Phishing is a word you hear a lot in the news these days, and this question brought it to mind.
You’re right to be suspicious: this definitely sounds like a phishing expedition.
Become a Patron of Ask Leo! and go ad-free!
Phishing: what it is
Phishing is very much like fishing, except you’re the fish and threatening email is the bait. If you bite, you run the very real risk of account or identity theft and all the hassle that entails.
Phishing is, essentially, an email message that tries to trick you into taking some action by fooling you into thinking that the message comes from someone official when it does not.
There are three basic scenarios.
The misleading link
The bad guys, or “phishers”, create an email that looks VERY much like an official email from some important entity, like eBay, Microsoft, PayPal, or your bank. The email asks you to visit some site via a link provided in the email. The site it takes you to looks very official and proper. At that site, you’re prompted to enter personal information, typically to verify your account.
The problem is, you’ve just handed over all your personal information to a thief.
The trick used here is that a link can be made to look like one thing, and yet take you somewhere else entirely. For example,
That looks like a link to eBay, right? It’s not. Click on it, and you’ll be taken somewhere else entirely. It’s possible due to the way that HTML and rich-text email can be encoded.
So if you’re tempted at all, hover your mouse over the link, and look before you click.
- The actual destination should match what you expect. Exactly. If the link claims to be eBay, http://ebay.hacker.com is not where you want to go. Nor is ebay.cc (note that it’s not “.com”). That’s a big red flag.
- The actual destination should be a name, not a number. If the destination of the link takes you a link that has numbers, such as http://220.127.116.11, chances are it’s not valid.
- The actual destination should be secure. That means it should begin with https:. If the target destination for anything that claims to be secure (or for account validation) begins with the regular, unsecured http:, chances are it’s not legitimate.
Avoiding this is simple. Never click on a link in the email you receive in these scenarios. Instead, open your browser and go to the site yourself, using your bookmarks or typing the URL you already know to be correct.
The misleading attachment
Another common approach phishers use is to provide you with an attachment that supposedly contains important information for you to read or review. One common variant says you have a package coming via one of the popular shipping services, and you must acknowledge an attached document.
The problem here is that the attached document isn’t a document at all. It’s typically a mis-named file that looks like a document, but is actually a program (report.doc.exe), or the “document” is in a zip file you must first open — and when you do, another program is run.
That program? Malware.
There is no package. Whatever the email is trying to convince you of, it’s lying. By opening that attachment, you’ve infected your computer.
Once again, avoiding this is simple: never open attachments that you aren’t 100% certain are legitimate. When in doubt, don’t.
Misleading threat of closure
A surprisingly successful phishing attack boils down to this: an email that threatens your online account with closure unless you respond with your account credentials.
Including your password.
This is the easiest of all to avoid. Legitimate businesses never, ever ask you for your password via email.
Don’t even think about it. Delete that email — better yet, mark it as spam — and move on.
If there’s a real issue
If you get a message that concerns you, but you want to ensure you’re not missing something important, that’s also very easily dealt with.
Step one: ignore the email. Completely. Personally, I’d delete it right now.
Step two: go to the site in question manually. Use your own bookmark, or type what you know to be the correct URL into your browser by hand, and log in to your account as you normally would. If there’s something you need to do or verify, you’ll probably see it there.
If you’re still not sure, give the institution a call, contact their support line, or search their support site. Trust me: they’d much rather have you ask than have to deal with the possibility of identity or account theft.