The subject line of the e-mail referenced “your Amazon Account.” The body mentioned my credit card and how it had just been “updated.” A quick scan of the rest caused temporary alarm. My credit card? I didn’t make any changes to my credit card or my Amazon account. Upon closer inspection, I recognized this e-mail for what it was: an attempt to infiltrate my computer and steal some personal information. In other words, a hacker doing a little phishing.
While many users are well-acquainted with this practice and know what to look for, I suspect there are plenty of folks who still fall victim. Heck, I consider myself an expert at phishing avoidance, yet momentary glances have almost gotten me to click a fraudulent link more than once. Here are some telltale signs of phishing:
- Like many users, I have several e-mail addresses. But the message mentioned above came to an address that isn’t linked to my Amazon account. Discrepancies like that should raise red flags immediately.
- Check the email address appearing in the “From” field; if it looks like gibberish, comes off as extremely unprofessional, or comes from an entirely different company, that’s an obvious sign it didn’t actually originate from Amazon. In some cases, it could come from a friend’s email address or even one of your own alternate addresses.
- Sometimes, a date may be formatted differently, such as DD/MM/YYYY. However, here in the United States, we use MM/DD/YYYY. This can alert you that an e-mail originated outside of the United States.
- Your name is missing. The salutation might merely read, “Hello, [blank].” Large companies like Amazon typically include your name when communicating with you.
- The biggest clue of all: When you mouse over the “reset your password” link on your email from “Amazon”, it reveals a decidedly non-Amazon URL. If you were to click that, you’d probably be directed to a site that looks fairly Amazon-like, with a form requesting all kinds of personal info, including a credit card number. Alternatively, you could land at a site that stealth-installs a bunch of spyware and/or viruses on your system.
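The five signs above can be checked mechanically, which is how mail filters and security teams triage reports of suspicious messages. The script below is an added example and is not code from the original post; it runs the checks over two constructed messages (one imitating the phishing e-mail described above, one imitating a legitimate notice). Every address, domain and name in the samples is invented, the “brand domain” and “addresses linked to my account” are assumptions passed in as parameters, and the domain comparison uses a simple last-two-labels rule rather than the public suffix list.

```python
"""Flag the phishing tell-tales listed above in a raw e-mail (added example)."""
import email
import re
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample imitating the message the post describes. All values invented.
SAMPLE_PHISH = b"""\
From: Amazon Billing <alerts@mail-secure-update.example.net>
To: backup-mailbox@example.org
Subject: your Amazon Account
Content-Type: text/html; charset=utf-8

<html><body>
<p>Hello, ,</p>
<p>Your credit card was updated on 14/03/2024. If this was not you,
<a href="http://amazon-verify.example.net/reset">reset your password</a>
at amazon.com now.</p>
</body></html>
"""

# Constructed sample of what a genuine notice would look like, for contrast.
SAMPLE_LEGIT = b"""\
From: Amazon <no-reply@amazon.com>
To: me@example.com
Subject: Your Amazon account
Content-Type: text/html; charset=utf-8

<html><body>
<p>Hello, Jane,</p>
<p>Your payment method was updated on 03/14/2024. Review it at
<a href="https://www.amazon.com/your-account">Your Account</a>.</p>
</body></html>
"""


class _Collector(HTMLParser):
    """Collects visible text and (link text, href) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.text, self.links = [], []
        self._href, self._link_text = None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._link_text = []

    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self._link_text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._link_text).strip(), self._href))
            self._href = None


def registrable_domain(host):
    """'mail.amazon.com' -> 'amazon.com'. Last-two-labels approximation; a real
    filter would consult the public suffix list (co.uk etc.)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def find_phishing_signs(raw, brand_domain, account_addresses):
    """Return a list of the tell-tales present in the raw message bytes."""
    msg = email.message_from_bytes(raw)
    signs = []

    # 1. Delivered to an address that isn't linked to the account.
    _, to_addr = parseaddr(msg.get("To", ""))
    if to_addr.lower() not in {a.lower() for a in account_addresses}:
        signs.append(f"recipient {to_addr} is not linked to the account")

    # 2. "From" address is not on the brand's domain.
    _, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2]
    if registrable_domain(from_domain) != brand_domain:
        signs.append(f"sender domain {from_domain} is not {brand_domain}")

    charset = msg.get_content_charset() or "utf-8"
    body = msg.get_payload(decode=True).decode(charset, "replace")
    collector = _Collector()
    collector.feed(body)
    text = "\n".join(collector.text)

    # 3. Day-first date: a leading number above 12 cannot be a US month.
    for m in re.finditer(r"\b(\d{1,2})/\d{1,2}/\d{4}\b", text):
        if int(m.group(1)) > 12:
            signs.append(f"date {m.group(0)} is written DD/MM/YYYY")

    # 4. Greeting followed by nothing (a second comma or end of line) instead of a name.
    if re.search(r"\b(?:Hello|Hi|Dear)\s*,\s*(?:,|$)", text, re.MULTILINE):
        signs.append("salutation has no name")

    # 5. The "mouse over" check: where each link really points.
    for link_text, href in collector.links:
        host = urlparse(href).hostname or ""
        if registrable_domain(host) != brand_domain:
            signs.append(f"link '{link_text}' goes to {host}, not {brand_domain}")

    return signs


if __name__ == "__main__":
    for sample in (SAMPLE_PHISH, SAMPLE_LEGIT):
        print(find_phishing_signs(sample, "amazon.com", {"me@example.com"}))
```

Run stand-alone, the script reports all five signs for the first sample and none for the second. The salutation and date rules are deliberately narrow heuristics (they miss “Dear Customer,” for example); the link-host comparison is the one check worth keeping strict, since it is exactly what the mouse-over reveals.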
Like I said, the email I received involved some sloppy phishing. I’ve seen “your account has been compromised!” e-mails that looked indistinguishable from the real thing and, on occasion, I’ve been distracted enough that I’ve almost clicked a bogus link.
Fortunately, it’s fairly easy to protect yourself against attempts like these:
Always be suspicious
Phishing e-mails try to freak you out with warnings of stolen information (or worse), and then offer an easy fix if you just “click here.” (The flipside: “You’ve won a prize! Click here to claim it!”) When in doubt, don’t click. Instead, open your browser, go to the company’s Web site, then sign in normally to see if there are any signs of strange activity. If you’re concerned, change your password.
Check for bad spelling and grammar
Just as some “phishermen” use the wrong date format, most of the missives that come from outside the US are riddled with spelling mistakes and bad grammar. Big companies hire professional writers and editors to make sure their e-mails contain perfect prose. If you’re looking at one that doesn’t, it’s almost certainly a fake.
Beef up your browser
An accidental click of a phishing link doesn’t have to spell disaster. McAfee SiteAdvisor and Web of Trust are free browser add-ons that will warn you if the site you’re about to visit is suspected of malicious activity. They’re like traffic cops that stop you before you turn down a dangerous street.
Use your smartphone
If you’re checking e-mail on your smartphone, it might actually be harder to spot a phishing attempt. You can’t “mouse over” a questionable link and the smaller screen makes you less likely to spot obvious gaffes. The good news is that most smartphone browsers (and operating systems) are immune from harmful sites and downloads, so there’s little harm in tapping a suspicious link. (Obviously, you still shouldn’t complete a form that asks for your password or other personal info.)
Most of all, rely on common sense
You can’t win a contest you didn’t enter. Your bank won’t contact you using an e-mail address you never registered. Microsoft did not “remotely detect a virus on your PC.” Know the warning signs, think before you click, and never, ever give out your password or financial info unless you’re properly signed into your account.
(Image Source: iCLIPART)