Beware of Sophisticated Email Phishing
When you think you’ve seen it all — the scammers take it up a notch.
Over the years, I’ve watched how those with nefarious motives have evolved to try and trick email recipients for various reasons. Some want to infect your computer; others want your data, then some want to sell you something.
Phishing has become something most of us are aware exists. But, unfortunately, it is not uncommon to have a company or business let you know when they find out about Phishing emails using their brand to trick others.
But boy, are these guys getting sophisticated. Of course, this requires that you up your game and become even more vigilant, including taking a couple of extra moments to double-check a few things before clicking on anything.
Paying Attention to Email Details
The primary reason people get caught in these phishing nets is that they are not paying attention to details. Details that can indicate that the email is not from who it appears to be or about what they want you to think it is.
When I talk about sophisticated, I mean that these folks are very clever and know what they need to do to fool you. For example, they can make emails look exactly like they are from your bank. Or a company you do business with. Logos, vocabulary, colors, and all.
So if the email looks almost identical to those you are receiving from legitimate sources, how do you identify the fakes?
Underlying Email Address
You can put any address in the email From: field within your email program. You have total control of what is displayed to the person you are sending to.
What displays is not always reflective of the underlying email address. Mouse-over or view the underlying address in the from field to see if it, in fact, is the dot com of the perceived sender.
If that address doesn’t line up with the email content, delete it.
Links that Go Elsewhere
These emails include links and calls to action directing you to a website to login, get details or even sign-up. The link text displayed in the email shields the underlying URL. The same applies to graphical “buttons” or images.
Always mouse over the linked text or button to view what displays in your email program to make sure there is a legitimate URL underneath. And these guys are even good at entering similar URLs at a glance but not the actual URL of the entity they are spoofing.
Let’s use Amazon as an example:
- https://amazon.com — Good
- https://www.amazon.com/ — Good
- https://www.amazon.com/something-after — Good
- https://something-before.amazon.com/z/tc/?l=PV0vY&m=….. — Good
- https://amazon.hoaxdomain.com — BAD
- https://www.hoaxdomain.com/amazon — BAD
A good rule of thumb is that if you do not see the company name directly in front of the .com, you can bet something “phishy” is going on and NOT click the link. Also, be cautious of other domain extensions.
Nowadays, there are tons of TLDs (top-level domains) available. For hobbies, countries and more. With all that rare, does a company use a different TLD in the email links when their primary is .com? One clue of many to take notice of.
Please don’t fall for similar domains that have the company name you are familiar with in them but are not the domain you trust. For example, things like amazonshipsfast.com or orderatamazon.com.
Both of which would be trademark infringement. Anyone using those can expect to hear from Amazon’s legal team as soon as they are made aware. Using trademarked names in domain names can get you in big trouble with the trademark holder, but when do laws stop those trying to pull a fast one?
Targeting Online Sellers
A typical phishing scheme that’s becoming more common is targeting those who sell online. The schemers will send an email saying they are trying to order from your site but are getting errors — click this link to see the screenshot. The link takes you to a nefarious site.
Or you may get an email stating someone would like to do business with you with a link that goes to a document of requirements they are looking for. Here again, be very cautious.
If you don’t know the sender — don’t click. If they want to send you info, ask them to copy-n-paste their requirements in an email to you. No links.
Be Cautious of Strangers
The best advice is not to trust emails from folks you don’t know that just so happen to land in your inbox. If the email address is not recognizable or uses a throwaway account like Gmail, Hotmail, or Yahoo, for example, delete it. Legitimate businesses do not use these services; they use their .com.
Crooks and scammers are counting on you not doing the things I mentioned above as a means to their end. So if something doesn’t seem right or legit, it most likely isn’t.