
Phishing: How to Know it When You See It

I’ve received an email from Microsoft asking for billing details and threatening the end of my Outlook.com account. Contacting Microsoft resulted in referral to a support alias, but no answer. Is this a problem, or a forgery?

Phishing is a word you hear a lot in the news these days, and this question brought it to mind.

You’re right to be suspicious: this definitely sounds like a phishing expedition.


Phishing: what it is

Phishing is very much like fishing, except that you’re the fish, and that threatening email is the bait. If you bite, you run the very real risk of account or identity theft and all the hassle that entails.

Phishing is, essentially, an email message that tries to trick you into taking some action by fooling you into thinking that the message comes from someone official when it does not.

There are three basic scenarios.

The misleading link

The bad guys, or “phishers”, create an email that looks VERY much like an official email from some important entity, like eBay, Microsoft, Paypal, or perhaps a bank. The key is that the email asks you to visit some site via a link provided in the email. The site that you land on looks very official and proper. At that site, you’re then prompted to enter all your personal information, typically in the guise of “verification”.

The problem is that you’ve just handed over all your personal information to a thief.

The trick used here is that a link can be made to look like one thing, and yet take you somewhere else entirely. For example:

http://www.ebay.com/

That looks like a link to ebay, right? It’s not. Click on it and you’ll be taken somewhere else entirely. It’s possible due to the way that HTML and rich-text email can be encoded.

So if you’re tempted at all, hover your mouse over the link, and look before you click:

  • The actual destination should match what you expect. Exactly. If the link claims to be eBay, http://ebay.hacker.com is not where you want to go. Nor is ebay.cc (note that it’s not “.com”). That’s a big red flag.
  • The actual destination should be a name, not a number. If the link’s actual destination is a bare numeric address, such as http://72.3.133.152, chances are it’s not legitimate.
  • The actual destination should be secure. That means it should begin with https:. If the target destination for anything that claims to be secure or account-validation related begins with the regular, unsecured http:, chances are it’s not legitimate.

Avoiding this is simple. Never click on a link in the email you receive in these scenarios. Instead, open up your browser and go to the site in question yourself using your own bookmarks or by typing the URL you already know to be correct.
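The three hover checks above, turned into code. This is an added example, not code from the original article: it pulls every link out of an HTML email body, compares the visible text with the real destination, and flags bare IP addresses and plain http. The sample email, the `.example` domain and the list of flag messages are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
import ipaddress
# Constructed sample email body: the first link shows ebay.com but goes elsewhere,
# the second goes to a bare IP address, the third is what a real link looks like.
SAMPLE_EMAIL = """<p>Please verify your account:</p>
<a href="http://ebay.hacker.example/verify">http://www.ebay.com/</a>
<a href="http://72.3.133.152/login">Click here</a>
<a href="https://signin.ebay.com/">Sign in to eBay</a>"""

class AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> tag in the HTML."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(text):
    """Hostname of a URL, or of a bare domain written as link text ('' if neither)."""
    if "://" not in text:
        if " " in text or "." not in text:
            return ""  # ordinary words such as "Click here", not a URL
        text = "http://" + text
    return (urlparse(text).hostname or "").lower()

def check_link(href, visible_text, expected_domain):
    """Apply the hover checks from the article; return the red flags (empty = passed)."""
    flags, actual, shown = [], host_of(href), host_of(visible_text)
    if actual != expected_domain and not actual.endswith("." + expected_domain):
        flags.append(f"goes to {actual!r}, not {expected_domain!r}")  # wrong site
    if shown and shown != actual:
        flags.append(f"text shows {shown!r} but link goes to {actual!r}")  # disguised link
    try:
        ipaddress.ip_address(actual)
        flags.append("destination is a numeric IP address, not a name")
    except ValueError:
        pass  # a hostname, as expected
    if urlparse(href).scheme != "https":
        flags.append("not https")  # anything account-related should be secure
    return flags

def scan_email(html, expected_domain):
    parser = AnchorCollector()
    parser.feed(html)
    return {href: check_link(href, text, expected_domain) for href, text in parser.links}
```

`scan_email(SAMPLE_EMAIL, "ebay.com")` flags the first two links and passes the third; a link whose visible text is a plain phrase is judged only by where it actually goes.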

The misleading attachment

Another common approach phishers use is to provide you with an attachment that, supposedly, contains important information for you to read or review. One common variant uses the promise of a package shipment via one of the popular shipping services that requires you to acknowledge the attached document.

The problem here is that the attached document isn’t a document at all. It’s typically a mis-named file that looks like a document but is actually a program (report.doc.exe), or the “document” is inside a zip file that you must first open, and what’s inside is another program to be run.

That program? Malware.

There is no package. Whatever the email is trying to convince you of, it’s lying. By opening that attachment, you’ve just allowed your machine to become infected.

Once again, avoiding this is simple: never open attachments that you aren’t 100% certain are legitimate. When in doubt, don’t.
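The two attachment tricks the section describes (a program named like a document, and a program hidden inside a zip) checked by name before anything is opened. This is an added example, not code from the original article; the extension lists and the sample zip are constructed for it.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Assumed lists for this example: extensions that run code when "opened",
# and extensions a user would read as a harmless document.
EXECUTABLE = {".exe", ".scr", ".com", ".bat", ".cmd", ".js", ".vbs"}
DOCUMENT_LIKE = {".doc", ".docx", ".pdf", ".xls", ".xlsx", ".txt"}

def classify(name):
    """None for a plain file, 'program' for an executable, and a stronger verdict
    for names such as report.doc.exe, where a document extension is followed by
    an executable one (Windows hides the final .exe by default)."""
    suffixes = [s.lower() for s in PurePosixPath(name).suffixes]
    if not suffixes or suffixes[-1] not in EXECUTABLE:
        return None
    if any(s in DOCUMENT_LIKE for s in suffixes[:-1]):
        return "program disguised as a document"
    return "program"

def suspicious_attachment(name, data):
    """Reasons to distrust an attachment, from its name and, for a zip, its members."""
    reasons = []
    kind = classify(name)
    if kind:
        reasons.append(f"{name}: {kind}")
    if name.lower().endswith(".zip") and zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as archive:
            for member in archive.namelist():  # names only; nothing is extracted
                kind = classify(member)
                if kind:
                    reasons.append(f"{name} contains {member}: {kind}")
    return reasons

def build_sample_zip():
    """Constructed sample: a zip that claims to hold a shipping document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("shipping_label.pdf.exe", b"not a real program")
    return buf.getvalue()
```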

Misleading threat of closure

A surprisingly successful phishing attack boils down to this: an email that threatens your online account with closure unless you respond with your account credentials.

Including your password.

This is the easiest of all to avoid. Legitimate businesses will never, ever ask you for your password via email.

Never.

Don’t even think about it. Delete that email – better yet, mark it as spam – and move on.

If there’s a real issue

For any of these scenarios, if the messages you get concern you, and you want to ensure you’re not missing something important, that’s also very easily dealt with.

Step one: ignore the email. Completely. Personally, I’d delete it right now.

Step two: go to the site in question manually. Use your own bookmark, or type what you know to be the correct URL into your browser by hand, and log in to your account as you normally would. If there’s something you need to do or verify, then you’ll probably see it then.

And if you’re still not sure, then give the institution a call or contact their support line or search their support site. Trust me, they’d much rather have you ask than have to deal with the possibility of identity or account theft.


20 comments on “Phishing: How to Know it When You See It”

  1. Dear Dr. Leo,
    The phishing attacked my email address in just the same way as you described. I received an email which seemed to come from Window Live… and asked me to supply my personal information to update my account, otherwise my account would be closed in a couple of days. To avoid any inconvenience, I updated my personal information. Since yesterday, I have failed to log in to my account. Subsequently, some of my friends informed me that they received an email from my hotmail account claiming that “I” was in trouble in an African country where I have never been and asking them to send “me” some money. Thank you for your informative help. I will never be a fish of “phishing”.

  2. I assume that the following (series) of emails to me are a scam, but Hotmail makes it almost impossible to verify. Can anybody help?
    Thanks! -Rich

    [LARGE collection of scam/phishing examples deleted.]

    Those are all scams. They don’t come from official Hotmail email addresses. The English in the messages is grammatically incorrect. They ask for personal information, which such a message would NEVER do.

    Here’s the official word from Microsoft on this scam: Phishing Scam: Hotmail Warning (Verify Your Hotmail Account Now to Avoid it Closed)

    Visiting Windows Live Help is always a good first step.

    – Leo
    28-Jun-2009
  3. Michelle,

    You sound surprised that a link that says “www.ebay.com” to the user could actually go to buyleoalatte.com instead. But, think about it. How many times have you seen “click here to do something”, and never thought “how does that go to a website not called ‘click here’?”

    The answer is simple… That’s how HTML works. There is an HTML tag which says “when you click here, do this”, and the text within it is what is displayed to the user.

    Basically (hoping the formatting comes through):

    <a href="phishing_site_URL">real site name</a>

  4. So, I feel like a moron. I got an email from a guy named Mark Savorn regarding a rental, shortly after emailing several people who had rentals posted on craigslist. In Savorn’s email, he made no reference to the listing number, number of bedrooms, location, or any other identifying factor or way in which I could link this email to any particular rental listing on the site. There was, however, a very reasonable tone about his email and what seemed like a harmless request to fill out a credit report. I wasn’t sure what to think, but despite the fact that I was a little suspicious, I clicked on the link! Uh, whoops! So now I’m wondering how bad it is to click? I didn’t fill anything out, just looked at the site, then left it. I don’t do any online banking, but occasionally make purchases online, so what are my chances of not being screwed here? I got smart just a minute too late and googled the guy’s name, and it’s plastered all over flakelist.org! Help!

  5. I am so desperate looking for a house I did not even think to check the link location. I filled out personal information on what seemed to be a credit checking site. I’m wondering where I go from here now that the information has already been accepted.

  6. Hi everyone, Hi Leo.
    I’ve got a question for you, Leo (or anyone who can answer my question). It could be that my question is totally stupid, but how did you do that ‘www.ebay.com’ so that it leads to another website? Can you teach me how to do it, so I can do something similar to prank my friends? (BTW: I have my own subdomain, so I would like to give my friends an existing-looking link that leads to my own site.) Bye and thanks in advance

    I’d recommend learning basic HTML as the best way to learn how to do this kind of thing.

    Leo
    15-Jul-2011

  7. Good job Leo in having your fake “Ebay” link go to “Buy Leo a Latte” – that is a very cute phishing example. Maybe you’ll get some coffees out of it!

  8. A few questions;

    1) In Firefox, there is an option to “not redirect” a page. Would this help?

    2) What exactly is the act of downloading a malware? Opening the suspicious email, clicking something in the email (like go to a site), or actually downloading something (either email attachment or from site)?

    If it is “opening email”, can it be sent to spam box and opened with caution (to check)? If it is downloading, usually there is a prompt to Run or Save File. At that point is it already too late?

    Many thanks Leo

  9. Leo…I use a great email/spam screening program called Mailwasher from Firetrust. There’s a paid version but I’m a single user and have the free program. I consider Mailwasher one of the most useful items, such as Belarc which I love. Mailwasher lets you screen the email, determine if it’s malware, etc., and a range of options such as mark as good, delete, spam, add to friends list, etc. This is a great program for more security. ec

  10. I like to forward phishing emails to the purported sender, the Federal Trade Commission (spam@uce.gov) and my Internet Service Provider, Comcast (abuse@comcast.net). I figure that the “Sender” has a name, brand and reputation to uphold with a justified reason to investigate. The Feds have a job to do and my ISP has a responsibility to protect their customers.
    This is what I do. First, set your email program to “View All Headers”. Second, look up the legitimate “Sender” web site to find their “contact us”, “report fraud” or “report phishing” email address. Third, look up your ISP report abuse email address, then forward the suspicious email to all of the above. I’ve even been known to read through the Nigerian 419 emails to find a brand name of a shipping company, a bank or a corporate “sponsor” and send them the emails of scammers using their name in vain.
    This won’t stop getting spam in your inbox, but it feels good to let others know what’s happening. Just maybe I’ve helped stop one or two of these clowns.

  11. I still use Outlook Express. When I get a suspicious email I look at who sent it by going to Files > Properties where all the info on the source and routing is displayed and check the email address of the sender. The last one was supposedly from my email provider but the sender’s address was madeupname@aol.com and why would ATT be using AOL for their emails? I don’t think so, so I just hit delete.

  12. Leo … I seem to recall phishing is a contraction for ‘password harvesting fishing.’ I checked your glossary and didn’t find this, and reread all these comments to verify nobody mentioned it. Some quick research didn’t locate this contraction; quick for me being the first paragraph of two Google references. Reading more in Wikipedia because I find the subject captivating, the term phishing is attributed to a hacker: Khan C. Smith (6th paragraph under History and current status). I was amused to find variants such as ‘Spear Phishing’ and ‘Whaling.’

  13. Hi Leo,
    Nowadays, these criminals have come up with new ideas. A few days back, I received a mail threatening me that a case has been filed against me (in some god forsaken named court). I must open the attachment for details and reply immediately. Otherwise, the case will be decided in my absence!

    Mmm… What to say about this?

  14. Is it possible that a cyber criminal, even though they compromised your email account, would use one (or maybe even two) of your contacts to phish more information about you (to perhaps get access to your computer)? Because my contact has not been hacked at all and nothing is showing in his recent activity, and no other contact has received anything from them. It gets me confused.

  15. I once received a phishing email for a bank where I don’t have an account. I clicked on the link and entered a bunch of fake account information. When I submitted the data, I was sent to the real bank log-in page which looked incredibly like the fake page. Most people would have just assumed that something went wrong with their inputted data and not have suspected anything.

  16. New definition of irony?! Your email notification for this phishing article was blocked by Windows Live Mail as a suspected phishing attack … 🙂
