Spotting Phishing Scams: Dealing With Fake E-mails

[Sarah81 0]

Phishing e-mails can look so authentic that we don't even realize we've just followed a fake link and have given credit card or other sensitive information to some crook.These scam mails are becoming more popular. I've received two in less than two weeks claiming to be from PayPal's customer service department. The gist of the e-mails was that I needed to click on links within the messages so that I could log into my PayPal account, which is linked to my bank account, and view some questionable credit-card activity. In other words: the senders were trying to scare me into following the links without thinking about what I was doing.The main problem is that a lot of phishing e-mails look VERY authentic. The crooks duplicate from real e-mails from the real Web sites so that there is no difference in appearance between the real and the fake. The clickable links in the fake messages take you to what looks like the company's real Web site, but isn't. You're giving out sensitive information to the wrong people, and you don't even know it until you've been ripped off.The e-mails that I received from "PayPal" (in quotes because they turned out to be fake, as PayPal confirmed after I forwarded the e-mails to their abuse department), looked just like messages I would really receive from the company. The reply address was correct. The clickable links looked VERY similar to the URL that I would see if I went to the real PayPal site. But you can figure it out if you think about what you're doing before you follow links or give login information to Web sites. There are several ways to protect yourself - and none of them require you to download software or do anything special.1. NEVER follow clickable links in e-mail messages. When I received these fake messages, I opened a new browser window and manually typed in PayPal's Web site. Pay attention to what you're typing so that you don't misspell or transpose letters or numbers.2. If you receive an e-mail that you think could be fake, go to the real Web site (using a new browser window, of course) and look for information on how to report abuse. In PayPal's case, it's a "Security" link near the bottom of the main screen. Here I learned that I could forward the messages to PayPal's fraud/abuse e-mail address. (Incidentally: I received replies on the same days that I forwarded the messages. Many companies really want to go after phishing scams, so do your part and report them when they show up in your in-box.)3. When you report a message, be sure to include full headers. This is vital if you want the company to track down the crook. Many phishers can alter the "reply-to" address (which is what you see when you aren't viewing the full headers) so that it looks authentic. However, the full headers include plenty of information that will help the real company trace the e-mails.Look in your e-mail client's "options" or "settings" menu for message header settings. You can always change it back to "abbreviated headers" after you report the fake message. It's okay if you don't understand most of the data that's in the full heading: what's important is that you report all of it to the company's abuse department. 4. Familiarize yourself with the real company's policies and anti-fraud protections. When I went to PayPal's Web site for information about reporting the fake e-mails, I learned that PayPal has several security measures in place to combat phishing. I learned that real e-mails from this company will always greet customers by either our full names or by the business name that we've registered. The phishing e-mails didn't do this, so that's when I knew beyond any doubt that they needed to be reported.5. Use your browser's password-saving features to your advantage. Let's say that you've saved login information for PayPal. If you click on the fake link in the fake e-mail, it won't auto-complete your login details. That's when you know something is wrong and that you need to investigate.Nothing is foolproof, unfortunately, but these tips should make it very, very difficult for phishers to get your information.

Edited November 18, 2005 by szupie (see edit history)