Phishing (or email fraud) is one of the fastest-growing online frauds today. It uses spam email to defraud victims. Phishing is becoming increasingly common – and increasingly dangerous.
Phishers send out emails falsely claiming to be from a legitimate company in an attempt to scam users into surrendering private information that will then be used for identity theft. The email directs the user to a website that asks them to update personal information. This can include usernames and passwords, credit card numbers, Social Security numbers, bank account numbers and other sensitive information that the legitimate organization already has on file.
This website is bogus even though it looks identical to the legitimate site. Once a customer has updated their data, the phishers steal their identity and run up bills in their name or use the information to commit other crimes.
A common phishing technique involves creating the impression that there is an immediate need for personal information, luring unsuspecting users into quickly clicking a link to one of these bogus sites. By spamming large groups of people, phishers can convince up to five percent of email users to reveal sensitive and personal information.
Even Scarier – Spear Phishing
A step up in complexity is phishers who gather information about you or your company and use it to make the email seem even more legitimate.
For example, several Bower Web Solutions customers have received emails purporting to be from us and requesting email passwords. How did the phishers get this information? Usually just by looking up your domain in public WHOIS directories to determine where your DNS was hosted. This is much like old-school telemarketers who used the phone book to get your name and address before calling.
Often spear phishing emails will be copies of legitimate emails from vendors or clients with only a few links or details changed.
Email Fraud Prevention Tips
One of the easiest ways to protect yourself from phishers is to take simple precautions:
- Do not respond to unsolicited emails that ask for any personal information regardless of how urgent the request appears. Legitimate companies do not ask for personal or sensitive information in this format. If you are concerned about your account – contact the company directly using an email address, website or phone number that you know is legitimate.
- Do not email any personal or financial information. If you initiate a purchase online, look for indicators that the site is secure, e.g. a lock icon and a URL that begins with “https:” (the “s” stands for secure).
- Review your credit card and bank statements as you receive them to ensure that all transactions are legitimate.
- Get spam and antivirus protection such as Bower Web Solutions’ Email Defense product. Good spam programs also identify phishing emails and filter them so you never receive them. Contact Bower Web Solutions for more information on Email Defense and other email products.
- Report anything suspicious. Contact the legitimate company in the suspect email using an email address or phone number that you know is correct.
- Information about known attacks is available from the Anti-Phishing Working Group, and suspected phishing can be reported to them.
What to Do if You Were “Phished”
If you believe that you responded to a phishing email and provided sensitive and personal information to a bogus website:
- Contact the legitimate company in the suspect email using an email address or phone number that you know is correct.
- Contact your credit card company and place a request to place a fraud alert on your card(s).
- Take preventative action for the future through awareness and by investing in an anti-spam and anti-virus service.
Checking an Email’s Authenticity
Since phishers are trying to get you to send them the information, or even the money, they want, they use a few tricks to hide their identity.
Hiding their actual email address: Any email can be sent to look like it is coming from a different address. There are legitimate reasons to send from one email address and have the message appear to come from another, or to have replies go to a different address. For example, we at Bower Web Solutions sometimes want emails to look like they come from the general support address while actually sending them from our personal addresses. This is sometimes visible in the address itself, but more sophisticated phishers will hide it, and it can only be seen by looking at the email headers. Here’s how to view the email headers in most common email clients. Email headers contain a ton of information, and explaining them fully is beyond the scope of this tutorial, but parts of them are human-readable.
Directing you to a legitimate-looking and legitimate-sounding domain that isn’t: Many phishers will direct you to a website that looks like a legitimate website, both in its design and in its domain name, using a domain that is similar to the correct one. Subdomains can be anything – it’s only the actual registered domain that matters. For example, anything.bowerwebsolutions.com would be fine for us, but bowerwebsolutions.com.bowerweb.us is not.
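The two checks described above (does the visible From address match the Return-Path in the headers, and do the links really belong to the registered domain rather than a look-alike subdomain) can be automated. The script below is an added example, not Bower Web Solutions’ own code or the page’s; it uses a constructed sample message and a tiny hard-coded stand-in for the Public Suffix List, which a real tool should replace with the full list.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: a tiny stand-in for the Public Suffix List; real code should use
# the full list (e.g. the publicsuffix2 package).
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au"}

def registered_domain(host):
    """Registrable part of a hostname, subdomains stripped: anything.bowerwebsolutions.com
    -> bowerwebsolutions.com, but bowerwebsolutions.com.bowerweb.us -> bowerweb.us."""
    labels = host.lower().rstrip(".").split(".")
    keep = 3 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 2
    return ".".join(labels[-keep:])

def address_domain(header_value):
    """Domain of the address in a From:/Return-Path: header (display name ignored)."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)

def check_email(raw, expected_domain):
    """Findings suggesting the message did not really come from expected_domain."""
    msg = message_from_string(raw)
    findings = []
    from_dom = address_domain(msg["From"])
    path_dom = address_domain(msg["Return-Path"])  # envelope sender recorded by the receiving server
    if registered_domain(from_dom) != expected_domain:
        findings.append("From domain %s is not %s" % (from_dom, expected_domain))
    if path_dom and registered_domain(path_dom) != registered_domain(from_dom):
        findings.append("Return-Path %s does not match From domain %s" % (path_dom, from_dom))
    body = msg.get_payload(decode=True).decode(errors="replace")
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname or ""
        if registered_domain(host) != expected_domain:
            findings.append("link to %s really belongs to %s" % (host, registered_domain(host)))
    return findings

# Constructed sample message (not a real phishing email); the look-alike domain
# is the one the text above uses as an example.
SAMPLE = """Return-Path: <bounce@mailer-bowerweb.us>
From: Bower Web Solutions Support <support@bowerwebsolutions.com>
Content-Type: text/plain; charset=us-ascii

Please confirm your password within 24 hours at
https://bowerwebsolutions.com.bowerweb.us/login
"""
```

Calling check_email(SAMPLE, "bowerwebsolutions.com") reports two findings: the Return-Path domain does not match the From domain, and the link belongs to bowerweb.us, not bowerwebsolutions.com.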