10 Ways to Identify Spam & Phishing Emails
1. The message contains a mismatched URL One of the first things that I recommend checking in a suspicious email message is the integrity of any embedded URLs. Often times the URL in a phishing message will appear to be perfectly valid. However, if you hover your mouse over top of the URL, you will see the actual hyperlinked address. If the hyperlinked address is different from the address that is displayed, then the message is probably fraudulent or malicious.
2. URLs contain a misleading domain name Often times people that launch phishing scams depend on their victims not knowing how the DNS naming structure for domains works. It is the last part of a domain name that is the most telling. For example, the domain name info.brienposey.com would be a child domain of brienposey.com because brienposey.com appears at the end of the full domain name (on the right hand side). Conversely, brienposey.com.maliciousdomai.com would clearly not have originated from brienposey.com because the reference to brienposey.com is on the left side of the domain name, not the right. I have seen this trick used countless times by phishing artists as a way of trying to convince victims that a message came from a company like Microsoft or Apple. The phishing artist simply creates a child domain bearing the name Microsoft, Apple, or whatever. The resulting domain name looks something like this: Microsoft.maliciousdomainname.com.
3. The message contains poor spelling and grammar Whenever a large company sends out a message on behalf of the company as a whole, the message is usually reviewed for spelling, grammar, legality, and a number of other things. As such, if a message is filled with poor grammar or spelling mistakes it probably didn’t come from a major corporation’s legal department. To give you a rather amusing example, I received an email message a few weeks ago that was supposedly from one of the large real estate companies. However, the body of the email merely said, “Me buy house fast”. Obviously, that email was not legit. I’ll concede that this particular message was more of a spam than a phishing message, but the same basic principle applies to phishing emails as well.
4. The message asks for personal information No matter how official an email message might look, it is always a bad sign if the message asks for personal information. Your bank doesn’t need you to send them your account number. They already know what it is. Similarly, a reputable company should never send an email asking for your password, credit card number, or the answer to a security question.
5. The offer seems too good to be true There is an old saying that if something seems too good to be true, it probably is. That saying holds especially true for email messages. If you receive a message from someone unknown to you who is making big promises, then the message is probably a scam. After all, why would a Nigerian prince that you have never heard of contact you to help him smuggle money out of his country?
6. You didn’t initiate the action Just yesterday I received an email message informing me that I had won the lottery!!!! The only problem is that I never bought a lottery ticket. If you get a message informing you that you have won a contest that you did not enter then you can bet that the message is a scam.
7. You are asked to send money to cover expenses One telltale sign of a phishing E-mail is that you will eventually be asked for money. You might not get hit up for cash in the initial message, but sooner or later a phishing artist will likely ask for money to cover expenses, taxes, fees, or something like that. If that happens, then you can bet that it’s a scam.
8. The message makes unrealistic threats Although most of the phishing scams seem to try to trick people into giving up cash or sensitive information by promising the victim instant riches, other phishing artists try to use intimidation to scare the victim into giving up information. If a message makes unrealistic threats then the message is probably a scam. Let me give you an example. About ten years ago, I received a very official looking letter that was allegedly from US Bank. Everything in the letter seemed completely legit except for one thing. The letter said that my account had been compromised and that if I did not submit a form (which asked for my account number) along with two forms of picture ID then my account would be canceled and my assets seized. I’m not a lawyer, but I’m pretty sure that it’s illegal for a bank to close your account and seize your assets simply because you didn’t respond to an email message. The amusing part however, was that the only account that I had with US Bank was a car lease. There were no deposits to seize because I did not have a checking or savings account with the bank.
9. The message appears to be from a government agency Phishing artists who want to use intimidation don’t always pose as a bank. Sometimes phishing artists will send messages claiming to have come from a law enforcement agency, the IRS, the FBI, or just about anything else that could scare the average law abiding citizen. I can’t tell you how government agencies work outside of the United States. In America however, government agencies do not normally use email as the initial point of contact. That isn’t to say that law enforcement and other government agencies do not use email – they do. However, law enforcement agencies follow certain protocols. They do not engage in email-based extortion (at least that hasn’t been my experience).
10. Something just doesn’t look right In Las Vegas casino security teams are taught to look for anything that JDLR (as they call it). The idea is that if something just doesn’t look right, then there is probably a good reason why. This same principle almost always applies to email messages. If you receive a message that seems suspicious then it is usually in your best interest to avoid acting on the message.
Best Practices When you receive any email requesting personally identifiable information, follow these best practices to protect yourself and your company: NEVER reply to an unsolicited email that asks for your personal information, including requests for passwords, Social Insurance Numbers, or requests for credit card information. Remember, the majority of legitimate companies will never request personal information via email. Institutions (your bank or credit card company) would not email you requesting this type of information either.
DON’T click on links directly from emails.
BE WARY of messages with suspicious, misspelled, or awkward language, or that reference non-existent departments like “University Webmail Support” or the “Webmail Messaging Center.”
DELETE messages you confirm or recognize to be phishing attempts from your “Inbox” and your “Deleted Items” folder to avoid accidentally accessing the Web sites within the bogus email.
DO NOT send personally identifiable information, such as passwords, credit card account numbers, and Social Insurance Numbers, through email. Regularly UPDATE and USE antivirus and anti-spyware software, and your firewall.
BE CAUTIOUS about opening any attachments or downloading any files from emails you receive, regardless of who sent them.
Test Your Anti-Phishing Skills