E-mail Fraud, a.k.a. Phishing

What is e-mail fraud?

 

Fake e-mail messages sent to you for the purpose of obtaining personal and financial information are some of the most common e-mail fraud messages received by Internet users today. Colloquially, these fraudulent e-mails are called phishing.

Phishing e-mails are made to appear as if they are from a legitimate company, typically a financial services organization, like a bank, credit union, or investment brokerage. Others purport to be from other organizations that perform financial transactions using personal data.

The phishing e-mails typically inform you that account information needs to be updated and that action must be taken immediately. The information they ask for ranges from user name and password all the way to name, address, and credit card information, depending on which legitimate company they are posing as.

 

How to recognize e-mail fraud.

 

Identifying phishing e-mails is not always easy as criminals are becoming more adept at learning from their past mistakes. However, there are generally certain clues that will give away a phishing e-mail, and the associated fake web page, that you can use when you are in doubt about the integrity of an e-mail message.

 

Companies with which you have no prior relation.

 

We all get e-mail messages from companies with whom we've never done business; that's just marketing. But you shouldn't get messages from those companies asking you to update account information, provide personal data, or otherwise imply an existing relationship. This should be your first clue that something isn't right with this e-mail message.

 

Urgent appeals.

 

While legitimate senders, particularly marketers, use terms like 'act now' and 'this offer expires soon', they generally don't tell you to act within the next 24 hours. Also, phishing e-mails will often state that your account will be suspended, terminated, closed, or otherwise rendered useless if you don't act immediately.

 

Generic message or no personalization.

 

These criminals typically do not know who you are; they just have your e-mail address. Since they don't know you, they cannot put "Dear John Smith" at the top of the message. They will tend to either use no salutation at all, or will use phrases like "Dear RealCompany Customer", "Dear RealCompany User", etc. [Note: RealCompany is a made-up name for example purposes in this article and has nothing to do with any company or organization that may actually have that name.]

The criminals can get your e-mail address many ways, but the most common is through viruses and worms planted on other users' computers. The viruses gather e-mail information from the address book of the infected computer's e-mail client (like Outlook or Messenger) and report this back to the criminals. The viruses typically infect tens, if not hundreds, of thousands of computers at one time, so given the size of most people's address books, the criminals can build a list pretty quickly. If you're in someone's address book and their computer is infected, the criminals can get your e-mail address.

 

Requests for personal or secure information.

 

This is what they are after. They'll indicate that you need to provide your user name and password or credit card number because they have lost it, are ensuring all of their customers are legitimate, or state that they are addressing a security breach and need you to "re-confirm" your information.

 

Typos and errors throughout the message.

 

A few typos and poor grammar occur even in legitimate communications; however, some criminals may not have a good command of English or may be in such a rush that they don't do quality assurance on the phishing e-mail. One of the most easily recognized clues is poor verb conjugation.

 

Links to web sites that don't have the typical domain URL used by the legitimate company.

 

In our example above RealCompany.com may use domains like www.realcompany.com, secure.realcompany.com, mail.realcompany.com. A phisher does not have access to the server(s) with the address of realcompany.com so he must spoof, or forge, the address. He might use something like secure.realcompany.realcompany-confirm-update.com, or even a numeric IP address like 101.58.33.233/realcompanycom/index.aspx, all in the hope that if you glance up and see realcompany in the address bar you'll think it's okay.

Phishers will also sometimes put links into the body of the e-mail that look legitimate, but actually go to a different address. Continuing with the RealCompany.com example, the text in the e-mail might state, "...go to https://www.realcompany.com to update your account information..." but the actual link might go to a different address altogether. Do note, however, that a legitimate link to RealCompany might actually take you to https://www.realcompany.com/productinfo.html where they want you to be able to go directly to the information pertaining to the subject of the e-mail.

Another thing to look for is what is called the top-level domain. Top-level domains can be .com, .net, .org, .edu, .mil, .bz, .info, among others, as well as country codes like .uk for United Kingdom, .jp for Japan, .us for United States, and .ru for Russia. Sometimes the phishers will compromise servers in other countries and this will be reflected in the web address. If the company is one that you do business with and typically has a .com or .org address, you should be suspicious if the address on the fake web page has a country code. Particular ones often used by criminals include:

  • .ru Russia
  • .cn China
  • .kr Korea
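
The link clues described in this section can be checked mechanically. The Python code below is an added example, not part of the original article: the flag names, the helper functions and the SAMPLE message are constructed for illustration, and RealCompany is the article's made-up company.

```python
import ipaddress
from contextlib import suppress
from html.parser import HTMLParser
from urllib.parse import urlsplit

EXPECTED = "realcompany.com"        # the article's made-up company
WATCHED_TLDS = {"ru", "cn", "kr"}   # country codes the article lists
# Constructed sample message body, not a real phishing e-mail.
SAMPLE = """Go to <a href="http://secure.realcompany.realcompany-confirm-update.com/">https://www.realcompany.com</a>
or <a href="http://101.58.33.233/realcompanycom/index.aspx">update now</a>; details at
<a href="https://www.realcompany.com/productinfo.html">https://www.realcompany.com</a>"""

class LinkCollector(HTMLParser):  # collects (href, visible text) per <a>
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(url):
    return (urlsplit(url if "://" in url else "http://" + url).hostname or "").lower()

def check_link(href, text):
    """Return the warning signs from the article that apply to one link."""
    flags, host = [], host_of(href)
    with suppress(ValueError):          # raised when the host is not an IP
        ipaddress.ip_address(host)
        flags.append("numeric-ip-host")
    # A host is the company's only if it is the domain or a subdomain of it.
    legit = host == EXPECTED or host.endswith("." + EXPECTED)
    if EXPECTED.split(".")[0] in href.lower() and not legit:
        flags.append("brand-in-foreign-address")
    # Visible text that is itself a URL must name the host the link opens.
    if text.lower().startswith(("http", "www.")) and host_of(text) != host:
        flags.append("text-differs-from-target")
    if host.rsplit(".", 1)[-1] in WATCHED_TLDS:
        flags.append("watched-country-code")
    return flags

def scan(html):
    parser = LinkCollector()
    parser.feed(html)
    return [(href, check_link(href, text)) for href, text in parser.links]
```

Calling scan(SAMPLE) flags the first two links and leaves the productinfo.html link unflagged, because its host is a genuine subdomain of realcompany.com and matches the displayed address.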

 

Phishing e-mails link to web sites that are not secure.

 

Phishers, working fast to avoid getting caught, often won't have time to create a secure web site. They are also not likely to have the credentials for common security technology such as Secure Sockets Layer (SSL).

A few ways to check for this include making sure the web address starts with "https", not just "http"; looking for the lock icon at the bottom; and double-clicking the lock icon to review the web site's certificate. This last one is probably the most important as the more advanced criminals can spoof the lock icon and address bar. You'll want to make sure that the URL listed in the certificate matches what is displayed in the address bar.

 

Where can you see samples of phishing e-mails?

 

A non-profit organization called the Anti-Phishing Working Group hosts a web site full of information about phishing as well as samples of select reported phishing e-mails in their Phishing Archive at www.antiphishing.org.

 

Which companies are most often spoofed in phishing e-mails?

 

According to the Anti-Phishing Working Group's web site, there are many major U.S.-based companies whose names are used by criminals for phishing e-mails. This doesn't mean that all communications from these companies should be treated suspiciously, but that the criminals know that these companies have many customers and their chances of finding a customer of one of these companies from the e-mail addresses they have harvested are much greater than if they posed as a smaller company.

 

What should you do if you receive a phishing e-mail?

 

First, do not respond to it either by hitting the "Reply" button or by clicking the links. The sender's address is usually fake, so responding that way won't do anything for you, and in the worst case could let the criminals know they have a valid e-mail address they can use for further activity. Clicking through the links will only take you to the phisher's fake web site where they may be able to download spyware and malware onto your computer.

If you want to take some course of action, report the phishing e-mail to the legitimate company or organization that has been spoofed in the e-mail. Most have online mechanisms, either forms or e-mail addresses, where you can communicate this to them. Legitimate companies generally post their phone number, usually a toll-free number, on their web site should you decide to call them instead.

You can also file a complaint with the Internet Fraud Complaint Center at www.ic3.gov. They will probably not be able to address your specific incident, but by providing information to them they can warn others and investigate the crime.