The best way to avoid being a phishing victim is to be able to spot fake addresses. Phishing scams use fake Web and email addresses to lure in victims. Here are some common examples of ways invalid addresses are used by phishers.
Popular Phishing Bait
-
Fake Email Address
Phishers often first enter our world via email. If they can send an email and convince you that it's from a legitimate source, they have begun luring you into their trap.
Who can send a spoofed email? It's easy to send an email that appears to be from someone else. Faking the "from" and the "reply-to" address does not require advanced computer skills. Do not rely on the email address as proof that an email is legitimate.
If you receive an email that appears to be from your bank, a government office, or another legitimate company but it is unexpected or the content is surprising, double check that email before following any links in it. Here are some steps you can take to verify that email:
-
View the full headers of the email and identify the "received" information that appears above the Subject line.
-
Contact the company by phone to ask if they sent the email.
-
Visit the company's website, log in to your account then check if they have sent you any requests/messages.
eBay is a company name that's been used in many phishing scams. Check out their page on spoofed eBay websites.
-
-
Misleading Web Addresses
You receive an email that appears to be from your bank and the email message indicates the bank wants to update your account information. It instructs you to:
Please visit www.citibank.updateinfo.com to update your account information with us.
What's wrong with this?
If, in this example, Citibank was sending you a request, the Web address should end with citibank.com. This address above would take you to a site for updateinfo.com. The phishers will have created a fake website to look like a Citibank page and all the information you type in will go to the phisher, not to Citibank.
This same misdirection can happen in Web pages, not just emails. So when you click on any web address, make sure you end up where you expect to and, when in doubt, you can always call or email that company using the contact information on their registered website.
-
Linked/Concealed Web Addresses
The same email example as above may mislead you by inserting the link as words in the email. For example, it might read:
To update your account information with Citibank, click here.
In this case, you'll need to do some basic detective work to identify the scam. Move your mouse over the link. The URL should display in your email window (where will depend on your email client.) If that does not help, you should be able to right-click on the link and copy it. Then you can paste it somewhere to review the link before you visit it.If the address is made up of numbers instead of a named address, do not follow the link.
-
Fake Websites
If you missed all other signs of phishing, you may have ended up at a website asking you for some personal information. The website may appear legitimate in that it uses the name and logo of an existing company. At this point, the phisher is trying to get as much sensitive information from you as possible. A password, a credit card number, Social Security number, address, date of birth, or any combination of these.
The best way to identify the site as fake is to look at the web address. The important part of the web address will appear at the right. This may be at the end of the address or before a /. Here are some examples of addresses that may appear legitimate but are not:
https://mandtbank.secure-info.com
https://irs-gov.account-security.com
https://www.myaccountinfo.com/paypal
https://169.254.125.0/universityofbaltimore
When you review a web address, the key to determining if it is real will be reading the first section from right to left. Ignore any information that displays after the single slash (/). Reading the examples above from right to left would allow you to see that none of these use domain names of the legitimate company. Legitimate websites for these examples would instead be:https://www.mtb.com
https://www.irs.gov
https://www.paypal.com
https://www.ubalt.edu
Legitimate pages may use something other than www. For example, there is a site called https://home.ubalt.edu. The important part is that the last part of the domain name--ubalt.edu--is in the right place and is correct.
-
Social Media Sites
A relatively new way that phishers are gaining access to important information is via social media sites. They use connections or information in your social network to appear legit, either by creating/commandeering a profile and connecting to your network or by posing as a business or contact (such as a celebrity) for you to follow. The scammer attempts to gather sensitive information directly from you by posing as someone trustworthy.
Examples:
- Fake offerings, like "Click here to get a free $25 Starbucks gift card!" or "Click here to claim your free iPad!" – they usually require you to enter contact information or sign up for "special offers"
- "Cash grabs" – you get a message from one of your friends claiming they're overseas and have lost their wallet (or have some other emergency) and need money quickly
- "Share if" scams ("So-and-so will donate a dollar to charity every time this photo is shared!")
- Like-jacking (fake "Like" buttons" on sites)
- Shortened URLs on Twitter, etc. leading to non-legit websites
- Fake social media sites which require you to enter your FB or Twitter username and password (which can then be used to access your account)
Tips for Securing Your Social Network:
- Be wary of following URLs to external websites. If you're really uncertain about a link, check it on a site like https://checkshorturl.com, which will show you where a shortened URL (e.g. bit.ly, owl.ly) really leads to.
- Avoid clicking on or sharing "freebie" posts -- aside from compromising your own info, you're also putting your contacts at risk.
- If you get a suspicious-looking message from a friend, follow up them outside of the site. Make sure the message is really from your friend – especially if it's a link to an unfamiliar site or a request for money.
- Always double-check the URL of a site before entering your login info. Just because it's asking for your Facebook username and password doesn't mean it's Facebook.
See the Social Media Safety page for more information about protecting your privacy.