Monday, February 04, 2008

Let's talk about Fish

I receive a lot of junk e-mail which is not surprising considering I have multiple websites with different e-mail addresses on each; I'm an e-mail farmer's dream. It drives me crazy though that other people tend to make simple mistakes in trusting the e-mail they receive and are thus very susceptible to phishing schemes. For those that don't know, a phishing e-mail is one whose sole purpose is to steal your information by tricking you into entering it at their website. The website usually purports to be a well-known business, but is at an incorrect web address.

I would like to share a single piece of very simple junk mail (a phishing scam) that almost seems legit, and talk about why it's not:

Dear NAVY Federal Credit Union Member,

You have one new message at NAVY Federal Credit Union.

INBOX ( 1 )

From: NAVY Federal Credit Union Customer Service
Date: 02/04/2008
Subject: Navy Account Suspended

In order to read this message please click on the link:

Thank You

NAVY Online Banking Mail Security Team

Copyright © 2008, NAVY Federal Credit Union. All rights reserved.

There are many reasons not to believe this e-mail. For starters, if you don't have an NFCU account it's obviously trash; but let's assume the recipient does in fact have such an account. Overall it may seem fairly normal, as they want you to go to the website to see your message, as many legitimate bank e-mails also require. Another flag may be the fact that it claims your account is suspended, which is a common trick of phishing e-mails, as they want to grab your attention in such a way that you click out of fear or worry.

Yet another flag is the website address. I think regular e-mail users highly underestimate the importance of the website address and what it can tell you. There are many clues in that line alone that it is not a legitimate e-mail: the website is not the one you would expect, with instead of; the address includes "upload" and "files"; and the last folder is "navy". The combination of these address facts should clue you in that the website will probably be designed to look like the NFCU website but will not be real!

Of course this particular e-mail was particularly bad as the address is obvious in the text. Often the website address that shows up in the e-mail (if it is rich text or HTML e-mail) will be different than where the link actually goes; think of this as putting a "click here" message that links to a website. Thus you should always go to the website of the business that is supposedly contacting you by googling for their website, finding the website via your bookmarks, or using a website address you otherwise know to be correct. If everyone did this, phishing schemes would completely fail!
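As an added illustration (this is not from the original post), here is a small Python checker for the address clues discussed above: whether the link's real host belongs to the institution you expect, whether a displayed web address differs from where the link actually goes, and whether the path contains folders like "upload" or "files". The sample HTML e-mail and the expected domain "example-bank.test" are constructed stand-ins, not real addresses.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample in the style of the e-mail quoted above: the first link shows a
# bank-looking address but really points at a free-hosting "upload/files/navy" folder.
SAMPLE_EMAIL = """<p>In order to read this message please click on the link:</p>
<a href="http://free-hosting.example/upload/files/navy/login.php">http://online.example-bank.test/inbox</a>
<a href="http://online.example-bank.test/help">Help</a>"""

EXPECTED_DOMAIN = "example-bank.test"          # assumed stand-in for the real institution's domain
SUSPICIOUS_PATH_PARTS = {"upload", "files"}    # folder names the post calls out as red flags


class LinkCollector(HTMLParser):
    """Collect (href, displayed text) pairs for every <a> tag in an HTML e-mail."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def belongs_to(host, domain):
    return host == domain or host.endswith("." + domain)


def check_link(href, text, expected_domain=EXPECTED_DOMAIN):
    """Return the list of red flags raised by one link (empty list means nothing suspicious)."""
    flags, target = [], host_of(href)
    if not belongs_to(target, expected_domain):
        flags.append("host-mismatch")                   # not the site you would expect
    shown = host_of(text) if text.startswith(("http://", "https://")) else ""
    if shown and shown != target:
        flags.append("display-href-mismatch")           # "click here" text vs. real destination
    parts = {p.lower() for p in urlparse(href).path.split("/") if p}
    if parts & SUSPICIOUS_PATH_PARTS:
        flags.append("suspicious-path")                 # "upload", "files" folders in the address
    return flags


def scan_email(html, expected_domain=EXPECTED_DOMAIN):
    parser = LinkCollector()
    parser.feed(html)
    return [(href, check_link(href, text, expected_domain)) for href, text in parser.links]
```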

If you want examples of some of these other situations and some more basic tips, try Recognizing Phishing Scams, by Microsoft.
