I recently received a phishing email intended to trick me into divulging confidential banking information. As a follow-up to my LifeLock Review, I thought I’d share the email with you. If you’re not familiar with phishing emails or how to detect them, I’ll cover that in a moment. But first, here’s an image of the email I received:
So what’s so suspicious about this email? Here are three things:
- I don’t have an account with this bank
- Financial institutions will NEVER send you an email with a link asking you to confirm ANY information
- Wording such as “obligatory activation” is a bit odd
In this case the phishing email was not all that sophisticated, but they can be. So let’s look at what a phishing email is, how to detect one, and finally, some resources you can check out for additional information.
What is phishing?
According to the United States Computer Emergency Readiness Team (US-CERT), phishing is a form of social engineering. Phishing attacks use email or malicious web sites to solicit personal, often financial, information. Attackers may send email seemingly from a reputable credit card company or financial institution that requests account information, often suggesting that there is a problem. When users respond with the requested information, attackers can use it to gain access to the accounts.
Phishing emails typically include a link you are asked to follow to confirm or update certain confidential information such as your address, social security number or mother’s maiden name. The link often takes you to a site that looks virtually identical to the legitimate site being spoofed.
How to know if you’ve received a phishing email?
While a phishing email can be very convincing, there are several telltale signs to look for:
- Unsolicited Email: Generally, you should be leery of any unsolicited email, particularly those that include links.
- Urgency: Most phishing emails seek information from you urgently. They indicate that your account will be suspended or your card deactivated. In the email above, the information was to “avoid account suspension.”
- Company Logos: The email often contains the logo of the financial institution the fraudsters are trying to mimic. Don’t be fooled. Anybody can cut and paste a logo into an email or onto a website.
- It’s my bank, it must be legitimate: Did you ever wonder how the scam artists knew that you banked at Citibank or carried a Chase credit card or had an eBay account? They didn’t. They are just playing the odds. For example, they may send out 1 million emails, knowing that 80% of the recipients don’t bank at whatever financial institution they’ve decided to spoof. But they are counting on some percentage of the remaining 20% to respond to their “urgent email.”
- Assurances of security: Phishing emails often include statements and images designed to convince you that they are just as concerned about email scams as you are. For example: “Remember: eBay will not ask you for sensitive personal information (such as your password, credit card and bank account numbers, social security number, etc.) in an email.” The link in the email then sends you to a site that does ask for confidential information.
- Links & Return Email addresses: Scam artists can do a lot of hocus-pocus with the links embedded in the email and with return email addresses. For example, the text in the link can differ from the actual link destination. They can hide the link destination so it doesn’t appear at the bottom of your browser when you hover the mouse over the link. They can use the IP address as the destination for the link to obscure the real destination. That’s what the email above did.
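Two of the link tricks in the last item, link text that differs from the real destination and a raw IP address used as the destination, can be checked mechanically. The following Python code is an added example, not part of the original post; the function names, the sample HTML, and the examplebank.test and 192.0.2.10 values are constructed for illustration.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Link text that is itself a URL or bare hostname; group 1 is the host shown.
URL_LIKE = re.compile(r"(?:https?://)?([\w-]+(?:\.[\w-]+)+)(?:[/:]\S*)?", re.I)

class LinkCollector(HTMLParser):  # collects (href, visible text) per <a>
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(url):
    try:
        return urlsplit(url).hostname  # lowercased; None if there is no host
    except ValueError:  # malformed URL, e.g. unbalanced IPv6 brackets
        return None

def audit_links(html_body):
    """Return [(href, [reasons])] for links using the tricks described above."""
    collector, findings = LinkCollector(), []
    collector.feed(html_body)
    for href, text in collector.links:
        dest, reasons = host_of(href), []
        shown = URL_LIKE.fullmatch(text)
        try:
            ipaddress.ip_address(dest or "")
            reasons.append("destination is a raw IP address")
        except ValueError:
            pass  # destination is a hostname, or the link has no host
        if shown and dest and shown.group(1).lower() != dest:
            reasons.append(f"text shows {shown.group(1).lower()}, link goes to {dest}")
        if reasons:
            findings.append((href, reasons))
    return findings

# Constructed sample body, not the email described in this post.
SAMPLE = """<a href="http://192.0.2.10/login.php">https://www.examplebank.test/activate</a>
<a href="https://www.examplebank.test/help">www.examplebank.test</a>
<a href="https://news.example.org/">Click here</a>"""
```

Calling `audit_links(SAMPLE)` reports only the first link, with both reasons. The host comparison is an exact match, so a harmless difference such as a missing `www.` is also flagged for a human to look at.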
The unfortunate point to all of this is to trust nothing when it comes to unsolicited email. And if you have any doubts whether an email is legitimate, call your bank or other financial institution using the customer support number on your credit card, debit card, or last statement.
Here are some additional resources, including where and how you can report a phishing email:
- Phishing IQ Test by SonicWALL: This test presents you with screenshots of 10 emails and you decide whether each is a phishing email or legitimate.
- Anatomy of a phishing email: This is an excellent essay on phishing emails and spoofed websites.
- Report Phishing: You can report a phishing email to US-CERT. US-CERT also has a good article on Avoiding Social Engineering and Phishing Attacks. Also check out their reading room for more great articles.
- Phishing email list: This site tracks phishing emails and provides a list of all known phishing emails by date. Please note that just because an email you received is not on the list does NOT mean the email is legitimate. The email I received happened to be on the list and you can check out the details here.
Published or updated April 23, 2012.