Over the weekend a security breach came to light that compromised the email addresses and names of an undisclosed number of consumers from major national companies. You may have received an email over the past few days from one of these companies notifying you of the breach. While this incident does not pose any direct risk (except spam) to consumers it does pose an indirect risk through phishing attacks. Malicious parties may use these names and addresses to email affected consumers, posing as a legitimate company in an attempt to solicit the victim to provide sensitive personal information so they can commit identity theft and financial fraud. Such bogus emails will often ask the victims to confirm an account or log-in to their existing account to receive a prize or discount, however they will typically direct consumers to fake sites or ask that the recipient send sensitive personal information in a direct email response.
The best way to protect yourself from a phishing attack is to recognize these fraudulent emails and not engage them. If you do receive a phishing email you can notify the Secret Service (who is investigating this particular breach) at: email@example.com.
So how do you spot a phishing email? Here’s six tips:
1. Trust your gut and when it doubt, contact the company directly
If you get an email from a company or authority where something seems “off” then contact the company via normal means to confirm the authenticity of the email. Do not contact the company or authority via any URL, email address, phone number or other contact information provided within the suspicious email. Instead, you should either go directly to the company/authority website or call them, using a URL or phone number you or someone else has previously confirmed as legitimate.
3. Check the “from” field
Phishers can easily spoof authentic email addresses, making it appear that an email is coming from an authentic, trusted sender, but checking the “from” field can at least help you identify unsophisticated phishers. If the “from” email contains excessive characters, has spelling mistakes, or does not share the same domain as the company (e.g. “@gapcustomershelp.com” (illegitimate) vs. “@gap.com” (legitimate)) you might have found a phish. But again, just because the “from” email address checks out it does not mean that the email is authentic since this “from” email field can be easily spoofed.
2. Check the “to” field
Legitimate companies with whom you have an established relationship will often (but not always) send you emails with personalized subject lines or introductions (e.g. “John, it’s time to renew your account” or “Dear John A Doe, ” This is not a hard rule, however, so if you receive an email with a generic subject line or introduction do not automatically assume it is a phish or if they do personalize the email do not assume it’s not a phish. Also, if you have multiple email addresses, verify that the email address they used to contact you is the one you used to sign up for that online account. If it’s not, you might have found a phish.
3. Check the links
If the email contains links hover over them (but do not click them) with your mouse – does the preview URL that appears match the URL in the email text? Phishers may include a legitimate URL in their email that redirects to an illegitimate URL. Look how I can redirect you to Google from the following TRUSTe link: www.truste.com. Scammers use the same technique to make you think you are navigating to a legitimate site. If the URL preview does not match the written URL, this can be a strong sign that you have found a phish. Additionally, if either the link or preview link does not contain the traditional company domain address (e.g. “www.gapcustomershelp.com” (illegitimate) vs. “www.gap.com” (legitimate)) you should be suspicious and suspect phishing.
4. Fact check the email content
Look carefully at the contents of the email. If they refer to a previously established account, does the information they provide about the account match up with your actual account information? Phishers may try to trick you into believing in the email’s authenticity by adding erroneous account or confirmation details, hoping you will not be attentive enough to notice the errors. Look carefully. If something doesn’t add up, you’ve probably got a phish on your hands.
5. Legitimate companies and authorities do not ask for personal information via email
If you’ve received an unsolicited email asking you to provide sensitive personal information directly within an emailed response you can pretty safely assume that it’s a phishing attack. Reputable companies would almost never ask you to confirm details like your account, social security, or credit card number via an emailed response, but would instead direct you to a secured company page using SSL to protect your information via encryption.
6. Look for grammatical errors and spelling mistakes
A lot of phishing activity originates from outside the United States in countries where English is not the first language so when they craft these emails these often make grammatical errors or spelling mistakes in abundance – errors your real bank or account provider would never make in a professional customer email. If the grammar and spelling do not add up or if the language seems odd and non-sensical there’s a good chance you’ve found a phish.
So go ahead and test your phish-spotting ability by taking this quick test created by SonicWall: http://www.sonicwall.com/furl/phishing/index.php
Post your scores in the comments section below!