Every since I got tricked by the former Sultan of Nigeriascam, I have begun to treat all emails with an extra dose of suspicion.

“Hi Cap, I have some question on personal finance…” an email would read.

To which I’ll write back, “Nice try Mr. Ex-Sultan, I hope you rot in hell.”

Phishing: A social engineering technique that attempts to fraudulently acquire your sensitive information. These days, they are mostly found in the form of fake email and websites.

Spotting phishing email doesn’t require every day paranoia, but a red flag should always go up when you notice these things in an email:

An obvious phising email

Note: A matching link & URL in status bar doesn’t necessary mean it’s a legitimate email. URL in a status bar can easily be spoofed. Sender’s address can also be spoofed.

The above email is a rather obvious phishing email, but was shown to point out some common trend in phishing email:

  1. A sense of urgency: You better take action fast or your sh*t out of luck!
  2. Threat: Do it or your account will be closed (or some other penalty)!
  3. A Link: Directs you to a spoofed website that looks legitimate.
  4. Requires you to either enter or confirm your personal information.
  5. Poor grammar. They spell and write like Cap of Stop Buying Crap.

Here are some things you should consider when you receive a suspicious email:

  1. Do you do business with the bank or retailer?
  2. Is the email to you or is there a generic greeting? (e.g., Dear XXX Customer)
  3. Do they offer an alternate form of contact such as a phone number?
  4. Does it contain information the company should know? (e.g., last 4 digit of your account #, your user name, etc.)

The trick is that even if all those questions above pan out, it doesn’t necessary mean you’re receiving a legitimate email.

This brings us to Targeted Phishing:

A targeted phishing email may contain your real name, and may be from a bank or retailer that you actually do business with. These phishing email will usually reference to a very specific transaction.

Example:

  1. A confirmation email thanking you for your purchase.
  2. An email notifying you of a specific transaction on your account.
  3. An email from “eBay” giving you a second chance to your recent failed bid.

Distinguishing a legitimate email from targeted email can be difficult, so when you’re in doubt, you should always contact the company directly yourself via a different method than those mentioned in the email.

If the email was regarding your credit card account, call the number on the back of your card. If the email is regarding your bank, find your bank number on your statement and give them a call.

Targeted phishing works especially well because they are often from a familiar source aimed at a specific group of people. These type of emails may not necessary be seeking for your entire personal information, but merely asking for a certain information (such as user name or password) in order to obtain the rest on their own.

When you belong to a social networking site, you should also be wary of emails from the supposed organization asking for any of your information. What may look to be a harmless survey may be an identity thief seeking further information.

Targeted phishing becomes Spear Phishing when they are highly targeted. These are generally aimed at a employees of a specific organization or company. The email may appear to be from a colleague or executive, asking you to either download an attachment or furnish them with certain information.

Just as a regular targeted phishing attack, spear phishing attacks are difficult to spot on a first glance basis, especially when they are highly customized. When in doubt, always contact the the supposed sender via a different channel.

Some General Guideline in Avoiding Phishing:

  1. Do not reply to any emails asking for your personal or financial information. Remember, legitimate companies don’t ask for sensitive information in an email.
  2. Do not download attachment from suspicious or unfamiliar emails.
  3. When in doubt, contact the company yourself directly through familiar channels.
  4. Do not click on links from suspicious email. If you need to login to your account, open a new browser window and type in the URL.
  5. Check the security certificate of the website before you enter any personal information. (Look for the yellow lock icon on the bottom right of your browser and double click on it).

Related Links and Resources