
Phishing: How to Know It When You See It

I’ve received an email from Microsoft asking for billing details and threatening the end of my Outlook.com account. Contacting Microsoft resulted in referral to a support alias, but no answer. Is this a problem, or a forgery?

Phishing is a word you hear a lot in the news these days, and this question brought it to mind.

You’re right to be suspicious: this definitely sounds like a phishing expedition.


Phishing: what it is

Phishing is very much like fishing, except you’re the fish and threatening email is the bait. If you bite, you run the very real risk of account or identity theft and all the hassle that entails.

Phishing is, essentially, an email message that tries to trick you into taking some action by fooling you into thinking that the message comes from someone official when it does not.

There are three basic scenarios.

The misleading link

The bad guys, or “phishers”, create an email that looks VERY much like an official email from some important entity, like eBay, Microsoft, PayPal, or your bank. The email asks you to visit some site via a link provided in the email. The site it takes you to looks very official and proper. At that site, you’re prompted to enter personal information, typically to verify your account.

The problem is, you’ve just handed over all your personal information to a thief.

The trick used here is that a link can be made to look like one thing, and yet take you somewhere else entirely. For example,

http://www.ebay.com/

That looks like a link to eBay, right? In the HTML version of this article it isn’t: click on it and you’re taken somewhere else entirely (in plain text, as here, only the visible text survives). This is possible because in HTML and rich-text email the text you see and the address the link actually opens are two separate things. The visible text is whatever the sender chooses to display; the real destination is hidden in the link itself.

So if you’re tempted at all, hover your mouse over the link (on a phone, press and hold it) and look at the real destination before you click.

  • The actual destination should match what you expect. Exactly. The part that matters is the domain name itself: the portion just before the first single slash, read from the right. If the link claims to be eBay, http://ebay.hacker.com is not where you want to go; the domain there is hacker.com, and “ebay” is just a name the attacker put in front of it. Nor is ebay.cc (note that it’s not “.com”). That’s a big red flag.
  • The actual destination should be a name, not a number. If the link’s real destination is a bare numeric address, such as http://72.3.133.152, chances are it’s not legitimate.
  • The actual destination should be secure, meaning it begins with https:. If the destination of anything that claims to be secure (or to validate your account) begins with plain, unsecured http:, chances are it’s not legitimate. The reverse isn’t true, though: https only means the connection is encrypted, not that the site is honest, and phishing sites routinely use https as well. A padlock on the wrong domain is still the wrong domain.

Avoiding this is simple. Never click on a link in the email you receive in these scenarios. Instead, open your browser and go to the site yourself, using your bookmarks or typing the URL you already know to be correct.
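To make the “look before you click” checks concrete, here is an added example (not code from this article) that audits every link in an HTML email: it pulls out each link’s visible text and its real destination and applies the three tests above, plus a fourth for visible text that is itself a web address pointing somewhere else. The email it examines is constructed for illustration using the article’s own example addresses; the function names and the two-label domain rule in registrableDomain() are assumptions made for the example.

```javascript
// Added example, not code from the Ask Leo! article. Audits the links in an
// HTML email: the text you see versus the address the link really opens.
// SAMPLE_EMAIL is constructed for illustration (the article's own example
// hosts plus made-up paths).

const SAMPLE_EMAIL = `
<p>Dear customer, please verify your account within 24 hours:</p>
<p><a href="http://ebay.hacker.com/verify">http://www.ebay.com/</a></p>
<p><a href="https://ebay.cc/login">Sign in to eBay</a></p>
<p><a href="http://72.3.133.152/ebay/">Click here</a></p>
<p><a href="https://www.ebay.com/help">Help</a></p>
`;

// Assumption/simplification: the last two labels are the owner's domain.
// Real code must consult the Public Suffix List, or ebay.co.uk collapses to co.uk.
function registrableDomain(hostname) {
  return hostname.toLowerCase().split(".").slice(-2).join(".");
}

// Bare IPv4 literal, or a bracketed IPv6 literal.
function isIpLiteral(hostname) {
  return /^\d{1,3}(\.\d{1,3}){3}$/.test(hostname) || hostname.startsWith("[");
}

// Minimal <a href="...">text</a> extraction: enough for the sample, not a
// general HTML parser.
function extractLinks(html) {
  const re = /<a\s[^>]*href\s*=\s*["']([^"']+)["'][^>]*>(.*?)<\/a>/gis;
  const links = [];
  let m;
  while ((m = re.exec(html)) !== null) {
    links.push({ href: m[1], text: m[2].replace(/<[^>]+>/g, "").trim() });
  }
  return links;
}

// Returns the reasons a link fails the article's checks (empty list = passes).
function checkLink(link, claimedDomain) {
  const flags = [];
  let url;
  try {
    url = new URL(link.href);
  } catch {
    return ["href is not a valid URL"];
  }
  const host = url.hostname;
  if (isIpLiteral(host)) flags.push("destination is a bare IP address");
  if (url.protocol !== "https:") flags.push("destination is not https");
  if (registrableDomain(host) !== claimedDomain) {
    flags.push(`destination ${host} is not under ${claimedDomain}`);
  }
  // Fourth check: visible text that looks like a URL but disagrees with the real one.
  if (/^(https?:\/\/)?[\w-]+(\.[\w-]+)+/.test(link.text)) {
    try {
      const shown = new URL(/^https?:\/\//.test(link.text) ? link.text : `http://${link.text}`).hostname;
      if (registrableDomain(shown) !== registrableDomain(host)) {
        flags.push(`text shows ${shown} but the link opens ${host}`);
      }
    } catch {
      // visible text was not a parseable address; nothing to compare
    }
  }
  return flags;
}

function auditEmail(html, claimedDomain) {
  return extractLinks(html).map((l) => ({ ...l, flags: checkLink(l, claimedDomain) }));
}

// Usage: list every link and why it was flagged.
for (const l of auditEmail(SAMPLE_EMAIL, "ebay.com")) {
  console.log(l.flags.length ? "SUSPICIOUS" : "ok        ", l.text, "->", l.href, l.flags);
}
```

In the sample, only the last link (a real www.ebay.com address over https) passes; the first is flagged three times, because it is plain http, lands on hacker.com, and shows www.ebay.com while opening ebay.hacker.com. Note that the https test can only ever count against a link, never for it.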

The misleading attachment

Another common approach phishers use is to provide you with an attachment that supposedly contains important information for you to read or review. One common variant says you have a package coming via one of the popular shipping services, and you must acknowledge an attached document.

The problem here is that the attached “document” isn’t a document at all. It’s typically a misnamed file that looks like a document but is actually a program (report.doc.exe, which Windows shows as just report.doc when its default setting of hiding known file extensions is on), or the “document” is inside a zip file you must first open, and what you then open is a program.

That program? Malware.

There is no package. Whatever the email is trying to convince you of, it’s lying. By opening that attachment, you’ve infected your computer.

Once again, avoiding this is simple: never open attachments that you aren’t 100% certain are legitimate. When in doubt, don’t.
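The following is an added example, not code from this article, showing why report.doc.exe fools people: it models what Windows Explorer displays when known extensions are hidden and flags attachment names whose real extension is executable while the displayed name looks like a document. The attachment names are constructed for illustration, and the extension lists are the example’s own assumption about what counts as “executable” and “document-like”.

```javascript
// Added example, not code from the Ask Leo! article. Models the hidden-extension
// display and flags disguised executables. Attachment names below are constructed.

// Assumption: extensions Windows runs as a program when double-clicked.
const EXECUTABLE = new Set(["exe", "scr", "com", "pif", "bat", "cmd", "js", "jse", "vbs", "vbe", "wsf", "hta", "msi"]);
// Assumption: extensions a reader expects on a document or picture.
const DOCUMENT_LIKE = new Set(["doc", "docx", "pdf", "xls", "xlsx", "txt", "jpg", "png", "zip"]);

function extensionOf(name) {
  const i = name.lastIndexOf(".");
  return i <= 0 ? "" : name.slice(i + 1).toLowerCase();
}

// What Explorer shows with "Hide extensions for known file types" enabled:
// the final, registered extension is dropped, whatever comes before it stays.
function displayedName(name) {
  const ext = extensionOf(name);
  if (ext && (EXECUTABLE.has(ext) || DOCUMENT_LIKE.has(ext))) {
    return name.slice(0, name.length - ext.length - 1);
  }
  return name;
}

// Reasons to distrust an attachment name (empty list = nothing obvious).
function auditAttachment(name) {
  const flags = [];
  const ext = extensionOf(name);
  if (EXECUTABLE.has(ext)) {
    flags.push(`real extension .${ext} is executable`);
    const shown = displayedName(name);
    const inner = extensionOf(shown);
    if (DOCUMENT_LIKE.has(inner)) {
      flags.push(`displayed as "${shown}", which looks like a .${inner} document`);
    }
  }
  return flags;
}

// Usage over a few constructed attachment names.
for (const name of ["report.doc.exe", "invoice.pdf", "setup.exe", "tracking_info.pdf.scr"]) {
  console.log(name.padEnd(24), "shown as:", displayedName(name).padEnd(20), auditAttachment(name));
}
```

The point the output makes is that report.doc.exe and report.doc are indistinguishable on screen under the default setting; turning extension hiding off in Explorer removes the disguise, and a mail client that shows the full filename does the same.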

Misleading threat of closure

A surprisingly successful phishing attack boils down to this: an email that threatens your online account with closure unless you respond with your account credentials.

Including your password.

This is the easiest of all to avoid. Legitimate businesses never, ever ask you for your password via email.

Never.

Don’t even think about it. Delete that email — better yet, mark it as spam — and move on.

If there’s a real issue

If you get a message that concerns you, but you want to ensure you’re not missing something important, that’s also very easily dealt with.

Step one: ignore the email. Completely. Personally, I’d delete it right now.

Step two: go to the site in question manually. Use your own bookmark, or type what you know to be the correct URL into your browser by hand, and log in to your account as you normally would. If there’s something you need to do or verify, you’ll probably see it there.

If you’re still not sure, give the institution a call, contact their support line, or search their support site. Trust me: they’d much rather have you ask than have to deal with the possibility of identity or account theft.

Leo


33 comments on “Phishing: How to Know It When You See It”

  1. Dear Dr. Leo,
    The phishing attack hit my email address in just the same way as you described. I received an email which seemed to come from Windows Live… and asked me to supply my personal information to update my account, otherwise my account would be closed in a couple of days. To avoid any inconvenience, I updated my personal information. Since yesterday, I have failed to log in to my account. Subsequently, some of my friends informed me that they received an email from my Hotmail account claiming that “I” was in trouble in an African country where I have never been, and asking them to send “me” some money. Thank you for your informative help. I will never be a fish of “phishing”.

    Reply
  2. I assume that the following (series) of emails to me are a scam, but Hotmail makes it almost impossible to verify. Can anybody help?
    Thanks! -Rich

    [LARGE collection of scam/phishing examples deleted.]

    Those are all scams. They don’t come from official Hotmail email addresses. The English in the messages is grammatically incorrect. They ask for personal information, which such a message would NEVER do.

    Here’s the official word from Microsoft on this scam: Phishing Scam: Hotmail Warning (Verify Your Hotmail Account Now to Avoid it Closed)

    Visiting Windows Live Help is always a good first step.

    – Leo
    28-Jun-2009
    Reply
  3. Michelle,

    You sound surprised that a link that says “www.ebay.com” to the user could actually go to buyleoalatte.com instead. But think about it. How many times have you seen “click here to do something” and never thought “how does that go to a website not called ‘click here’?”

    The answer is simple… That’s how HTML works. There is an HTML tag which says “when you click here, do this”, and the text within it is what is displayed to the user.

    Basically (hoping the formatting comes through):

    <a href="phishing_site_URL">real site name</a>

    Reply
  4. So, I feel like a moron. I got an email from a guy named Mark Savorn regarding a rental, shortly after emailing several people who had rentals posted on craigslist. In Savorn’s email, he made no reference to the listing number, number of bedrooms, location, or any other identifying factor or way in which I could link this email to any particular rental listing on the site. There was, however, a very reasonable tone about his email and what seemed like a harmless request to fill out a credit report. I wasn’t sure what to think, but despite the fact that I was a little suspicious, I clicked on the link! Uh, whoops! So now I’m wondering how bad it is to click? I didn’t fill anything out, just looked at the site, then left it. I don’t do any online banking, but occasionally make purchases online, so what are my chances of not being screwed here? I got smart just a minute too late and googled the guy’s name, and it’s plastered all over flakelist.org! Help!

    Reply
  5. I am so desperate looking for a house I did not even think to check the link location. I filled out personal information on what seemed to be a credit checking site. I’m wondering where I go from here now that the information has already been accepted.

    Reply
  6. Hi everyone, Hi Leo.
    I’ve got a question for you, Leo (or anyone who can answer my question). It could be that my question is totally stupid, but how did you do that ‘www.ebay.com’ so that it leads to another website? Can you teach me how to do it, so I can do something similar to prank my friends? (BTW: I have my own subdomain, so I’d like to give my friends an existing-looking link that leads to my own site.) Bye and thanks in advance

    I’d recommend learning basic HTML as the best way to learn how to do this kind of thing.

    Leo
    15-Jul-2011

    Reply
  7. Good job Leo in having your fake “Ebay” link go to “Buy Leo a Latte” – that is a very cute phishing example. Maybe you’ll get some coffees out of it!

    Reply
  8. A few questions;

    1) In Firefox, there is an option to “not redirect” a page. Would this help?

    2) What exactly is the act of downloading malware? Opening the suspicious email, clicking something in the email (like going to a site), or actually downloading something (either an email attachment or from a site)?

    If it is “opening email”, can it be sent to the spam box and opened with caution (to check)? If it is downloading, usually there is a prompt to Run or Save File. At that point is it already too late?

    Many thanks Leo

    Reply
  9. Leo…I use a great email/spam screening program called Mailwasher from Firetrust. There’s a paid version but I’m a single user and have the free program. I consider Mailwasher one of the most useful items, such as Belarc which I love. Mailwasher lets you screen the email, determine if it’s malware, etc., and a range of options such as mark as good, delete, spam, add to friends list, etc. This is a great program for more security. ec

    Reply
  10. I like to forward phishing emails to the purported sender, the Federal Trade Commission (spam@uce.gov) and my Internet Service Provider, Comcast (abuse@comcast.net). I figure that the “Sender” has a name, brand and reputation to uphold, with a justified reason to investigate. The Feds have a job to do and my ISP has a responsibility to protect their customers.
    This is what I do. First, set your email program to “View All Headers”. Second, look up the legitimate “Sender” web site to find their “contact us”, “report fraud” or “report phishing” email address. Third, look up your ISP report abuse email address, then forward the suspicious email to all of the above. I’ve even been known to read through the Nigerian 419 emails to find a brand name of a shipping company, a bank or a corporate “sponsor” and send them the emails of scammers using their name in vain.
    This won’t stop getting spam in your inbox, but it feels good to let others know what’s happening. Just maybe I’ve helped stop one or two of these clowns.

    Reply
  11. I still use Outlook Express. When I get a suspicious email I look at who sent it by going to Files > Properties where all the info on the source and routing is displayed and check the email address of the sender. The last one was supposedly from my email provider but the sender’s address was madeupname@aol.com and why would ATT be using AOL for their emails? I don’t think so, so I just hit delete.

    Reply
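The two comments above both come down to reading the real headers rather than the display name. As an added example (not part of the article or of either comment), here is that check done in code: it parses a raw header block, including folded continuation lines, and compares the domains in From, Reply-To and Return-Path. The message is constructed for illustration and every address in it is made up; the function names are the example’s own. One caveat a practitioner would add: From and Reply-To are written by the sender and are trivially forged, so a mismatch is evidence against a message, but a tidy-looking From proves nothing, and (as a later comment on this page notes) the address you find there may belong to an uninvolved third party, so it is not a safe basis for an abuse report.

```javascript
// Added example, not code from the Ask Leo! article or its comments. Parses raw
// email headers and flags domain mismatches between From, Reply-To and
// Return-Path. SAMPLE_HEADERS is constructed; all addresses are fictitious.

const SAMPLE_HEADERS = [
  "Return-Path: <bounce-8827@mail.example-bulk.net>",
  "Received: from mail.example-bulk.net (mail.example-bulk.net [198.51.100.7])",
  "\tby mx.example.org with ESMTP id 4Fh2Kz; Mon, 1 Jan 2024 10:00:00 +0000",
  "From: \"AT&T Customer Care\" <madeupname@aol.com>",
  "Reply-To: account-verify@hotmail.com",
  "To: victim@example.org",
  "Subject: Your account will be closed",
].join("\r\n");

// Header names are lower-cased; a line starting with space or tab continues
// the previous header (RFC 5322 folding).
function parseHeaders(raw) {
  const headers = {};
  let current = null;
  for (const line of raw.split(/\r?\n/)) {
    if (/^[ \t]/.test(line) && current) {
      headers[current] += " " + line.trim();
      continue;
    }
    const m = /^([!-9;-~]+):\s*(.*)$/.exec(line);
    if (!m) continue;
    current = m[1].toLowerCase();
    headers[current] = m[2];
  }
  return headers;
}

// Accepts 'Display Name <user@host>' or a bare user@host; returns host.
function addressDomain(field) {
  const m = /<([^>]+)>/.exec(field) || /([^\s,]+@[^\s,>]+)/.exec(field);
  const addr = m ? m[1] : field.trim();
  const at = addr.lastIndexOf("@");
  return at === -1 ? null : addr.slice(at + 1).toLowerCase();
}

// claimedDomain: the domain the message says it is from (e.g. the provider it
// names in its display name or body). Returns the mismatches found.
function auditHeaders(raw, claimedDomain) {
  const h = parseHeaders(raw);
  const flags = [];
  const from = addressDomain(h["from"] || "");
  if (from !== claimedDomain) flags.push(`From domain ${from} is not ${claimedDomain}`);
  if (h["reply-to"]) {
    const rt = addressDomain(h["reply-to"]);
    if (rt !== from) flags.push(`Reply-To domain ${rt} differs from From domain ${from}`);
  }
  if (h["return-path"]) {
    const rp = addressDomain(h["return-path"]);
    if (rp !== from) flags.push(`Return-Path domain ${rp} differs from From domain ${from}`);
  }
  return flags;
}

// Usage: the sample claims to be AT&T but every address-bearing header says otherwise.
console.log(auditHeaders(SAMPLE_HEADERS, "att.com"));
```

The Received lines, which the parser keeps but does not judge, are the one part a sender cannot rewrite after the fact: the topmost ones were added by your own provider and record which machine actually handed the message over, which is the place to look when From and Reply-To have been made to agree.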
  12. Leo … I seem to recall phishing is a contraction for ‘password harvesting fishing.’ I checked your glossary and didn’t find this, and reread all these comments to verify nobody mentioned it. Some quick research didn’t locate this contraction; quick for me being the first paragraph of two Google references. Reading more in Wikipedia because I find the subject captivating, the term phishing is attributed to a hacker: Khan C. Smith (6th paragraph under History and current status). I was amused to find variants such as ‘Spear Phishing’ and ‘Whaling.’

    Reply
  13. Hi Leo,
    Nowadays, these criminals have come up with new ideas. A few days back, I received a mail threatening me that a case has been filed against me (in some god forsaken named court). I must open the attachment for details and reply immediately. Otherwise, the case will be decided in my absence!

    Mmm… What to say about this?

    Reply
    • I’m almost sure a “case”, such as for a lawsuit, the paperwork must be delivered via certified U.S. postal mail and/or hand-delivered by a person known as a Process Server.

      Reply
  14. Is it possible that a cyber criminal, even though they compromised your email account, would use one (or maybe even two) of your contacts to phish more information about you (to perhaps get access to your computer)? Because my contact has not been hacked at all and nothing is showing in his recent activity, and no other contact has received anything from them. It gets me confused.

    Reply
  15. I once received a phishing email for a bank where I don’t have an account. I clicked on the link and entered a bunch of fake account information. When I submitted the data, I was sent to the real bank log-in page which looked incredibly like the fake page. Most people would have just assumed that something went wrong with their inputted data and not have suspected anything.

    Reply
    • Not a good idea. A hacker can craft a link specific to your e-mail address. The link may have had a string of characters after the URL. Just by going to the link, the hacker was “notified” of a valid e-mail address. Some websites (and e-mails that are viewed as HTML) have a “web beacon” that notifies the web site owner (or the sender of the e-mail) of various things. I can’t explain web beacons too easily; maybe Leo can.

      Reply
  16. New definition of irony?! Your email notification for this phishing article was blocked by Windows Live Mail as a suspected phishing attack … 🙂

    Reply
  17. I often come across questions like those on Yahoo Answers and gave them the very same advice as found in this article. Yes, I came across those messages in my Outlook and Yahoo email accounts and deleted them on the spot.

    Reply
  18. One thing that’s a big red flag: the greeting. When you see “hello dear”, “dear email owner”, “dear customer” or the like. If your financial institution contacts you using the email you gave them, you can be sure they will use your name in the email. My credit cards actually use the last 4 digits of my card in the email. And I still open a new tab and type the URL in myself.

    Reply
  19. Note that many phishers/scammers etc now direct you to https sites, so that on its own won’t show it’s real. Just look at the domain on its own as Leo says.

    Reply
  20. Hi Leo,

    You mention learning basic html to people (which is a great idea!) but don’t mention to them that they should view the Source of the email to obtain this information. If they’re unaware of html structure then they’re probably unaware of how to find the information that will validate their skepticism and protect them or build their confidence.

    PS: regarding poor English grammar in an email, it’s often hard to decide whether it’s from a non-English scammer or a Millennial talking chat!

    Reply
  21. I saw a phishing email from an email address when clicking on reply it went to another email, a yahoo.com email. Using abuse.net and entering the yahoo domain name I got the email to report the spam.

    https://www.abuse.net

    Abuse.net is NOT a spam reporting service or feedback loop. But if you can identify the origin of an unwanted message, abuse.net can help you get your complaint to the right place.

    Reply
    • The problem is that the reply address may not have been involved in the spam at all — it could easily have been faked or spoofed. So you may have just reported an innocent user. I do NOT recommend this approach.

      Reply
