“Sir….Put the mouse down…and slowly walk away.” Why you should be careful when opening an e-mail

There’s an old adage: Give a man a fish and he’ll have dinner – Teach a man to fish and he’ll have dinner for the rest of his life.  In the Internet age, the ending of that saying should be changed, so that it reads:  “…..teach a man to Phish, and he’ll have a condo in the Bahamas and lots of cash to spend.”

What is Phishing, anyway? 

Phishing is when somebody uses an e-mail or a bogus Popup to trick unsuspecting internet users into revealing personal/financial information, visiting a bogus website, or downloading a harmful virus that will trick their computer into sending their personal/financial information to its creator.  “Gee, that’s easy!” you say.  “I’ll just be extra careful and not open or answer any harmful e-mails.” If only it WAS that easy……The FTC has a great video about phishing.  The Consumer answers his door and the visitor calmly asks for his personal information.  To drive the point home, the guy at the door has an actual fin growing out of his back.  Problem is, you can’t always see the fin growing out of the scam-artist’s back.

“Chosen for a secret mission!”….Me?

That’s the hook-line for a recent campaign by Scott’s tissue.  They are sending mass e-mails out with a link to a Youtube video to convince consumers to do a ‘Secret Swap.’  The swap is when you switch environmentally safer toilet paper in your bathroom, without your family members knowing the difference.  Unfortunately, the folks at Scott’s aren’t as skeptical as they should be. Otherwise, they would realize that when they send an e-mail with the subject line “You’ve been chosen for a COVERT operation,” everyone who reads Consumer Courage is going to delete it, without looking any further.

How many of us know when to (and when NOT to) click open an e-mail and start following directions? Just like the guy in the FTC video with the fin on his back, if anybody showed up at your door and asked for your social security number, you would slam the door in his face and call the cops.  So, why do we even consider clicking on the link in the e-mail that looks like it came from our bank, when we know that the person sending that e-mail could very well be someone in a boiler-room in a basement in Kiev who has a stolen list of half a million card holders? Consumer Courage can’t explain it.  But, something happens to us when we start reading our e-mails.  Defenses go down, the gullible index goes through the roof and our mind has a way of turning every red flag that we’ve been trained to recognize into a wide open door with a red carpet.

Can’t I just open e-mails from people that I know?

Unfortunately, scam artists are able to alter the ‘sender’s address’ so it looks like the e-mail came from a friend of ours, even though it really came from our buddy in Russia.  It’s called ‘Spoofing’ and it happens more often than anyone knows.  Scam artists can hack into somebody’s e-mail and trick it into sending a web-link to people from the victim’s address book.  If you get an envelope with your friend’s return address, you can be 100% sure that it came from him………not so with e-mail.  That’s because someone who is two oceans away can send an e-mail from any account to anyone else, if they know what they’re doing.

What can you watch out for?

    • No ‘Hi, how ya doin?’ just a hyperlink – if the e-mail only contains a link to a website and doesn’t address you like a normal e-mail, or starts with: ‘Friend’, or ‘Thought you might like this,’ or ‘Check this out.’ You’d be better served just to DELETE it and move on;   
    • All addresses are from the same spot in the alphabet – most times, people don’t look at the distribution list on an e-mail.  But, if the e-mail was only sent to a few people and they are all from the same spot in the alphabet, it may be a RED flag.  Are you wondering why your friend Myron has sent a web-link to 5 people whose names start with M?  Maybe it’s not really from Myron, after all.  Be safe: DELETE it and call Myron on the phone. (you probably owe him a call, anyway)

What about e-mails that LOOK legitimate?

If you are able to spot all of the spoofed e-mails that come to your inbox with nothing more than a web-link to click, you’ll be better off.  But, you’re not quite out of the woods.  That’s because of another way scammers have to get you to send your information to them. There are a lot of people who know how to send you an e-mail that looks like it is perfectly legit and from a company that you actually do business with.  The purpose is to trick you into sending them your password – or to visit their website, so the awesome new virus that they created can infect your computer and then send them your personal information (account numbers, passwords, websites visited where you spend money, etc.) THIS is the essence of fishing.  The e-mail that they send you is the BAIT and YOU are the catch.

Unfortunately, you won’t know that you’ve been ‘caught’ until months later, when your accounts don’t balance, your credit card has a $5,000 charge that you don’t recognize or your checking account has been wiped out by the guy who created that awesome virus. The web has tons of great resources to learn about Phishing and how to avoid becoming a victim. Here’s an article that shows you 10 ways to avoid a Phishing scam; here’s one that takes apart the fake PayPal e-mail that tries to get you to send them your password and ID; here’s one from an entire organization created to keep you from being a Phish victim; and here’s the advice that the FBI has to offer.

There are characteristics that are common to most Phishing schemes.  If the e-mail that you’re looking at has any of these, you should start feeling the need to hit the DELETE key.

    • Misspellings – Don’t let your desire to fly through text cause you to miss this warning sign;
    • Generic greetings – if an e-mail says ‘We’re about to shut down your account!’ or ‘We have to verify your password, RIGHT AWAY!’ you would expect it to be addressed directly to you and use your name. But many Phishing e-mails are sent to ‘undisclosed recipients’ or ‘all’ or to no one in particular.  If this happens, you should be thinking ‘RED FLAG BABY!’;
    • Language that contains warnings or scare tactics – Exclamation points, fear and warnings are used to break down your normal misgivings and make you think that you should act right away, without doing any research. Don’t fall for this tactic ! ! ! ……OR ELSE!!!!
    • Forms contained inside the e-mail – this is a sure sign that something is wrong.  Sending information in the body of an e-mail is not even close to being secure.  Legit businesses will never ask you to put information in the body of an e-mail; 
    • Links to other websites – Here’s a rule: if an e-mail has a link in it and it was sent to you after your friend, Myron, told you on the phone “I’m sending a great web-link to your e-mail account. Yoi!” it’s probably OK.  Otherwise, just DELETE the e-mail. 
    • ANY request for personal information – You wouldn’t consider giving your personal information to someone who came to your door.  So, why are you willing to send this info off into cyberspace, just because the e-mail has a company logo that can be re-created using any one of a hundred free computer programs?  Only heaven knows………
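
As an added illustration (not part of the original post), here is a short Python script that checks a raw e-mail for several of the warning signs above, plus the "same spot in the alphabet" recipient list from earlier. The function name, the keyword lists, the three-recipient threshold and both sample messages are made up for this example, and misspellings are not checked.

```python
import re
from email import message_from_string
from email.utils import getaddresses

SCARE = re.compile(r"shut down your account|right away|!{2,}", re.I)
PERSONAL = re.compile(r"password|social security|account number", re.I)

def red_flags(raw):
    """Return the warning signs (heuristics, not proof) found in one raw e-mail."""
    msg = message_from_string(raw)
    # Join the text of every non-container part; encoded parts are not decoded here.
    body = " ".join(str(p.get_payload()) for p in msg.walk() if not p.is_multipart())
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    addrs = [a for _, a in getaddresses(headers) if "@" in a]
    flags = []
    if not addrs:  # 'undisclosed recipients', 'all', or nobody in particular
        flags.append("generic recipient")
    # Assumed threshold: 3 or more recipients who all share one first letter.
    if len(addrs) >= 3 and len({a[0].lower() for a in addrs}) == 1:
        flags.append("recipients from one spot in the alphabet")
    if SCARE.search(body):
        flags.append("scare language")
    if "<form" in body.lower():
        flags.append("form inside the e-mail")
    if re.search(r"https?://|href=", body, re.I):
        flags.append("link")
    if PERSONAL.search(body):
        flags.append("asks for personal information")
    return flags

# Constructed sample messages (not real mail).
LINK_ONLY = """From: Myron <myron@example.com>
To: mabel@example.com, marcus@example.com, mary@example.com, mia@example.net
Subject: Check this out

http://example.test/video
"""

FAKE_BANK = """From: Your Bank <alerts@example.test>
To: undisclosed-recipients:;
Content-Type: text/html

<p>We have to verify your password RIGHT AWAY!!!</p>
<form action="http://example.test/verify"><input name="password"></form>
"""

if __name__ == "__main__":
    for name, raw in (("link-only", LINK_ONLY), ("fake bank", FAKE_BANK)):
        print(name, "->", red_flags(raw))
```

A message that raises no flags is not thereby safe; the list only says which of the signs above showed up.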

What can you do to protect yourself?

    • REMEMBER – any company that you are doing business with will NEVER send you an e-mail asking for personal information.  You may get an ‘Alert’ or a reminder to call them. But, that’s a far cry from asking for your password;
    • Search in another window for the company’s website – If the e-mail is from a company you’ve never heard of, get rid of it! If you get an e-mail from a company that you have a relationship with, the only way to make sure it is not a spoof attack is either to 1) call them and ask about the e-mail; or 2) pull up that company’s website in another browser window and try to find the department that the e-mail is supposedly from;
    • Never enter personal info on a site that doesn’t have the little padlock and starts with ‘https’ – if you look at the address bar for any website, it should start with the letters ‘http.’  Before you enter any personal information, check that the web address begins with ‘https’ and has a little padlock icon somewhere in the address bar.  That ‘s’ means ‘secure’ and is your first clue that the site is protected and legit.  It is only a first clue, though: the padlock tells you the connection is encrypted, and scam sites can have one too, so still make sure the address is the company’s real one;
    • Do not enter information into a Pop-up that appears! – do NOT respond to any – survey; request for information; sale of super-duper travel insurance; or FREE coupon for the next thousand purchases anywhere on the net – if it comes in the form of a Popup that you did not click to open.  Unfortunately, some Phishers are able to Popup on other sites, without permission. All they’re looking for is a reach-out from you, so they can activate that awesome new virus program and infect your computer.

Be careful and stay away from the Phishes! ……………(this blog post will self-destruct in 5 seconds)

Posted by: Mark Wiseman (who once caught an actual fish, but was too creeped out to take the hook out of its mouth)