
What is phishing? Here's a real-life example

Posted Jun 18 2008, 12:02 AM by Karen Datko

This post comes from partner blog The Dough Roller.

I recently received a phishing e-mail intended to trick me into divulging confidential banking information. As a follow-up to my LifeLock review, I thought I'd share the e-mail with you. If you're not familiar with phishing e-mail or how to detect it, I'll cover that in a moment. But first, here's an image of the e-mail I received:

[image: phishing-email]

What's so suspicious about this e-mail? Here are three things:

    • I don't have an account with this bank.

    • Financial institutions will never send you an e-mail with a link asking you to confirm any information.

    • Wording such as "obligatory activation" is a bit odd.

    In this case the phishing e-mail was not all that sophisticated, but they can be. So let's look at what a phishing e-mail is, how to detect a phishing e-mail, and finally, some resources you can check out for additional information.

    What is phishing?

    According to the U.S. Computer Emergency Readiness Team -- US-CERT -- phishing is a form of social engineering. Phishing attacks use e-mail or malicious Web sites to solicit personal, often financial, information. Attackers may send e-mail seemingly from a reputable credit card company or financial institution that requests account information, often suggesting that there is a problem. When users respond with the requested information, attackers can use it to gain access to the accounts.

    Phishing e-mail typically includes a link you are asked to follow to confirm or update certain confidential information like your address, Social Security number or mother's maiden name. The link often takes you to a site that looks virtually identical to the legitimate site being spoofed.

How do you know if you've received a phishing e-mail?

    While a phishing e-mail can be very convincing, there are several telltale signs to look for:

    Unsolicited e-mail. Generally, you should be leery of any unsolicited e-mail, particularly those that include links.

Urgency. Most phishing e-mail demands information from you urgently, warning that your account will be suspended or your card deactivated unless you act now. In the e-mail above, the information was supposedly needed to "avoid account suspension."

Company logos. The e-mail often contains the logo of the financial institution the fraudsters are trying to mimic. Don't be fooled. Anybody can cut and paste a logo into an e-mail or onto a Web site.

    It's my bank, so it must be legitimate. Sometimes the e-mail will be about a bank or other company where you actually have an account. Did you ever wonder how the scam artists know that you bank at Citibank or carry a Chase credit card or have an eBay account? They don't. They are just playing the odds. For example, they may send out 1 million e-mail messages, knowing that 80% of the recipients don't bank at whatever financial institution they've decided to spoof. But they are counting on some percentage of the remaining 20% to respond to their "urgent e-mail."

    Assurances of security. Phishing e-mail often includes statements and images designed to convince you that they are just as concerned about e-mail scams as you are. For example: "Remember: eBay will not ask you for sensitive personal information (such as your password, credit card and bank account numbers, Social Security number, etc.) in an e-mail." The link in the e-mail then sends you to a site that does ask for confidential information.

Links and return e-mail addresses. Scam artists can do a lot of hocus-pocus with the links embedded in the e-mail and with return e-mail addresses. The sender address is forged as easily as anything else in the message, so a "From" line showing your bank's name proves nothing. The text of a link can differ from its actual destination. A bit of script in the e-mail can hide the real destination so it doesn't appear at the bottom of your browser when you hover the mouse over the link. And they can use a bare IP address as the link destination so that nothing in the link tells you who really owns the site. That's what the e-mail above did.
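The link tricks just described (link text that doesn't match the real target, a raw IP address as the destination, a script handler on the link to spoof the status bar), plus the urgency and "we will never ask you" language from earlier in the list, can be checked mechanically. The Python below is an added example written for this page, not code from The Dough Roller or any vendor. The two e-mail bodies in it are constructed for the demonstration (the bank name, domain and 203.0.113.45 address are placeholders, not the real e-mail from the post), and the "registrable domain" helper assumes the last two labels of a hostname are the owner's domain, which is a simplification; a real tool would use the public suffix list.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample bodies (not the e-mail from the post). The phishing one
# mimics the tricks described above: "obligatory activation", a suspension
# threat, link text showing the bank's domain while the href points at a raw
# IP address, an onmouseover handler to spoof the status bar, and a security
# assurance. ExampleBank, examplebank.com and 203.0.113.45 are placeholders.
SAMPLE_PHISH = """<html><body>
<p>Dear valued customer,</p>
<p>To avoid account suspension, complete the obligatory activation of your
online banking profile within 24 hours.</p>
<p><a href="http://203.0.113.45/examplebank/login.php"
      onmouseover="window.status='https://www.examplebank.com/secure'; return true">
   https://www.examplebank.com/secure</a></p>
<p>Remember: ExampleBank will never ask you for your password in an e-mail.</p>
</body></html>"""

SAMPLE_LEGIT = """<html><body>
<p>Your monthly statement is ready.</p>
<p><a href="https://www.examplebank.com/statements">View statements</a></p>
</body></html>"""

URGENCY_WORDS = ("suspend", "suspension", "deactivat", "within 24 hours",
                 "immediately", "urgent")
ASSURANCE_RE = re.compile(r"will (?:never|not) ask (?:you )?for", re.I)
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
# Visible link text that itself looks like a URL or hostname.
LOOKS_LIKE_URL_RE = re.compile(r"https?://|www\.|\.[a-z]{2,}(?:/|$)", re.I)


class MailParser(HTMLParser):
    """Collects every anchor (href, attributes, visible text) and all body text."""

    def __init__(self):
        super().__init__()
        self.links = []
        self.text = []
        self._cur = None  # (href, attrs, text_parts) while inside an <a>

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            attrs = dict(attrs)
            self._cur = (attrs.get("href") or "", attrs, [])

    def handle_data(self, data):
        self.text.append(data)
        if self._cur is not None:
            self._cur[2].append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._cur is not None:
            href, attrs, parts = self._cur
            self.links.append((href, attrs, " ".join("".join(parts).split())))
            self._cur = None


def registrable_domain(host):
    # Assumption: the last two labels are the owner's domain. Good enough for
    # the samples here; a real tool should consult the public suffix list.
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def link_findings(href, attrs, text):
    """Apply the link checks from the post to one anchor; returns a list of findings."""
    out = []
    host = urlparse(href).hostname or ""
    if IPV4_RE.match(host):
        out.append(f"ip-link: target host is a raw IP address ({host})")
    if any(name.lower().startswith("on") for name in attrs):
        out.append("script-handler: anchor carries an on* attribute (status-bar spoofing)")
    if LOOKS_LIKE_URL_RE.search(text):
        shown = urlparse(text if "://" in text else "http://" + text).hostname or ""
        if shown and host and registrable_domain(shown) != registrable_domain(host):
            out.append(f"mismatch: text shows {shown} but link goes to {host}")
    return out


def analyze_email(html):
    """Return a list of 'category: detail' findings for an HTML e-mail body."""
    parser = MailParser()
    parser.feed(html)
    findings = []
    for href, attrs, text in parser.links:
        findings.extend(link_findings(href, attrs, text))
    body = " ".join("".join(parser.text).split()).lower()
    hits = [w for w in URGENCY_WORDS if w in body]
    if hits:
        findings.append("urgency: " + ", ".join(hits))
    if ASSURANCE_RE.search(body):
        findings.append("assurance: e-mail reassures you it will never ask for credentials")
    return findings


def is_suspicious(html):
    return bool(analyze_email(html))


if __name__ == "__main__":
    for name, body in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(name, analyze_email(body) or "no findings")
```

Run as a script it prints the findings for each sample: five for the phishing body (raw IP target, script handler, text/target mismatch, urgency words, and the security assurance) and none for the statement notice. None of these checks is proof on its own, and a legitimate message can trip the urgency check, which is why the advice in the post still stands: call the number on your card rather than trusting the e-mail.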

The unfortunate lesson in all this is to trust nothing when it comes to unsolicited e-mail. If you have any doubts about whether an e-mail is legitimate, don't use the links or phone numbers in the message. Call your bank or other financial institution using the customer-support number on your credit card, debit card or last statement, or type the bank's Web address into your browser yourself.

    Additional resources

    Here are some additional resources, including where and how you can report a phishing e-mail:

      • Phishing IQ Test by SonicWALL. This test presents you with screenshots of 10 e-mails and you decide whether they are phishing e-mail or legitimate.

      • Report Phishing: You can report a phishing e-mail with US-CERT. US-CERT also has a good article called "Avoiding social engineering and phishing attacks." Also check out their reading room for more great articles.

      • Phishing e-mail list: This site tracks phishing e-mail and provides a list of all known phishing e-mail by date. Please note that just because an e-mail you received is not on the list does not mean the e-mail is legitimate. The e-mail I received happened to be on the list, and you can check out the details here.


      Comments


I took the Phishing IQ test by SonicWALL and found it interesting that they said that the PayPal example email was legitimate. I have PayPal, I know from experience that PayPal will not send such an email to my email address but will only send it to my eBay account messages. As PayPal has stated in the past, that is how they assure privacy in a legitimate manner. I was told by PayPal to consider all emails coming only to my email address (and not also sent to my eBay account messages) to be a phishing scam. So SonicWALL may want to reconsider that example.

Other than that, I have found that the examples were accurate. It is a good test of your knowledge on phishing scams. Everyone should look at it. As a teacher, I plan to use the IQ test in my classrooms for the internet safety lessons.
