Things You'll Need:
- A little vigilance when looking at unsolicited emails after reading this.
Step 1
Understand what a phishing email is
"Phishing" may be a cute or clever name, but remember what it is: an attempt to steal your money or your online access credentials in order to clean out your bank account. In other words, a thief has sent you an email in an attempt to steal from you. A little information and a little caution are all it takes to avoid falling prey to their schemes.
Step 2
Check the link
Once you get a phishy-looking email (pardon the pun), the link should be the first thing you look at. The way a phisher gets your information is to trick you into entering your credit card details or bank login into a phony site, where they collect the information and either use it themselves or sell it to someone who will.
To do this they provide a link that looks like it goes to your institution's website. Place your mouse on the link (don't click, just hover) and the real destination will generally be revealed at the bottom of your browser (see the picture). If it does not match the link shown in the email, don't use it: someone is trying to steal your money. What matters is the domain, the part of the address after "http://" or "https://" and before the next slash. A link can carry your bank's name and still point somewhere else entirely, so check that the domain is your bank's, not just that its name appears somewhere in the address.
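The hover check can be automated. The script below is an added example, not code from the original article: it pulls every link out of an HTML email body, compares the text you would see with the address the link actually goes to, and checks whether that address belongs to the bank's real domain. The email body, the bank domain bank.example and the look-alike domains are constructed for illustration, and the domain check is a deliberate simplification (last two labels only); a real tool would consult the Public Suffix List.

```python
"""Flag suspicious links in an HTML email body (added example, not the article's code).

For each <a> element: compare the visible text with the real destination
(href), and check whether the destination's domain is the institution's.
All domains below are constructed placeholders (bank.example and friends).
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit


def registered_domain(host: str) -> str:
    """Last two labels of a host name: 'login.bank.example' -> 'bank.example'.

    Simplification for the example: real code should consult the Public
    Suffix List, because names such as 'bank.co.uk' have a two-label suffix.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def destination_host(url: str) -> str:
    """Host a browser would really connect to.

    urlsplit().hostname drops any 'user@' prefix and the port, so a URL like
    'https://www.bank.example@203.0.113.10/' correctly resolves to '203.0.113.10'.
    """
    return (urlsplit(url.strip()).hostname or "").lower()


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a ...>...</a> in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            # Collapse whitespace so multi-line anchor text compares cleanly.
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def check_links(html: str, legit_domain: str) -> list:
    """Return (href, text, reasons) per link; an empty reasons list means clean."""
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        reasons = []
        host = destination_host(href)
        if urlsplit(href.strip()).scheme not in ("http", "https"):
            reasons.append("not a web link")
        if registered_domain(host) != legit_domain:
            reasons.append(f"goes to {host!r}, not {legit_domain}")
        # The classic trick: text that looks like the bank's URL on a link that goes elsewhere.
        if text.startswith(("http://", "https://", "www.")):
            shown = destination_host(text if "://" in text else "http://" + text)
            if shown != host:
                reasons.append(f"shows {shown!r} but goes to {host!r}")
        findings.append((href, text, reasons))
    return findings


# Constructed sample body: a look-alike domain, a genuine link, and the user@host trick.
SAMPLE_HTML = """
<p>Dear Customer, please <a href="http://www.bank.example.verify-login.test/">
https://www.bank.example/login</a> to confirm your identity.</p>
<p>Questions? Visit <a href="https://www.bank.example/help">our help pages</a>.</p>
<p>Secure site: <a href="https://www.bank.example@203.0.113.10/">https://www.bank.example</a></p>
"""

if __name__ == "__main__":
    for href, text, reasons in check_links(SAMPLE_HTML, "bank.example"):
        print("SUSPICIOUS" if reasons else "ok", href, "|", text, "|", "; ".join(reasons))
```

Run against the constructed body, the first and third links are flagged (the first because "www.bank.example" is only a prefix of a host under verify-login.test, the third because everything before the "@" is ignored by the browser and the real host is 203.0.113.10) and the genuine help link passes.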
Step 3
Your name is not used
The thieves trying to steal from you have collected your email address through a number of methods. But what they usually won't have is your real name, and they certainly won't have your account information (that's why they're asking you for it). So phishing emails, as a rule, don't address you by name; "Dear Customer" or "Dear Valued Member" is typical. See Step 8 for how financial institutions use this fact to protect you.
Step 4
Poor English / grammar / spelling
Often the thieves are not from an English-speaking country and English is a second language for them, so their emails are typically poorly worded and contain one (usually many) spelling or grammar errors. In the attached picture I count at least 10 errors. Rest assured, no self-respecting bank will ever send you an email with such poor English and obvious mistakes.
Step 5
From a bank you don't have an account with
This is a dead giveaway. If a bank where you don't have an account tells you to log in and update your account, you know it's a phishing attempt. Such attempts also typically come with a threat of account suspension or cancellation if you don't do what's requested. That's simply more psychological manipulation, called social engineering, aimed at pushing you into giving the thief access to your account.
Step 6
Return-Path doesn't match
Every email carries a set of headers, normally hidden, that mail servers use to route and track the message. One of them is Return-Path: the receiving mail server writes it from the sender address given in the SMTP envelope, and it is where bounces for undeliverable mail are sent. In Outlook Express you can view the headers by right-clicking the email, selecting Properties, then the Details tab; in Outlook, open the message and look for the Internet headers box under its Options or Properties. Return-Path is usually the first entry (see the picture).
In a phishing email the Return-Path typically does not belong to the institution the message claims to come from, though it should. The envelope sender is chosen by whoever sends the message, so this entry can be forged like everything else; in practice phishers usually don't use the victim institution's name there, probably because they don't want bounces going to the real company, which would alert it to the fraudulent activity and allow a quicker reaction to the scam.
If the Return-Path does not match the company the email purports to be from, that's a good indication of a phishing attempt. The reverse is not a guarantee: a matching Return-Path proves nothing on its own, since a phisher who is willing to receive the bounces can set it to anything.
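The comparison in this step can be done in a few lines with Python's standard email parser. This is an added example, not code from the original article: it reads a raw message, takes the domain from the visible From address and from Return-Path, and reports whether they belong to the same organisation. The two raw messages, the bank domain bank.example and the sender hosts are constructed for illustration, and the domain helper is the same last-two-labels simplification as in the link example.

```python
"""Compare Return-Path with the visible From address (added example, not the article's code).

The receiving mail server writes Return-Path from the SMTP envelope sender,
the address that receives bounces. A legitimate bank mailing normally has
both Return-Path and From under the bank's domain; phishing mail usually
does not. The two raw messages below are constructed for illustration and
use only reserved example domains and documentation IP addresses.
"""
import email
from email import policy
from email.utils import parseaddr


def registered_domain(host: str) -> str:
    """Last two labels of a host name (a simplification; use the Public Suffix List in real code)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def address_domain(header_value) -> str:
    """Domain of the first address in a header value, or '' if there is none."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def check_return_path(raw_message: str) -> dict:
    """Report the From and Return-Path domains and whether they line up.

    'aligned' is evidence, not proof: the envelope sender is chosen by whoever
    sends the message, so a phisher can make it match if they accept the bounces.
    """
    msg = email.message_from_string(raw_message, policy=policy.default)
    from_domain = address_domain(msg.get("From"))
    rp_domain = address_domain(msg.get("Return-Path"))
    aligned = bool(rp_domain) and registered_domain(rp_domain) == registered_domain(from_domain)
    return {"from_domain": from_domain, "return_path_domain": rp_domain, "aligned": aligned}


# Constructed phishing sample: From claims the bank, bounces go to a bulk mailer.
PHISH = """\
Return-Path: <bounce-8827@mailer.bulk-sender.test>
Received: from mailer.bulk-sender.test (mailer.bulk-sender.test [203.0.113.7])
  by mx.recipient.example with ESMTP id 3cf7; Thu, 20 Aug 2009 10:00:00 -0400
From: "Bank Security Team" <security@bank.example>
To: <customer@recipient.example>
Subject: Update your account information
Content-Type: text/plain; charset=us-ascii

Your account will be suspended unless you confirm your identity within 24 hours.
"""

# Constructed legitimate sample: bounces go back to the bank's own notification host.
LEGIT = """\
Return-Path: <alerts-bounce@notify.bank.example>
Received: from notify.bank.example (notify.bank.example [198.51.100.12])
  by mx.recipient.example with ESMTP id 3d02; Thu, 20 Aug 2009 11:00:00 -0400
From: "Bank Alerts" <alerts@bank.example>
To: <customer@recipient.example>
Subject: Your August statement is available
Content-Type: text/plain; charset=us-ascii

Dear Jane Smith, the statement for the account ending 4421 is ready. Log in at our site as usual.
"""

if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("legit", LEGIT)):
        print(label, check_return_path(raw))
```

The phishing sample reports a Return-Path domain of mailer.bulk-sender.test against a From domain of bank.example and is not aligned; the legitimate sample is. This From-to-envelope alignment is the same relationship that DMARC checks on a receiving mail server (with SPF validating that the sending server may use the Return-Path domain), which is why much of this work is done for you before the message reaches your inbox, and why a message that arrives with a mismatch deserves the extra suspicion.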
Step 7
Subjects to beware of
Phishing emails tend to use the same kinds of subject lines and pleas to trick you into handing over your account information.
Subjects for the typical attempts run along the following lines:
* Update your account information
* Security enhancement, required to update
* Confirm your identity
The above often come with a warning that if you don't comply your account will be cancelled or suspended.
Step 8
Protection measures: understand how banks are trying to protect you
Banks recognize this issue and they've responded. Three important things they've done:
* Site-verification pictures (often marketed as "dual factor" authentication)
Here you select a picture that the site stores with your profile. On every later login the site shows that picture after you enter your login name but before you enter your password. This lets you verify that you're at the genuine site you think you're at, not just the site verify you: if you selected, for instance, the astronaut picture and you arrive at a site that doesn't display it, you know you're at the wrong site. Strictly speaking this isn't a second factor for your login; it's the site proving something to you, and it has limits. Treat a missing or wrong picture as a definite stop sign, but don't treat the right picture as proof on its own: a phishing page that relays your login name to the real site in real time can fetch and show your picture. Your password still belongs only on a page whose address you've checked.
* Using your Name and partial account number in emails
To prove they already know who you are, that the email was directed to you (and is not spam) and that you hold an account at their institution, some banks include a security section in the email that names the recipient and shows the last four digits of the account number. That is a strong sign the email is legitimate, since phishers generally won't know your name or your account number.
* Concern for your safety in emails
Some banks, aware of the standard advice for protecting against phishing (don't click on links in an email), address it directly: they tell you that if you're concerned about clicking a link in the email, go to their online site yourself and log in. So they show concern for your safety and don't require you to click anything. You'll see no such concern in a phishing email. Instead you'll see every kind of manipulative attempt to get you to click the link.
Comments
sonni57 said
on 8/24/2009 Great tips for protection on phishing emails.
ljbinkop said
on 8/20/2009 There are SOO many scammers out there these days, so thanks for the info!