Phishing Examples

You can probably find many of the following examples in your spam folder right now. Millions of phishing emails, with virtually unlimited variations, are sent every day. Learn the hallmarks of a phishing attempt described below and look for them in every message that asks you to click, log in, or pay.

Email from friends (not really)

It’s easy to “spoof” (forge) the sender’s name in an email; the name you see in the From line is text the sender fills in, and it need not match the address that actually sent the message. Hackers often break into a victim’s email or social media account, copy the contact list, then send phishing emails to everyone in it while posing as the victim. Please don’t fall for it! Look for out-of-character messages, and double-check senders by hovering over the name to see the actual address the email came from.

A response to an email you didn’t send

A widespread phishing scheme is an email that poses as a notice that an email you sent was undeliverable.

This scam works because it seems to be a response to an email you sent. The phishing email almost seems helpful: you sent an email that didn’t get delivered because of a password issue, and here is a simple way to fix the problem. The sender, in this case “exchange.postmaster,” is ambiguous but official-sounding. Scammers can spoof sender names, so don’t trust them. If you hover over (rest your cursor on) the sender’s name, a pop-up window shows the actual sending address, as shown below. In this case, it comes from an email account at a site with the domain “uwe.ac.uk.” Have you ever done business with a company called uwe.ac.uk?

This email came into a Gmail (Google) account. Gmail automatically checked the message and flagged that it does not appear to be a response to any email actually sent from the account, even though it claims to be.

The email wants the recipient to reset a password. But hovering over the Reset button reveals the link’s real address: “expertlaserclinic.com/bureaucracyk.php,” a domain with no connection to the sender or to any mail server.

In short, this email poses as a response to a nonexistent email. By hovering over the sender’s name and the Reset password button (or long-pressing the link on a touch-screen device, since a simple tap would open it), we can see that the sender and the link are a marketing ploy at best and a link to a malware (destructive code) site at worst.
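The checks described above (the real sending address behind the display name, whether a supposed bounce refers to any message you actually sent, and where the Reset button really points) can be applied to the raw message rather than by hovering. The following is an added example, not code from the original page or from any mail provider: a Python script using only the standard library that parses a constructed message modelled on the fake bounce above. The sender domain, the “exchange.postmaster” name, and the reset link are the ones the text names; the remaining headers, the Reply-To address, and the body wording are assumptions for the example. The same sender-domain check applies to the USAA and LinkedIn messages later on this page.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed message modelled on the fake "undeliverable" notice described
# above. Sender domain, display name and link are from the text; the other
# headers and the wording are assumptions for this example.
RAW_MESSAGE = """\
From: "exchange.postmaster" <postmaster@uwe.ac.uk>
To: victim@example.com
Subject: Undeliverable: your message could not be delivered
Reply-To: support@expertlaserclinic.com
Content-Type: text/html; charset=utf-8

<html><body>
<p>Your message was not delivered because of a password problem.</p>
<p><a href="http://expertlaserclinic.com/bureaucracyk.php">Reset password</a></p>
</body></html>
"""

BOUNCE_WORDS = ("undeliverable", "delivery failure", "returned mail", "mail delivery")


class LinkExtractor(HTMLParser):
    """Collect (visible text, href) pairs: what hovering over a link reveals."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def analyze(raw: str) -> dict:
    """Return the hallmarks of a fake bounce found in a raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    sender = msg["From"].addresses[0]
    sender_domain = sender.domain.lower()

    # 1. Display name vs. real address. A display name that itself contains an
    #    address at another domain is a spoof; here it is merely official-sounding.
    display = sender.display_name
    display_spoof = "@" in display and display.rsplit("@", 1)[1].lower() != sender_domain

    # 2. Claims to be a bounce. Genuine delivery status notifications are
    #    multipart/report messages (RFC 3464) that refer to the original message;
    #    a plain HTML mail that merely says "undeliverable" bounced nothing.
    subject = (msg["Subject"] or "").lower()
    looks_like_bounce = any(word in subject for word in BOUNCE_WORDS)
    references_original = bool(msg["In-Reply-To"] or msg["References"])
    fake_bounce = (looks_like_bounce and not references_original
                   and msg.get_content_type() != "multipart/report")

    # 3. Replies silently routed to a third domain.
    reply_to = msg["Reply-To"]
    reply_to_domain = reply_to.addresses[0].domain.lower() if reply_to else sender_domain
    reply_to_mismatch = reply_to_domain != sender_domain

    # 4. Links whose destination is outside the sender's domain: the
    #    "hover over the button" check done on the HTML body.
    body = msg.get_body(preferencelist=("html",))
    extractor = LinkExtractor()
    extractor.feed(body.get_content() if body else "")
    foreign_links = []
    for text, href in extractor.links:
        host = (urlsplit(href).hostname or "").lower()
        if host and host != sender_domain and not host.endswith("." + sender_domain):
            foreign_links.append((text, host))

    return {
        "sender_domain": sender_domain,
        "display_spoof": display_spoof,
        "fake_bounce": fake_bounce,
        "reply_to_mismatch": reply_to_mismatch,
        "foreign_links": foreign_links,
    }


if __name__ == "__main__":
    for key, value in analyze(RAW_MESSAGE).items():
        print(f"{key}: {value}")
```

Run it on a message saved as raw source (most mail clients offer “Show original” or “View source”). For the constructed message it reports the sender domain uwe.ac.uk, a fake bounce, a Reply-To pointing at a different domain, and a Reset password link leading to expertlaserclinic.com.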

The urgent message

Phishing attempts often create a sense of fear or urgency, so you will react quickly and perhaps not heed warning signs. Using fear is a form of social engineering. Some common themes are:

  • Your computer is infected with a virus.
  • Your Social Security account has been hacked.
  • The IRS is about to freeze your account or sue you.
  • Some account, such as Facebook, is about to be permanently blocked, as in the following message:

Messages from businesses you do not do business with

Here is a message that poses as a communication from USAA, a financial services company that caters to military personnel.

Computer bots (automated programs) send these out by the millions every day. Most recipients don’t even have accounts with USAA; the fraud relies on the minority who do and who mistake the email as legitimate. If you hover your pointer over the sender (or long-press the sender’s name on a touchscreen device), you can see the message came from an account at [email protected], as shown below. A genuine message would come from an address ending in “@usaa.com,” and even that is not proof by itself, because the address can be forged too; the links and the request for information are what give the game away.

All financial institutions publish warnings and instructions concerning online theft and fraud. USAA has the following instructions posted on their site:

Remember: We will never ask you for personal information, such as account numbers or passwords. We will not ask you to download software in an email. Do not respond to any email that asks you to update your personal information online or by dialing a telephone number. Use only the customer service numbers listed on usaa.com.

Similar to the warning about clicking links in an email, look up phone numbers yourself rather than relying on the numbers in the email. They may not lead to the company at all.

Your bank and the IRS do not do business via email

Email is not a secure method of communication. No legitimate organization or business will EVER ask you to disclose confidential information in an email. You might get an email notification that your bank has a message for you on their secure website but never a request for personal data to be sent via an email message.

Always carefully check the Internet address (the URL) of the site in your browser’s address bar. Domain names are exact and unique, so look at the part that matters: the registered domain immediately before the first slash, not a familiar name that merely appears somewhere in the address. Scammers will often try to fool you with addresses that are close to or include elements of the actual address, such as the real name placed as a subdomain of a site they control, a digit substituted for a look-alike letter, or a lookalike character from another alphabet.
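To show what “close to or include elements of the actual address” looks like in practice, here is an added example, not code from the original page: a Python function that takes a URL from an email and classifies it against a short, constructed allow-list of domains the user genuinely deals with. It flags a real domain hidden in a subdomain (usaa.com.secure-login.net), the user@ trick (https://usaa.com@evil.net, which takes the browser to evil.net), digit-for-letter swaps (1inkedin.com), and non-ASCII look-alike characters. The allow-list, the homoglyph table, and the two-label registered-domain rule are assumptions for the example; a production tool would use the public suffix list instead of the two-label rule.

```python
from urllib.parse import urlsplit

# Constructed allow-list: the domains this user actually does business with.
# In practice this is what you have bookmarked, not what an email tells you.
LEGIT_DOMAINS = {"usaa.com", "linkedin.com", "redcross.org"}

# Digit-for-letter and letter-pair substitutions seen in look-alike domains.
# Illustrative, not exhaustive.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}


def registered_domain(hostname: str) -> str:
    """The last two labels of a hostname (example.com for www.example.com).
    Naive on purpose: suffixes such as co.uk need a public suffix list."""
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def unskew(name: str) -> str:
    """Undo common homoglyph substitutions so 1inkedin.com compares as linkedin.com."""
    for fake, real in HOMOGLYPHS.items():
        name = name.replace(fake, real)
    return name


def classify_url(url: str) -> str:
    """Classify a URL as ok, lookalike, userinfo-trick, non-ascii, unknown or no-host."""
    if "://" not in url:  # bare "usaa.com/login" as it often appears in mail
        url = "http://" + url
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if not host:
        return "no-host"
    # https://usaa.com@evil.net/ : the browser goes to evil.net; "usaa.com" is a username.
    if parts.username is not None:
        return "userinfo-trick"
    # Unicode look-alikes (Cyrillic а for Latin a) appear as non-ASCII labels.
    if any(ord(ch) > 127 for ch in host):
        return "non-ascii"
    reg = registered_domain(host)
    if reg in LEGIT_DOMAINS:
        return "ok"
    for legit in LEGIT_DOMAINS:
        brand = legit.split(".")[0]
        # usaa.com.secure-login.net, secure-usaa.com, 1inkedin.com, usaa.c0m ...
        if legit in host or brand in unskew(host) or unskew(reg) == legit:
            return "lookalike"
    return "unknown"


if __name__ == "__main__":
    for sample in ("https://www.usaa.com/inet/ent_logon",
                   "http://usaa.com.secure-login.net/",
                   "https://usaa.com@evil.net/login",
                   "https://1inkedin.com/",
                   "https://expertlaserclinic.com/bureaucracyk.php"):
        print(f"{classify_url(sample):15} {sample}")
```

The result is a warning signal, not a verdict: a legitimately related site, such as a charity’s separate donation domain, will also be flagged, which is exactly the situation in which you should type the address yourself rather than follow the link.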

Using current events and disasters

To solicit donations, scammers piggyback on current events such as hurricanes, earthquakes, and pandemics. It takes only a few minutes to create a website or a crowdfunding campaign.

Make sure you are not giving your bank account details and other personal information to a cybercriminal. Be wary of new nonprofit groups that appear just in time to take advantage of the outpouring of donations. Here are some tips for finding legitimate charities:

  • Donate to established charities that you know and trust.
  • Go to your desired charity’s website by typing in the address (such as “redcross.org”) rather than clicking on links in email solicitations.
  • Watch out for new charities that somehow appear in the wake of disasters like Hurricanes Harvey and Irma. Massive disasters provide countless opportunities for fraud.
  • If you are looking for a reputable charity, check them out with services that monitor complaints and tax compliance. Reliable sources of information include the Wise Giving Alliance, Charity Navigator, Charity Watch, and GuideStar.
  • Be wary of email appeals. Check the sender’s address carefully.

Remember that you can designate where you want your money to go, e.g., Hurricane Harvey relief. By law, money you designate for a specific purpose must be used solely for that purpose.

Fake sites and deceptive emails

Websites can be cloned or spoofed, and email messages can include logos, footers, and other elements copied from the real thing to make them seem legitimate. Here are two emails purporting to be from LinkedIn.

It is obvious when compared side-by-side that one message is suspect:

  • The fake message contains grammatical errors. Misspellings and capitalization errors are common in scam messages. The proper name “adam thomas” is not capitalized, while “People You May Know” in the footer is.
  • The fake message comes from someone “@usm.edu.” A real message from LinkedIn comes from “@linkedin.com.”
  • Although not immediately obvious, the LinkedIn street address is incorrect in the scam email.

Misspellings, capitalization errors, and grammatical errors are a glaring warning signal that an email is suspect. Many scams originate overseas with crooks who are not native English speakers. The reverse does not hold, though: a cleanly written message is no proof of legitimacy, so still check the sender address and the links.

Free money!

Not surprisingly, few companies want to bestow money on you out of the blue. That doesn’t stop cybercrooks from sending spam messages announcing that you are a big winner!

Don’t fall for this “Dear Microsoft Esteemed Winner” trap! Notice the request for your personal information that the scammer can then use to try to access your accounts.

Phishing employees

Phishing scams often target businesses. Employees receive an email that appears to come from an actual executive officer requesting confidential information, a tactic known as business email compromise (BEC) or CEO fraud. The request might be for employee data or log-in information (passwords etc.) for company websites or servers. The Internal Revenue Service (IRS) published the contents of one such email:

Can you send me the updated list of employees with full details (Name, Social Security Number, Date of Birth, Home Address, Salary?)

The IRS advises that any request like this be verified before complying. The reliable way to verify it is through a channel other than the email itself, such as calling the executive at a known number or walking to their office, never by replying to the message.

Social media

Cybercriminals frequently use social media platforms like Facebook in phishing attempts. Facebook has over a billion users, so the odds are good that a random email generated by an Internet bot will reach someone who actually has an account. Here is a typical example.

There are several grammatical indications that this email is fraudulent, but the address of the sender is a dead giveaway.

Facebook quizzes

Do you love those quizzes that match you with a favorite movie star or Harry Potter character? How about IQ tests? Not so fast. Some of them are third-party apps that request access to personal information in your profile. Others ask questions about your birth city, your first pet’s name, your favorite high school teacher’s name, and other details that are… you guessed it… also the “secret” questions you must answer to recover access to your accounts. Better to let the quizzes pass.

SMiShing: Phishing for your smartphone

Don’t think you can avoid phishing scams by avoiding a computer and using only a smartphone or mobile device. Cybercrooks have a scam for every device. (SMiShing combines “SMS,” the acronym for Short Message Service, the standard text-message protocol, with “phishing.”) A popular scam sends messages to “confirm” a purchase or a subscription. The recipient, alarmed to learn that a charge is pending for something they did not order, taps the link. When opened, the website tries to install a trojan, malware disguised as a legitimate app or update.

Review Questions

What is phishing?

Phishing is a fraudulent attempt to obtain sensitive information such as passwords, usernames, and credit card details by disguising as a trustworthy entity through electronic communication, typically emails.

How can one identify a phishing email?

One can identify a phishing email by looking out for hallmarks such as emails from fake friends, responses to emails you didn’t send, urgent messages, messages from businesses you do not do business with, and those that use current events and disasters to solicit donations.

Is email a secure method of communication for disclosing confidential information?

No, email is not a secure method of communication for disclosing confidential information. No legitimate organization or business will ever ask you to disclose confidential information in an email.
