Scam artists use clever schemes to defraud millions of people around the world each year. People need to learn how to recognize common phishing tactics and malicious emails and what you can do to avoid them.
Scammers typically create emails and messages that look like they’re from real companies, agencies and organizations and even use their logos, fonts, layouts and color schemes.
According to OnGuardOnline.gov, some clues that an email or text message is suspicious include:
- the message is requesting your personal information — do not respond or click links! Companies, agencies (like the IRS, etc.) and organizations will not request your password, user name, credit card data, account numbers, or other personal or financial data through e-mail or text.
- the email appears in your junk folder;
- the sender’s email address does not have that business or agency domain name in it;
- when you hover over a link or coupon the web address is not that company’s / agency’s website;
- if you receive a coupon for a free or discounted item, ask yourself if you signed up to get emails from this company. If not, it’s unlikely they’d send you a discount or freebie out of the blue;
- the email or message has several typos, missing data or poor English.
If you’re not sure an email is legit, DON’T click any links or open any attachments. Instead, look for signs that the email isn’t the real thing or do a search or visit that company’s site to see if there are any complaints from others who received similar emails.
Shipping confirmations or delivery failed messages
Fedex, UPS, USPS and other carriers are often used in fraudulent emails asking users to click on links that more often than not will place malware on the user’s machine. The subject lines typically say things like there was a problem with delivery or they want you to verify information or some important information is missing, etc. The fraudulent email may have an attached file that contains a virus or other malware … or the link may take you to a website that might download a malicious file. Don’t fall for these scams and report it (if you want to) then delete it.
Receipts
Be on the alert for fake emails posing as online retailers like PayPal, Amazon and others with a subject line similar to a receipt you would see for a purchase on that vendor’s online store, a PayPal payment to someone, etc. ~ esp. during holidays. These fake receipt emails are sent by cyber criminals — not the retailers — and clicking links contained in a fake receipt email may install malware on your system, in particular spyware used in severe forms of cyber crime such as credit theft, extortion, and identity theft.
For example, recently I placed a small order on Amazon and received my order confirmation as usual.
The next day I received another Amazon confirmation email for a $1,099 electronic device and the first thing I thought of is someone hacked our account..!
I immediately logged onto Amazon.com and checked our shipping history and it didn’t appear so I went back to the email in my Inbox and noticed several things…
#1 – The “To” line had an email id called “bobrph@…” (my name is Janet);
#2 – The “Hi %USERNAME%” didn’t auto-populate a name;
#3 – When you hover the mouse over a link (DON’T CLICK IT – just hover) it displays a website NOT called “amazon.com/…” but rather “imailsolution.com/…”. We strongly suggest you not visit these types of sites – just in case!
Note the email has Amazon’s logo and layout, fonts and color scheme are almost identical to a typical order confirmation email from them so you need to be on guard.
#4 – As I scrolled down and hovered the mouse over other links (again without clicking) the same domain / website name kept showing up.
#5 – Whoever designed this email even added a typical footer that Amazon uses on their confirmations. This was just an image (nothing popped up when I hovered over these links), but it sure gives the appearance it is a normal message from them.
If you click a phishing or malicious link…
According to Anti-abuse.org once a victim visits a malicious website the deception is not over. Some phishing scams use JavaScript commands in order to alter the address bar. This is done either by placing a picture of the legitimate entity’s URL over the address bar, or by closing the original address bar and opening a new one containing the legitimate URL.
In another popular method of phishing, an attacker uses a trusted website’s own scripts against the victim. These types of attacks (known as cross-site scripting) are particularly problematic, because they direct the user to sign in at their bank or service’s own web page, where everything from the web address to the security certificates appears correct.
A Universal Man-in-the-middle Phishing Kit, discovered by RSA Security, provides a simple-to-use interface that allows a phisher to convincingly reproduce any website and capture any log in details entered at the fake site.
Report Malicious / Phishing / Scam emails
It does help to report suspicious emails to the respective company but it is always best to find out how they want you to report it. Some may ask you to forward an email while others prefer you send it as an attachment.
Below are some examples of common brands we’ve seen in suspicious emails over the years, and it’s easy to do a search on a company name and the phrase “report phishing” to find their preferred method of sending them the data.
Once you report an email just delete it so you don’t accidentally click on any links in it later. Realize you probably won’t hear back from the company you reported the malicious email to, but you will get an auto-reply explaining they received it and will be investigating it.
As Amazon.com mentioned in the auto-reply to me, “please be assured that Amazon.com is not in the business of selling customer information. Many spammers and spoofers use programs that randomly generate e-mail addresses, in the hope that some percentage of these randomly-generated addresses will actually exist.”
You can also forward phishing emails to phishing-report@us-cert.gov and/or reportphishing@antiphishing.org. The Anti-Phishing Working Group, a group of ISPs, security vendors, financial institutions and law enforcement agencies, uses these reports to fight phishing.
If you might have been tricked by a phishing email:
- File a report with the Federal Trade Commission at www.ftc.gov/complaint .
- Visit the FTC’s Identity Theft website. Victims of phishing could become victims of identity theft; there are steps you can take to minimize your risk.
Additional resources:
Protecting your devices from cyber threats
OnGuardOnline.gov
StaySafeOnline
US-CERT
Anti-Phishing Working Group