The best way to avoid being a phishing victim is to be able to spot fake addresses. Phishing scams use fake Web and email addresses to lure in victims. Here are some common examples of ways invalid addresses are used by phishers.
Phishers often first enter our world via email. If they can send an email and convince you that it's from a legitimate source, they have begun luring you into their trap.
Who can send a spoofed email? It's easy to send an email that appears to be from someone else. Faking the "from" and the "reply-to" address does not require advanced computer skills. Do not rely on the email address as proof that an email is legitimate.
If you receive an email that appears to be from your bank, a government office, or another legitimate company but it is unexpected or the content is surprising, double check that email before following any links in it. Here are some steps you can take to verify that email:
View the full headers of the email and identify the "received" information that appears above the Subject line.
Contact the company by phone to ask if they sent the email.
Visit the company's website, log in to your account then check if they have sent you any requests/messages.
eBay is a company name that's been used in many phishing scams. Check out their page on spoofed eBay websites.
You receive an email that appears to be from your bank and the email message indicates the bank wants to update your account information. It instructs you to:
Please visit www.citibank.updateinfo.com to update your account information with us.
What's wrong with this?
If, in this example, Citibank was sending you a request, the Web address should end with citibank.com. This address above would take you to a site for updateinfo.com. The phishers will have created a fake website to look like a Citibank page and all the information you type in will go to the phisher, not to Citibank.
This same misdirection can happen in Web pages, not just emails. So when you click on any web address, make sure you end up where you expect to and, when in doubt, you can always call or email that company using the contact information on their registered website.
The same email example as above may mislead you by inserting the link as words in the email. For example, it might read:
To update your account information with Citibank, click here.
In this case, you'll need to do some basic detective work to identify the scam. Move your mouse over the link. The URL should display in your email window (where will depend on your email client.) If that does not help, you should be able to right-click on the link and copy it. Then you can paste it somewhere to review the link before you visit it.
If the address is made up of numbers instead of a named address, do not follow the link.
If you missed all other signs of phishing, you may have ended up at a website asking you for some personal information. The website may appear legitimate in that it uses the name and logo of an existing company. At this point, the phisher is trying to get as much sensitive information from you as possible. A password, a credit card number, Social Security number, address, date of birth, or any combination of these.
The best way to identify the site as fake is to look at the web address. The important part of the web address will appear at the right. This may be at the end of the address or before a /. Here are some examples of addresses that may appear legitimate but are not:
When you review a web address, the key to determining if it is real will be reading the first section from right to left. Ignore any information that displays after the single slash (/). Reading the examples above from right to left would allow you to see that none of these use domain names of the legitimate company. Legitimate websites for these examples would instead be:
Legitimate pages may use something other than www. For example, there is a site called http://home.ubalt.edu. The important part is that the last part of the domain name--ubalt.edu--is in the right place and is correct.
A relatively new way that phishers are gaining access to important information is via social media sites. They use connections or information in your social network to appear legit, either by creating/commandeering a profile and connecting to your network or by posing as a business or contact (such as a celebrity) for you to follow. The scammer attempts to gather sensitive information directly from you by posing as someone trustworthy.
Tips for Securing Your Social Network:
See the UB Social Media Safety page for more information about protecting your privacy.