Phishing is a word you hear a lot in the news these days, and this question brought it to mind.
You’re right to be suspicious: this definitely sounds like a phishing expedition.
Phishing: what it is
Phishing is very much like fishing, except that you’re the fish, and that threatening email is the bait. If you bite, you run the very real risk of account or identity theft and all the hassle that entails.
Phishing is, essentially, an email message that tries to trick you into taking some action by fooling you into thinking that the message comes from someone official when it does not.
There are three basic scenarios.
The misleading link
The bad guys, or “phishers”, create an email that looks VERY much like an official email from some important entity, like eBay, Microsoft, Paypal, or perhaps a bank. The key is that the email asks you to visit some site via a link provided in the email. The site that you land on looks very official and proper. At that site, you’re then prompted to enter all your personal information, typically in the guise of “verification”.
The problem is that you’ve just handed over all your personal information to a thief.
The trick used here is that a link can be made to look like one thing, and yet take you somewhere else entirely. The visible text of the link might read like an eBay address, but click on it and you’ll be taken somewhere else entirely. That’s possible because HTML and rich-text email let the text you see and the actual destination of a link be set independently.
So if you’re tempted at all, hover your mouse over the link, and look before you click:
- The actual destination should match what you expect. Exactly. If the link claims to be eBay, http://ebay.hacker.com is not where you want to go. Nor is ebay.cc (note that it’s not “.com”). That’s a big red flag.
- The actual destination should be a name, not a number. If the link’s destination is a raw IP address, such as http://188.8.131.52, chances are it’s not valid.
- The actual destination should be secure. That means it should begin with https:. If the destination of anything that claims to be secure, or related to account validation, begins with the regular, unsecured http:, chances are it’s not legitimate. The reverse doesn’t hold, though: https: only means the connection is encrypted, not that the site belongs to who it claims to be, so the name still has to match.
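The three checks above can be applied mechanically to every link in a message before a human ever looks at it. The following is an added example, not code from the original article: a small Python script that extracts each link from an HTML email body, compares the displayed text with the real destination, and flags the red flags listed above. The sample HTML, the hostnames ebay.hacker.com and www.ebay.cc, and the choice of eBay as the expected site are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from ipaddress import ip_address
from urllib.parse import urlparse

# Constructed sample of an HTML email body, not a real message.
# The visible text of each link says one thing; the href says another.
SAMPLE_HTML = """
<p>Dear valued customer, please verify your account:</p>
<a href="http://ebay.hacker.com/verify">http://www.ebay.com/verify</a><br>
<a href="https://www.ebay.cc/signin">Sign in to eBay</a><br>
<a href="http://188.8.131.52/login">https://signin.ebay.com/</a><br>
<a href="https://signin.ebay.com/ws/eBayISAPI.dll">https://signin.ebay.com/ws/eBayISAPI.dll</a>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML fragment."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lower-cased hostname of a URL ('' if there is none)."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    return (parsed.hostname or "").lower()


def is_ip_literal(host):
    """True for a raw IPv4/IPv6 address such as 188.8.131.52."""
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def same_site(host, expected_domain):
    """True if host is expected_domain or a subdomain of it.
    ebay.hacker.com is NOT a subdomain of ebay.com; signin.ebay.com is."""
    return host == expected_domain or host.endswith("." + expected_domain)


def check_link(href, text, expected_domain):
    """Return the list of red flags for one link; empty means none found."""
    flags = []
    host = host_of(href)
    scheme = urlparse(href).scheme.lower()
    if not same_site(host, expected_domain):
        flags.append(f"destination {host!r} is not {expected_domain}")
    if is_ip_literal(host):
        flags.append("destination is a raw IP address")
    if scheme != "https":
        flags.append(f"not https (scheme is {scheme!r})")
    # Visible text that is itself a URL, but for a different host than the real target.
    shown = re.match(r"https?://[^\s/]+", text)
    if shown and host_of(shown.group(0)) != host:
        flags.append(f"link text shows {host_of(shown.group(0))!r} but goes to {host!r}")
    return flags


def audit_links(html, expected_domain):
    """Map each href in the HTML to its red flags."""
    collector = LinkCollector()
    collector.feed(html)
    return {href: check_link(href, text, expected_domain) for href, text in collector.links}


if __name__ == "__main__":
    for href, flags in audit_links(SAMPLE_HTML, "ebay.com").items():
        print(href, "->", "; ".join(flags) or "no red flags (still go there by hand)")
```

Note that the last link in the sample passes every check and still might not be safe; the script is a filter for obvious fakes, not a substitute for going to the site yourself as described below.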
Avoiding this is simple. Never click on a link in the email you receive in these scenarios. Instead, open up your browser and go to the site in question yourself using your own bookmarks or by typing the URL you already know to be correct.
The misleading attachment
Another common approach phishers use is to provide you with an attachment that, supposedly, contains important information for you to read or review. One common variant uses the promise of a package shipment via one of the popular shipping services that requires you to acknowledge the attached document.
The problem here is that the attached document isn’t a document at all. It’s typically a misnamed file that looks like a document but is actually a program (report.doc.exe), or the “document” is inside a zip file that you must first open, and inside it is another program waiting to be run.
That program? Malware.
There is no package. Whatever the email is trying to convince you of, it’s lying. By opening that attachment, you’ve just allowed your machine to become infected.
Once again, avoiding this is simple: never open attachments that you aren’t 100% certain are legitimate. When in doubt, don’t.
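The double-extension trick and the program-inside-a-zip trick can both be caught by looking at the attachment names rather than trusting their icons. This is an added example, not code from the original article: a Python script that walks the attachments of a raw email, flags names whose final extension runs as a program on Windows, and looks inside zip archives for the same thing. The sample message, the sender address notifications@shipping.example, and the file names are constructed for illustration; the extension lists are a common subset, not an exhaustive one.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Extensions that Windows runs as a program when double-clicked (a common subset).
EXECUTABLE_EXTENSIONS = {
    ".exe", ".scr", ".com", ".bat", ".cmd", ".pif", ".js", ".jse",
    ".vbs", ".vbe", ".wsf", ".hta", ".ps1", ".msi", ".lnk",
}
# Extensions people expect a "document" to have.
DOCUMENT_EXTENSIONS = {".doc", ".docx", ".pdf", ".xls", ".xlsx", ".txt", ".rtf"}


def extension_chain(name):
    """All extensions of a file name, in order: 'report.doc.exe' -> ['.doc', '.exe']."""
    parts = name.lower().rsplit("/", 1)[-1].split(".")
    return ["." + p for p in parts[1:]]


def check_filename(name):
    """Red flags for a single attachment name; empty list means none found."""
    flags = []
    exts = extension_chain(name)
    if exts and exts[-1] in EXECUTABLE_EXTENSIONS:
        flags.append(f"{name!r} is a program, not a document")
        if len(exts) > 1 and exts[-2] in DOCUMENT_EXTENSIONS:
            flags.append(f"double extension: looks like {exts[-2]} but runs as {exts[-1]}")
    return flags


def check_zip(data, container_name):
    """Apply check_filename to every member of a zip archive without extracting it."""
    flags = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for member in zf.namelist():
                for flag in check_filename(member):
                    flags.append(f"inside {container_name!r}: {flag}")
    except zipfile.BadZipFile:
        flags.append(f"{container_name!r} is not a valid zip archive")
    return flags


def audit_attachments(raw_message):
    """Map each attachment name in a raw RFC 5322 message to its red flags."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    results = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        payload = part.get_payload(decode=True) or b""
        flags = check_filename(name)
        # Look inside anything named .zip or carrying the zip magic bytes.
        if name.lower().endswith(".zip") or payload[:4] == b"PK\x03\x04":
            flags += check_zip(payload, name)
        results[name] = flags
    return results


def build_sample_message():
    """Constructed sample resembling the 'package shipment' lure; not a real email."""
    msg = EmailMessage()
    msg["From"] = "notifications@shipping.example"
    msg["To"] = "you@example.com"
    msg["Subject"] = "Your package could not be delivered"
    msg.set_content("Please review the attached delivery notice.")
    # A program disguised as a document by a double extension (fake bytes, not a real binary).
    msg.add_attachment(b"MZ\x90\x00not-a-real-program", maintype="application",
                       subtype="octet-stream", filename="delivery_notice.doc.exe")
    # A zip archive wrapping a script.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.pdf.js", "// would run under Windows Script Host")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="invoice.zip")
    # A harmless-looking text file, for contrast.
    msg.add_attachment(b"tracking: 0000", maintype="text", subtype="plain",
                       filename="tracking.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, flags in audit_attachments(build_sample_message()).items():
        print(name, "->", "; ".join(flags) or "no obvious red flags (still verify the sender)")
```

A clean result from this script means only that the name doesn’t give the game away; a file that really is a document can still carry malicious macros, so the “when in doubt, don’t” rule stands.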
Misleading threat of closure
A surprisingly successful phishing attack boils down to this: an email that threatens your online account with closure unless you respond with your account credentials.
Including your password.
This is the easiest of all to avoid. Legitimate businesses will never, ever ask you for your password via email.
Don’t even think about it. Delete that email – better yet, mark it as spam – and move on.
If there’s a real issue
For any of these scenarios, if the messages you get concern you, and you want to ensure you’re not missing something important, that’s also very easily dealt with.
Step one: ignore the email. Completely. Personally, I’d delete it right now.
Step two: go to the site in question manually. Use your own bookmark, or type what you know to be the correct URL into your browser by hand, and log in to your account as you normally would. If there’s something you need to do or verify, then you’ll probably see it then.
And if you’re still not sure, then give the institution a call or contact their support line or search their support site. Trust me, they’d much rather have you ask than have to deal with the possibility of identity or account theft.