Don't get hooked by a Phish
You get an email from Apple thanking you for your purchase of an app you never heard of. In the body of the email is a link for you to click on for more information about the purchase. Your immediate inclination is to click the link, sign in, and let Apple know in no uncertain terms that you want your money back. Don't do it! It's probably a phishing email, designed to trick you into handing over your log-in credentials.
We've all seen really obvious phishing emails, written in terrible English from some random email address. But almost every day I get an email forwarded to me that looks pretty good, from a client who, wisely, decided to slow down and ask my opinion of the email prior to taking any action. Here's how to look over any email with a critical eye.
Phishers rarely use a real corporate email address - Real emails from real companies will come from the company's domain - the part of the email address that comes after the @ sign. Emails from @apple.com, @microsoft.com or @amazon.com are almost always legit. But phishers often create fake email addresses meant to fool the eye. What comes BEFORE the @ sign means very little. I have seen addresses like [email protected], [email protected], etc. - all fakes.
Sometimes the email address is hidden under a legitimate-looking display name. If that happens, hover your mouse over the display name and it should uncover the true email address.
Some very sophisticated phishers will make fake domains that look very similar to the domain they are spoofing. For example, arnazon.com is not amazon.com - I typed an "r" next to an "n" to make a fake "m". These types of fake domain attacks are more common in the business world, but can be used to fool the general public as well, and can be very hard to spot.
Phishers rely on emotions - almost every phishing attempt has an immediate call to action. Mistaken purchases, accounts that are about to be closed, websites/email addresses that are going to be locked - the phisher is trying to trigger an immediate response, preferably before you think about it too hard. Legitimate businesses just don't work that way - be suspicious of any email that tries to generate a sense of urgency about logging in to a site.
Phishers push you to click on the link in the email (or sometimes download a PDF or other file). Again, a legitimate business will always offer an alternative - they will tell you to go directly to their website, or to call the number on your credit card.
I can tell you that even when I think an email is totally legitimate, I NEVER go to the website by clicking through the email. I always open up a new browser window and go directly to the business website by typing their address.
Yes, much of the junk mail we get is pretty clearly fake. But some phishers are more sophisticated. If you get an email and you are even the slightest bit suspicious, don't hesitate to forward it to me and ask my opinion!