email looks like it has gone through Google Translate one too many times, it is not from the company that the email is trying to masquerade as. Here is an email I received from "Apple" about my Apple ID. However, the spelling is bad and does not look anything like what Apple would send me. If I had clicked on the link below, it would send me to a website in Poland and it would try to get access to my Apple username and password for iTunes using a script.
- If you receive an unsolicited email from a company or personal request from someone you have never heard of and don't recall requesting, be suspicious. I received this email on my corporate account one day, but I don't bank with Bank of Montreal.
If you clicked on the link, it would send you to a <fake domain>.com.tw that looked like the Bank of Montreal website. However, because I reported it, this link will now appear with a Web Forgery warning instead, like the one you see in FireFox below.
- If the email is too good to be true, it most likely is. No Nigerian Prince will give you $10 million dollars if you give them only $10,000 now. That doesn't make sense and it is a scam.
- If the email is from a good friend, but the content doesn't make sense, it is possible they have been hacked. If you are unsure, contact your friend back and ask them if they sent you the message (preferably via a different method than email). Whatever you do, DO NOT CLICK REPLY. If the email came from a different email address, but had your friend's name on it, you will get a message back from the spammer, not your friend. I have received an email like this in the past with "My Friend Name Here" <email address I never heard of @hotmail.com>. If I had clicked reply, my friend never would have received the email, only the spammer at the hotmail account. Instead, I emailed my friend at their real email address and found out their computer had a bad virus on it.
- If you are viewing your email on a desktop, just hover over the email link to see where the link goes to. If you are not on a desktop, usually your email client will let you view the HTML source to know where the link will go. If it is not the corporation website you expect, then it is a scam. Do not copy and paste the link in your web browser or click on the link you don't trust. You are on the internet and if you view the page, you could cause the problem you were trying to avoid. Instead hover or view the source of the email instead.
If you identify an email scam, don't let someone else be harmed by it too, report it. The Anti-Phishing Working Group (http://www.antiphishing.org) collects, analyzes, and exchanges lists of verified credential collection sites. These collection sites are then reported to cyber-crime prevention groups in industry, government and law-enforcement sectors. By reporting theses scammers, you can play a part in removing them.