Published: Mar 10, 2005
By: Scott Spanbauer
I love the Toshiba laptop I bought last year. I keep just about everything related to work, school, and my finances on it. So when I received an e-mail from Toshiba warning that my model may have a data-threatening memory defect, I was anxious to find out whether my machine was affected. A link in the message took me to a Toshiba Web page, which promised to download a utility to my PC that would check for a defective memory module. All I had to do was click one button.
But just as I was about to click that button, a doubt bubbled up from the depths of my digital credulity. Could the whole thing be a scam? Was I about to download and install a Trojan horse, backdoor program, or worm? As it turned out, it wasn't a trick: Toshiba really did send out an e-mail containing an embedded link leading to an executable file download located at a long, complex Web address. Trouble is, phishing exploits, browser hijackers, and other online scams often hook their victims by using similar-looking e-mail messages.
Fortunately, you can learn to spot these e-mail cons and phishing scams by using a handful of investigative techniques and a boatload of common sense. Here are some of the ways to tell a genuine message from a bogus one.
Phishing Scam Technique #1: Don't Take the Bait
If you keep just this one thing in mind, you'll protect yourself from the majority of e-mail attacks: Assume any message could be malicious. It matters not who the sender appears to be, or whether the message's corporate logos, artwork, and embedded links look authentic. It's a trivial matter for scam artists to create fake messages that contain return addresses, images, and URLs lifted from the real company's own Web site.
Next, use your newfound paranoia to examine messages critically. If you don't have an account with Citibank, for example, the company won't be sending you any account-related e-mail. But even messages that appear to come from firms you have an account with may not be real. Remember, your new motto is "Trust No One."
Before clicking a link or taking any action requested in a message, determine for certain that the message is genuine. Return addresses, embedded links, and images can be deceiving. Look for dire warnings and other classic con techniques, undoubtedly accompanied by a link to a bogus Web site where you'll be asked to enter personal information.
Legitimate e-mails and phishing scams can look very much alike. Both may be text-based, reasonably well written, and plausible (although phishing messages often contain typos and poorly composed sentences with questionable logic). Both also contain real addresses to each company's Web site. The only difference is that, for example, a faux-Citibank message also may have a link to a short-lived phishing site where the unsuspecting visitor is asked to enter personal information. Rather than providing a link to a specific page, genuine messages from companies that are savvy to phishing and other online fraud will generally instruct you to visit or log in to the company's main Web site.
Another clue: A phishing message may be delivered to an e-mail address that you don't use with that company or institution. Note that I've received phishing messages at a widely publicized (and indexed) address (firstname.lastname@example.org), whereas a genuine PayPal message came to my personal address, which I had previously verified with PayPal. If you get a message at an address you never registered with the company, it's fake.
Phishing Scam Technique #2: Know Your Links
Intuition and a suspicious nature are a good start, but to separate real messages from bogus ones, you also need to decipher their Web addresses. In a couple text-based messages I received, all addresses were plain text, so what I clicked was what I got. Clicking "https://www.paypal.com" took me to the real PayPal Web site. But clicking "22.214.171.124/signin/citifi/scripts/login2/index.html" didn't exactly lead to a Citibank Web site.
One clue is the string of numbers following the URL prefix "http://". Every Web site resides at a specific Internet Protocol address, so, for example, you can get to the PCWorld.com site by typing 126.96.36.199 in your browser's address bar instead of www.pcworld.com. However, "188.8.131.52" doesn't lead to the Citibank Web site, even though the rest of the address looks like other links you may routinely click. The only way you can be sure to reach the real Citibank site is to type the domain-name-based URL www.citibank.com into your browser's address window manually. (And once you do, be sure to click the Consumer Alert link that describes these fraudulent e-mail messages.) If you're not sure where an IP address leads, don't click it.
Substituting a numeric IP address for a domain name in a URL isn't the only way a malicious message will try to trick you. The address "www.citibank.com" is the real deal, but "www.citibank.phishing.com" could lead anywhere. Every domain name ends with a top-level domain, such as.com.org.edu, or a country-specific TLD such as.cn (China).uk (United Kingdom), or.ru (Russia). The word just to the left of this TLD, together with the TLD portion, spells out the actual domain name: "citibank.com", for example, is all it takes to get to Citibank's site. When a phisher modifies a domain name slightly, or inserts a word to the left of the TLD, the link changes. Phishers hope that you won't know or notice the difference between "pcworld.com" and "pcworld-gotcha.com" or "pcworld.phishing.com."
E-mail Phishing attacks can also use the HTML formatting to conceal the true destination of links. If a message is composed using HTML, the underlined link text may not be the same as the actual embedded link. This was true of the e-mail I received from Toshiba and was one reason I became suspicious of its origin. Most e-mail programs display an embedded link's destination URL in the bottom status bar or in a pop-up window when you hover the mouse pointer over it.
Phishing Scam Technique #3: The Safe Way to a Site
I needed to find out whether the message from Toshiba was genuine; if it was, I would have to test my beloved laptop for a faulty memory module. First I entered a likely Toshiba site URL--"toshiba.com"--into my browser's address bar; this move transported me to a global Toshiba site.
After rummaging around awhile, I finally stumbled upon a Web page describing the same issues noted in the Toshiba e-mail, and using the same URLs. Voila! I had my confirmation--the Toshiba e-mail was truly legitimate. But I still never clicked the message's embedded link, going instead through the link on the company's Web site. You can never be too careful.Tagged:
phishing, email security, identity theft