How to avoid the #1 cause of compromised accounts.
You’re right to be suspicious: this definitely sounds like a phishing expedition.
Phishing is the #1 way accounts are hacked and credentials stolen.
Become a Patron of Ask Leo! and go ad-free!
Phishing is an email message trying to trick you into handing over confidential information or installing malware. One form involves misleading links that take you to fake sites and ask you to sign in. Another uses attachments to deliver malware. Whenever you’re not 100% certain, visit the website manually, using your own bookmark or typing in the URL by hand. If needed, reach out the company’s support, but above all, avoid the suspicious email.
Phishing: what it is
Phishing is like fishing, except you’re the fish and email is the bait. If you bite, you run the risk of account or identity theft and all the subsequent hassle.
There are three basic scenarios.
The misleading link
The bad guys, or phishers, create an email that looks very much like an official message from an important entity, like eBay, Microsoft, PayPal, or your bank. The email insists you visit a site via a link in the email. The site it takes you to looks very official and proper. You’re then prompted to enter personal information, like signing in to verify your account.
Fall for it, and you’ve just handed over your personal information to a thief.
The trick is that a link can look like one thing and yet take you somewhere else. For example,
That looks like a link to eBay, but it’s not. Click on it and you’ll be taken somewhere else entirely. This is possible due to the way HTML and rich-text email can be encoded.
If you’re tempted at all, first hover your mouse over the link, and look before you click.
- The destination should match what you expect. Exactly. If the link claims to be eBay, http://ebay.hacker.com is not where you want to go. Nor is ebay.cc (note that it’s not “.com”).
- The destination address should be a word (like askleo.com), not a number. If the destination has numbers, such as http://184.108.40.206, it’s not valid.
- The destination should be secure, beginning with https:. If the destination for anything claiming to be secure (or for account validation) begins with regular, unsecured http:, chances are it’s not legitimate.
Avoiding this is simple. Never click on a link in the email you receive in these scenarios. Instead, open your browser and go to the site yourself, using your own bookmarks or typing the URL you already know to be correct.
The misleading attachment
Another approach phishers use is to include an attachment supposedly containing important information. For instance, it might say you have a package coming via a popular shipping service, and you must acknowledge an attached document to get it.
The problem is the attached document isn’t a document at all. It’s typically a mis-named file that looks like a document but is actually a program (report.doc.exe), or the “document” is in a zip file you must first open — and when you do, another program is run.
That program? Malware.
There is no package. The email is lying. Opening the attachment infects your computer with malware.
Avoiding this is simple: never open attachments you aren’t 100% certain are legitimate. When in doubt, don’t.
The misleading threat of closure
A surprisingly successful phishing attack boils down to what you’ve seen: an email threatening to close your online account unless you respond with your account credentials — including your password.
If there’s a real issue
If you get a message that concerns you and you want to safely ensure you’re not missing something important, here’s how.
Step one: ignore the email. Completely. Personally, I’d delete it right now.
Step two: go to the site in question manually. Use your own bookmark, or type what you know to be the correct URL into your browser by hand, and log in to your account as you normally would. If there’s something you need to do or verify, you’ll probably see it there.
If you’re still not sure, give the institution a call, contact their support line, or search their support site. Trust me: they’d much rather have you ask than have to deal with the possibility of identity or account theft.