Phishing: Email Scams
Identity theft information is contained on three pages:
- Identity Theft: obtaining information by deceit
- Phone Fraud: scamming by phone
- Phishing: email scams (this page)
The information on this page was written with computers in mind, but most of the warnings also apply to mobile devices (smart phones and tablets).
Phishing: Obtaining Information by Deceit
Phishing is a form of spam intended to obtain financial and personal information by deceit.
Phishing is sending emails or other electronic communications to fraudulently or unlawfully induce recipients to reveal personal or sensitive information, such as passwords, dates of birth, Social Security Numbers, passport numbers, credit card information, financial information, or other sensitive information, or to gain access to accounts or records, exfiltration of documents or other sensitive information, payment and/or financial benefit. — Microsoft
- It takes advantage of vulnerabilities in some browsers and email programs but depends even more upon people's ignorance.
- The intent is to steal your on-line identity — a crime commonly referred to as identity theft.
- The information gained will be used to gain unauthorized access to your existing accounts or to establish new ones. Crimes may be committed in your name and your reputation may be destroyed.
Phone and email scams have a lot in common.
The magic sauce, as it were, is in the way phishing attacks are branded. Attackers are doing their homework by researching targets on social media, message boards, media reports, and other online sources to find hyperspecific ways to manipulate human nature and emotions. They use people's fears, their sense of urgency or curiosity, or their need for reward, validation, or an entertaining distraction. — Menlo Security
[M]any scams are highly orchestrated endeavors, made up of lots of psychological ploys that might just hit an otherwise intelligent individual at a personal low point in time. — ZoneAlarm Blog
- Is it real or not? How to spot phishing emails.
- Watch out for these subject lines in email phishing attacks.
- 4 tips to keep you safe from timeless scams.
- These are the most common techniques used to attack your PC.
Report Identity Theft
If you have been a victim of identity theft (or suspect you have), contact the police to report identity theft.
Don't let embarrassment keep you from talking to the authorities. If you were the only victim, identity theft would not be a growing problem.
The sooner you report the potential identity theft, the sooner you can begin to resolve the issue.
A staggering 91% of cybercrime starts with email, according to a 2018 report by security firm FireEye. — CSO
Fraudulent emails are called phishing (pronounced “fishing”) emails. When the email is personalized to target an individual using specific accurate information, it is called spear phishing.
Stop and Think Before Acting
The phishing email is designed to get you to act impulsively, without thinking. Remember to STOP and think before you click or connect.
How to protect against scam emails — Acronis
- Do not panic. Do not get scared by the crooks. They do not know you, nor do they have access to your computer. It is a classic scare technique. Try to ignore it, even if it sounds disturbing.
- Do not pay. Once you've paid money, you will not get it back. Instead, you might be attacked more frequently since you've shown the attacker that you are a profitable target.
- Use strong passwords. Use unique strong passwords for different services. If possible, enable multi-factor authentication in order to increase security. A password manager can help you remember all these different passwords.
- Awareness-training programs. As an organization, you should implement an awareness-training program for your employees. Also, make sure that your employees know how to report such scam emails to your IT department.
- Update all relevant systems. Ensure that all your systems are up-to-date and that you are using a comprehensive security solution that can automatically protect you from the newest cyberattacks.
Ignorance is Your Downfall
Your ignorance is your downfall. Learn the signs you're being scammed:
“Your Computer Hacked”
A relatively recent form of phishing attack is a sextortion blackmail email that claims to have hacked your computer and demands payment (in bitcoins, of course) to keep your secrets.
Here's some of the text from an example:
I have bad news for you. I hacked into your operating system and obtained full access to your account [your email address]. After that, I made a full backup of your disk (I have all your address book, view site history, all files, phone numbers and addresses of all your contacts).
I took a screenshot of the intimate website where you are satisfied (Do you understand what I mean?). After that, I made a video of your pleasure (using the camera of your device). It turned out beautiful! I firmly believe that you would not want to show these photos to your parents, friends or colleagues. I think 300 € is a very small sum for my silence.
P.S. I guarantee that I will not disturb you after the payment because you are not my only victim. It's a code of honor for hackers.
Passwords as “Evidence”
Often they'll include a password obtained from a security breach (hopefully, you changed all your passwords afterwards).
[I]t is often the case that the scammers have no such evidence of the user's activity; they are just bluffing to get the user to pay the ransom. A password can be bought for a few dollars on the dark web, and scammers are often clever in how they present the little information they have. — ZoneAlarm Security Blog
Unfortunately, in the modern age, data breaches are common and massive sets of passwords make their way to the criminal corners of the Internet. Scammers likely obtained such a list for the express purpose of including a kernel of truth in an otherwise boilerplate mass email. — EFF
Tighten Your Security
If the language is quite generic and without details, I suggest you ignore the threats. However, you should do a security audit to ensure your system is secure rather than paying a scam artist.
Learn more about how to deal with phishing attempts.
The email may appear to come from someone you can trust, but it is a scammer looking to steal from you.
The spear phisher thrives on familiarity. He knows your name, your email address, and at least a little about you. The salutation on the email message is likely to be personalized: "Hi Bob" instead of "Dear Sir." The email may make reference to a "mutual friend." Or to a recent online purchase you've made. Because the email seems to come from someone you know, you may be less vigilant and give them the information they ask for. And when it's a company you know asking for urgent action, you may be tempted to act before thinking.
These messages often have short deadlines or are made to appear urgent in their nature. The more you analyze the message, the more likely you're able to see through the deception.
- Don't take the bait! is an excellent video about phishing from the Bank of Montreal (it requires Adobe Flash Player, a vulnerable plugin).
- How to protect against phishing scams.
Looks Can Be Deceiving
Phishing involves convincing you that you're seeing information from a legitimate source when you're not.
Phishing emails are designed to look like legitimate messages from actual banks, businesses, and other organizations. In reality, though, criminals created the message, usually in an effort to steal your money, identity, or both. They want you to click links that will take you to a website that looks authentic but is really just there to capture your credit card or other personal information or perhaps to distribute malware. — ZoneAlarm Security Blog
These are some excellent resources on dealing with phishing attempts:
- Sextortion: All you need to know.
- Sextortion scam: What to do if you get the latest phishing spam demanding Bitcoin.
- 6 tips to avoid phishing attacks.
- 7 ways to spot a phishing scam.
- Hacked emails: Get protected before and after.
- Several excellent older posts have been removed. Check the current listings.
I use AntispamSniper, an excellent third-party antispam tool, with The Bat!. They have some excellent suggestions on identifying and avoiding phishing attacks.
Identity Theft is a Long-Term Problem
If you are the victim of identity theft, you can expect to fight to regain your credit rating for years — over and over again.
Victims report that it takes months or years to regain their credit rating, only to find that a new report forces them to start all over again.
Keep Paper Files
While electronic data can quickly get you into trouble, financial institutions want physical (on paper) evidence that you're not responsible.
How Phishing Works
Going on a Phishing Expedition
Becoming a victim is easier than you might think. Let's have a look at the process from the perpetrator's point of view.
Remember, YOU are the intended victim of this trap.
Step One: Create a Fake Website
The first step is to set up a look-alike site that closely resembles a site that your victims are already using or could be using. The company's logo and other trademarked images are used to convey authenticity. (See the section on abusing transfer of trust.)
Proprietary Images Can be Hijacked
The “Google Docs” image (shown beside this text) was captured from a fake website several years ago. Phishing technology has improved a great deal since then.
I've seen a similar layout embedded into an email (one of the reasons you DON'T want to allow your email program to automatically download images).
Don't follow a website (or email) link to log into Yahoo!, Gmail, Windows Live, AOL or other email account. The email may simply use fake links to take you to their bogus site. Always use an address included in a legitimate source like a paper invoice or account statement.
The message could exploit a bank (most have been targeted), Google Docs, eBay, PayPal or any site where you conduct business using a credit card or that is protected with a user name (usually your email address) plus a password. Only your password is unique in this combination.
You should NEVER log into sites using your Facebook or Google account except when logging into those accounts.
While convenient (it avoids creating a new account) it provides that site with a great deal of information about you including your interactions on the Facebook or Google login account. Use a password program like LastPass instead to generate and track logins.
What Happens When You Click on Fake Links?
When you click on these links and enter the requested login information, you are giving thieves access to your real account(s).
They probably will change the password to lock you out of your own accounts.
If it is your email account, that account is a key recovery mechanism for your other accounts. The scammer would soon control your social media and other accounts linked to it. All they have to do is click on the “forgot password” link on the various sites then check your email account for the recovery information or links. Even the warning would be sent to the hackers.
Step Two: Send Out an Email
Next, send an email message to thousands of potential victims (like you) indicating that there is a problem with their account, or that their account will be closed unless they go to the website and re-enter personal information, including their user name and password (or bank PIN).
Most such messages indicate that you must act quickly or your account will be closed. They don't want you taking time to think about it or contact the actual company where the account is located, do they?
Legitimate businesses will never ask for personal or account information via email and shouldn't over the phone if the business placed the call.
This message was sent to Islandnet.com customers a number of years ago:
We would like to inform you that we are currently carrying out scheduled maintenance and upgrade of our account service and as a result of this your accounts have to be upgraded.
We are sorry for any inconvenience caused.
To maintain your account you must reply to this email immediately and enter the information below:
Failure to do this within 72 hours will immediately render your account deactivated from our database.
The headers show that the message did NOT come from Islandnet:
From [email protected] Tue, 17Aug 2010 4:33:41 -0700 (PDT)
From: "Islandnet.com::Index" <[email protected]>
Return-path: <[email protected]>
Envelope-to: [address removed]@islandnet.com
Islandnet.com would never send out such a message nor would they use the [email protected] address.
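The comparison made above can be automated. The following is an added example, not part of the original page: it uses Python's standard email module on a constructed message to report when the address domains in From, Return-Path and Reply-To do not match the company the message claims to come from. Every address and domain in it is a made-up placeholder, and checking Reply-To is an assumption based on the scam asking for a reply.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message: every address and domain is a placeholder.
SAMPLE = """\
Return-Path: <webmaster@bulk-mailer.example>
Envelope-to: customer@isp.example
From: "isp.example::Index" <webmaster@bulk-mailer.example>
Reply-To: account-upgrade@freemail.example
Subject: Account upgrade
Date: Tue, 17 Aug 2010 04:33:41 -0700

To maintain your account you must reply to this email immediately.
"""

# Matches anything shaped like a domain name inside free text.
DOMAIN_RE = re.compile(r"[a-z0-9-]+(?:\.[a-z0-9-]+)+")


def domain_of(header_value):
    """Lowercased domain of the address in a header value, or ''."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def related(a, b):
    """True when the domains are equal or one is a subdomain of the other."""
    return a == b or a.endswith("." + b) or b.endswith("." + a)


def header_findings(raw_message, claimed_domain):
    """List the ways the headers disagree with the claimed sender domain."""
    msg = message_from_string(raw_message)
    display_name, _ = parseaddr(msg.get("From", ""))
    from_domain = domain_of(msg.get("From"))
    if not from_domain:
        return ["From header has no usable address"]

    findings = []
    if not related(from_domain, claimed_domain):
        findings.append(f"From address is at {from_domain}, not {claimed_domain}")

    # The display name is free text chosen by the sender, so a company
    # domain shown there proves nothing about the real address.
    for shown in DOMAIN_RE.findall(display_name.lower()):
        if not related(shown, from_domain):
            findings.append(
                f"display name shows {shown} but the address is at {from_domain}"
            )

    # Bounces and replies routed to another domain are a further warning.
    for header in ("Return-Path", "Reply-To"):
        domain = domain_of(msg.get(header))
        if domain and not related(domain, from_domain):
            findings.append(f"{header} is at {domain}, From is at {from_domain}")
    return findings


if __name__ == "__main__":
    for finding in header_findings(SAMPLE, "isp.example"):
        print("WARNING:", finding)
```

An empty result is not proof that a message is genuine, because these headers can be forged.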
How to Read Message Headers
- How to view message headers on various email providers from Google help.
Scammers Getting Smarter
You can't count on identifying spam by the email sender's address. Scammers often know how to forge headers to make it appear to come from a legitimate company.
Recently I've noticed that spam with the same message seems to come from a different email address every time (probably the same scammer using stolen addresses).
According to Symantec's 2015 Website Security Threat Report Part I, it costs as little as $0.50 to $10 per 1,000 stolen email addresses on the black market — a testimony as to the poor quality passwords many folks use and how easy it is to obtain them.
The Anatomy of an Email Scam
Don't get hooked.
HTML Email Hides Details
One of the dangers of "enhanced" or HTML email is that stuff can be hidden. See How to unmask fake links.
Firefox security features help you avoid problems with invalid or insecure sites. Other browsers may have these features, but Firefox is the only major independent browser.
Step Three: Collect the Information
The victim (you) clicks on the link and finds themselves on what they believe to be the correct site (remember, the perpetrator has created the site to look like the original), so they enter their user name or email address and password.
Of course, this information is not going where you think it is — you're sending it directly to thieves.
Step Four: Assume Your Identity
Taking your electronic identity (which you've just provided to them on the phishing site), the thieves go to the real site (such as your bank) and log into your account.
The information obtained in this manner is then used to either obtain funds from your account or to set up credit in your name.
The example above is designed to lure you into providing account information and/or to visit a bogus website where you'll enter that information.
The URGENT Help Request
A message can also be designed to get you to send money via Western Union or some other method.
This sort of email will seem to come from a friend or family member that needs you to send them money to help them pay their hotel bill and get home because they've suffered some sort of accident or are the victim of a crime.
The sender hopes you reply with financial details so they can collect the funds themselves.
Stop and Examine the Email
Their goal is to get you to respond quickly before you can think too hard about the claims in the message. Beware of these signals:
- The sender indicates they are out of contact but in dire need.
- Watch for any attempt to get your user name and password such as a response form embedded in the email message itself. Would the sender be able to generate such a form, even if it were legitimate?
- Attached files are suspect (most contain scripts that will infect your computer).
- Altered or unusual links in the body of the message or its attachments.
- The presence of official looking logos attached to the message (most companies now use images hosted on their server).
The details in the email are usually general in nature. Some information may be accurate but the scammer doesn't know you as well as the real person does.
How Did They Manage to Contact You?
Ask yourself how the sender was able to email you when they have no cash, credit cards or cell phone?
- A genuine victim could have resolved their issues with a call to the credit card company.
- The hotel would have obtained a copy of a guest's credit card when the reservation was made (and verified it when the person checked in).
- The airline could re-issue a lost or stolen ticket.
- Emergency passports can be re-issued by embassies everywhere.
Fake Emails Getting Better
Recent phishing email scams are harder to detect. Scammers are improving their techniques as well as their grammar and they employ spear phishing techniques to make the message more believable.
[P]hishing messages only seem to be getting savvier and more authentic-looking, fooling even seasoned experts. Gone are the days when obvious misspellings and grammatical errors provide a dead giveaway that shenanigans are at play. — Trustwave Blog
Unmasking Fake Links
One of the methods commonly used to scam people is fake links in email messages.
Fake links drive unsuspecting traffic to websites that:
- generate revenue for the scammers via pay-per-click ads or similar revenue generators; or
- pretend to be a legitimate site like a bank (in order to steal account information); or
- infect visitors' computers with malware (turning each computer into part of a botnet that attacks legitimate sites or attempts to infect other computers).
Where Does That Link Go?
Would you click on links like the following?
Of course not.
Those looking to steal your identity aren't going to unmask themselves. They tell you the link points to something that takes advantage of your curiosity or greed.
You can't trust the linked text to tell you where the links actually go.
Links Have Two Components
Hyperlinks on a website (and in an email) have at least two components:
- the linked text (what you see highlighted in the link); and
- the hyperlink (the actual address where you are being sent).
Only the hyperlink itself (the hidden part) determines where the link sends you.
Just as placing a Mercedes license holder onto a Ford doesn't turn it into a Mercedes, a misleading description doesn't change the link's destination.
Not All Links are What they Appear to Be
Take a look at the following link and then see where it leads you (a new window opens):
Using the Status Bar
If you hover over the link and look in the status bar at the bottom of the program (some browsers show the hyperlink address in a small box above or below the link itself) you can tell the destination without clicking the link (and potentially getting yourself into trouble).
Just because the linked text says it is pointing towards a particular address doesn't mean that is the real destination.
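The same check that hovering performs by eye can be run over the HTML of a message. The following is an added example, not part of the original page: it pulls the two components out of every link in a constructed HTML email body and flags links whose visible text names one host while the hyperlink goes to another. All hosts and addresses in the sample are placeholders.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample HTML email body; every host is a placeholder.
SAMPLE_HTML = """
<p>Dear customer, <a href="http://login.bank.example.attacker.test/verify">
https://www.bank.example/login</a></p>
<p><a href="https://www.bank.example/help">www.bank.example/help</a></p>
<p><a href="http://203.0.113.7/prize"><b>Claim your reward</b></a></p>
"""

# Visible text that itself looks like a web address.
URL_LIKE = re.compile(r"^(https?://)?[\w-]+(\.[\w-]+)+(/\S*)?$", re.I)


class LinkCollector(HTMLParser):
    """Collect (hyperlink, linked text) for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            text = " ".join("".join(self._text).split())
            self.links.append((self._href, text))
            self._href = None


def host_of(url):
    """Lowercased host of a URL, or '' when it has none."""
    try:
        return (urlsplit(url.strip()).hostname or "").lower()
    except ValueError:
        return ""


def strip_www(host):
    return host[4:] if host.startswith("www.") else host


def check_links(html):
    """Compare what each link shows with where it really goes."""
    parser = LinkCollector()
    parser.feed(html)
    results = []
    for href, text in parser.links:
        real = host_of(href)
        shown = ""
        if URL_LIKE.match(text):
            shown = host_of(text if "://" in text else "http://" + text)
        if not shown:
            verdict = "text-only"  # nothing to compare; read href_host
        elif strip_www(shown) == strip_www(real):
            verdict = "match"
        else:
            verdict = "MISMATCH"
        results.append({"text": text, "shown_host": shown,
                        "href_host": real, "verdict": verdict})
    return results


if __name__ == "__main__":
    for link in check_links(SAMPLE_HTML):
        print(f"{link['verdict']:9} shows {link['text']!r} -> goes to {link['href_host']}")
```

In the first sample link the real host merely begins with the bank's name; the part that counts is the end of the host name, which is why the full hyperlink has to be read and not just its first few characters.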
Learning More of the Mechanics
If you are interested in the mechanics of this process, have a look at Cut 'N Paste HTML Editing. It gives some simple HTML lessons and demonstrates how HTML links work.
Short Links (URLs)
Shortened links (web addresses or URLs) are common in Twitter messages because 140 characters doesn't allow for long complex links.
These are also useful in emails where very long and complex links can be broken when the line is wrapped by your email program.
Unmasking Shortened URLs
You can unmask the destination of these links before visiting the site. Paste the address into your browser's address bar with the changes noted below, then hit enter:
- Add preview before a TinyURL address (preview.tinyurl.com/c7b7ybm).
- Add a + after a Bitly address (bitly.com/16M0Io3+).
You're taken to TinyURL or Bitly with information showing about the true (full) destination for the shortened link. In these examples, all shortened links point back to this page.
Other Link Shorteners
If you're unable to determine the destination, I recommend using Redirect Tracker to check any short or affiliate URL (bit.ly, goo.gl, etc.) to see where it goes.
Shortened URLs are seldom needed in an email except where the length of a complex address wraps in the email window, potentially causing the link to break.
Phishing emails commonly use these to obfuscate the link destination. Emails containing the promise of a financial reward or similar click bait messages should be checked out carefully or ignored if you're unable to verify the destination.
I received a suspicious email (supposedly from “Costco”) with a shortened link. Redirect Tracker revealed that the unmasked destination address was being redirected twice from the obfuscated address:
This is not a good sign, especially since “zharerewards” is an obvious misspelling of sharerewards.
Shortened URLs have security and other issues.
- Destination unknown: shortened URLs and your security.
- Short URLs considered harmful for cloud services (or PDF version).
How Can a Fake Site Exist?
First of all, people that set these fake sites up and send out the phishing emails wish to remain anonymous. They are breaking the law and don't want you (or the police) to be able to find them after they steal your identity.
The provided links are only up for a short time before they are removed by the owners of the site affected or by the legal authorities.
Forged links often point to a site in an educational institution where passwords and access are easy to come by.
By their very nature, universities house a lot of smart and curious people. Smart as they are, too many don't view the issue of security as their problem. Because of a few people's lax attitudes, many will suffer significant financial setbacks.
Delete Attached Forms
More recent phishing attempts have provided an attachment to their messages which, when opened, replaces the fake site with a form which accomplishes the same nefarious purpose — to get your information using deception. Don't be fooled. An unexpected attached form (or PDF or Zip file) is likely an attempt at identity theft. Even .DOCX and other Microsoft Office documents can be dangerous.
Configuring Your Software to Protect You
Whatever choices you make with your software, you'll want to take advantage of some advanced (and often hidden) features:
- Ensure that you can see the hints when your mouse hovers over a link or other hot spots on your browser.
- Use stronger passwords. There are complex online password generators as well as software to help remember more complex passwords. I strongly recommend LastPass password manager.
- Only shop on encrypted websites — prefixed with https:// and a padlock symbol in the address bar. Unencrypted sites are more vulnerable to being hacked.
- Learn how to view the headers in an email message (sidebar), and know the signs of a risky message (read this page completely as phone and email scams have a lot in common).
- Ensure your security software is current and updated daily.
- Windows users should ensure that all critical Windows Updates are installed, including the latest service pack. Mac and Linux users need to be vigilant in updating. While infections are not as common, they are vulnerable.
- Ensure your browser and email software are current and updated.
- Stop using and uninstall software that is no longer actively supported or maintained.
Advanced features are often hidden to provide for a cleaner, simpler look. Remember, software vendors don't have to pay to clean up problems caused by the shortcomings in their products or within optional downloads installed at the same time as their own product.
If you need help determining how to configure your software and security protection, contact someone knowledgeable. Be careful when selecting your “expert” helper (especially if they call you). Remember, you're putting your trust in this person.
I provide these services, but only in Greater Victoria (located on the west coast of Canada).
Get Help From Your ISP
Use whatever tools your ISP makes available to identify potential spam, phishing and other problematic email messages. Check your ISP's help or support website or call their help line.
I strongly recommend hosting with Islandhosting.com.
They specialize in website hosting and can provide personal support when you need it. Their friendly, knowledgeable staff can deal with most email programs and services. Unlike some major ISPs, you're dealing with a real person that is knowledgeable, not someone overseas with a script in front of them.
Transfer of Trust
A successful phishing scheme, like any con, depends upon gaining your trust.
They'll use your trust of your financial institution, major vendor (e.g. Microsoft) or other authority (CRA, CRTC, FBI, phone company, etc.). They know that if you believe they are who they say they are, then you'll be more likely to follow their instructions.
Your trust in the caller, web page or link is only because it appears to be from someone you know and trust.
The Internet Can Be Exploited
The original Internet was used only by scientists exchanging data. There was no need for high security.
But this has changed. The Web is used for e-commerce, personal transactions and more.
Browsers and enhanced (HTML) email messages can be exploited, particularly if you don't understand the language (HTML markup) and therefore can't protect yourself.
Preventing Successful Phishing
There are a number of things that you can use to avoid being the victim of this type of attack:
- Be wary of any threats to close your account especially emailed notices. Requests for account information or passwords are NEVER legitimate.
- Be wary when using public computers. Your passwords, accounts and personal information can be retained by the browser's cache for later retrieval by anyone with access to that computer.
- Do not use open or untrusted secured wireless networks such as those at coffee shops and other public networks. Someone can be "listening in" on the transaction and obtain your user ID and password.
- Do not trust information emailed to you including any links to sites.
- Do not trust information on an unknown website.
- Keyloggers can capture private information on any computer.
Always use trusted sources to obtain the telephone number or website address to contact any site requiring personal information or a password. Google is not necessarily that trusted source, especially if you click on the sponsored links.