Can you spot a fraud when you see one?
Posted on February 26, 2005
Filed Under Internet & Technology
Recently, I switched the [SCOPES](http://www.scopesnetwork.org) email address to the woman who will be taking over the organization when I leave. A few days later, she forwarded me an email she received about updating records on some list somewhere. After 6+ years as a domain owner, I have learned from experience how to separate the legitimate emails from the ones that are spammed out to anyone in a whois record. I explained to her that she should ignore these requests.
But it made me think about the whole phishing thing and why these emails clog our inboxes: they work. These things are tricky, and you have to be very careful about what you click on from your inbox.
For those that aren’t familiar (yes, Mom, I’m talking to you) phishing is when you get an email that appears to be from your bank or PayPal or your ISP asking you to click a link to update/verify your personal information on their site. These emails are carefully designed to look like the real thing. The websites you go to look just like the real website. The catch is that the `<form>` you fill out doesn’t go to your bank or ISP, it goes to the scammers. Congratulations, you’ve just given thieves your passwords or your social security number or your bank account info. They now have everything they need to wipe you out.
Some of these scams practically scream “I am trying to rob you”. The English is poor, as if they were run through some online translator (because they were). But some are masterful (in an evil way). This is a big business and these folks know what they’re doing.
[The Office Weblog](http://office.weblogsinc.com/entry/1234000523033085/) points to an online [Phishing IQ test](http://survey.mailfrontier.com/survey/quiztest.html). Click on sample emails and mark whether it’s legitimate or not, then check your results. Some are not as obvious as they first appear.
I got 10 out of 10 on the first try.
If you want to protect yourself, here’s what you should look for:
1. Legitimate emails will usually include some personal information that can’t be gathered from your email address. It will say something like “for your account ending in 1234” (assuming your account actually does end in 1234) or they will include your account username.
2. I’ll emphasize the last point: PayPal will **always** include your name as you registered it with them in their emails to you. If it doesn’t say “Dear Your Realname” then it’s a scam. I’m sure the scammers will eventually figure out a way around this, but most only have your email address so they can’t guess this information. So they’ll address the email to “Dear member:” or “Dear client of Whatever Bank”. If an email is asking for an action on your part and you don’t see anything in the email that uniquely identifies you, then ignore it or be safe and enter the URL for the site manually in your browser.
3. If an email appears to be a response to an action you took, such as changing your email address or preferences, and you did just do what the email said you just did then it’s likely legit.
4. Phishers are usually better than this, but look at the URL they want you to go to. A legitimate URL will be something like www.domain.com/something-specific-here. A fake domain will be something like www.domain-unsubscribe.com.
5. Phishers like to alarm you with a crisis. If the email is just selling you a feature of the service, then it’s likely just the service trying to sell you.
6. The last place you should look for validation of an email is the “from” line. I can send you an email that appears to be from anyone I choose, and it takes 3 seconds of my time to change the setting in my email application. This is too easy to fake, and it’s the reason why you might be accused of sending spam that you didn’t send. If spammers can fake being you, then scammers can fake being Amazon or your bank.
7. Get familiar with how your legitimate businesses do their business. You already know how PayPal addresses their emails. Save a few legit ones from eBay or your bank and get a feel for their style and syntax. That way, when a fake comes in you’ll do a better job of spotting the differences.
8. If you have the slightest doubt about an email, err on the side of caution. Don’t click on anything. Instead, go to your browser and manually type in the main URL of the bank/service. Then navigate to the login link to get to the details of your account. Most legit businesses have set up email addresses, FAQs or even have real people assigned to deal with these issues, so if you’re in doubt and you fear you’re being scammed, get in touch with them and find out for sure.
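As an added example (not part of the original post), here is the checklist above turned into a small Python scorer: it deliberately ignores the “from” line (item 6), checks for a generic greeting and for something that uniquely identifies you (items 1 and 2), compares every link’s domain with the service’s real domain (item 4), and looks for crisis language (item 5). The two sample bodies, the expected domain paypal.com, and the regex word lists are constructed assumptions, not data from the post.

```python
import re
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s<>\"']+")
# Items 1-2 of the checklist: "Dear member:", "Dear client of ...", etc.
GENERIC_GREETING_RE = re.compile(
    r"^\s*dear\s+(valued\s+)?(member|client|customer|user|account holder)\b",
    re.IGNORECASE | re.MULTILINE)
# Item 5: the manufactured crisis (word list is an assumption).
URGENCY_RE = re.compile(
    r"suspended|immediately|within 24 hours|unauthori[sz]ed|verify your account",
    re.IGNORECASE)


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname; a simplification that ignores
    multi-label public suffixes such as co.uk."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def phishing_flags(body: str, expected_domain: str, personal_tokens: list[str]) -> list[str]:
    """Return the checklist items a message body trips. The From: header is
    deliberately not an input: it is trivially forged (item 6), so only the
    body is examined."""
    flags = []
    lowered = body.lower()
    if GENERIC_GREETING_RE.search(body):
        flags.append("generic greeting")
    # Items 1-2: a real sender includes something only it would know about you.
    if not any(tok.lower() in lowered for tok in personal_tokens):
        flags.append("no personal identifier")
    # Item 4: every link must land on the service's own domain, not a lookalike
    # such as www.domain-unsubscribe.com.
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname or ""
        if registrable_domain(host) != registrable_domain(expected_domain):
            flags.append(f"link domain mismatch: {host}")
    if URGENCY_RE.search(body):
        flags.append("urgency language")
    return flags


# Constructed sample messages for illustration; not real mail.
PHISH_BODY = ("Dear member:\nYour account has been suspended due to unauthorized "
              "activity. Click http://www.paypal-unsubscribe.com/verify immediately.")
LEGIT_BODY = ("Dear Jane Doe,\nYour preferences for the account ending in 1234 were "
              "updated. Review them at https://www.paypal.com/account/settings.")

if __name__ == "__main__":
    for body in (PHISH_BODY, LEGIT_BODY):
        print(phishing_flags(body, "paypal.com", ["Jane Doe", "ending in 1234"]))
```

The phishing sample trips all four checks while the legitimate sample trips none; the lookalike domain is caught even though the link text and sender name say “PayPal”.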
Comments
One Response to “Can you spot a fraud when you see one?”
Very interesting test. I erred on the side of caution and got Bank of America and Capital One wrong. They say that both of them have strange links and that the Bank of America one should be used for information only, and say that although the Capital One has a strange web address, the fact that they have the last 4 digits of the account number makes it probably legit. So in my book I got all 10 correct.
If the link is weird that is a good enough reason not to trust the email. The last 4 digits mean nothing–maybe the phishers stole some info from somewhere and have numbers and addresses.
The simple answer is, there is no reason to trust any emails at all, and NEVER to click on any link in an email unless you spend the time to research it carefully if you feel you must do something with the email.
Considering I get bombed with 200+ emails a day, I really can only have filters for people I expect to get email from, and ignore all the rest. I don’t have time to look through and consider whether emails are legitimate or not, nor do I have any need to. I know the companies I’m dealing with, and I know their websites and phone numbers already…
Tek.
P.S. I noticed that when people get junk snail mail, they chuck almost all of it in the trash. I don’t believe that most people have the drive or the time to sift through virtual messages and figure out what’s legit or not… Maybe those who have nothing else to do in life…