Number 316 - September 2009
How To Spot a Phishing Email
Front Range PC Users Group newssetter k-bytes, May 09

Extracted from PayPal Security Center web page. Thanks to Linda Gonse, Orange County IBM PC Users Group, http://www.orcopug.org for locating this information.


   There are many telltale signs of a fraudulent email.
   
  • Sender's EMail Address. To give you a false sense of security, the "From" line may include an official-looking email address that may actually be copied from a genuine one. The email address can easily be altered but it's not an indication of the validity of any email communication.

    •    
  • Generic Email Greeting. A typical phishing email will have a generic greeting, such as "Dear User." Note: All PayPal emails will greet you by your first and last name.

    •    
  • False Sense of Urgency. Most phishing emails try to deceive you with the threat that your account will be in jeopardy if itbs not updated right away. An email that urgently requests you to supply sensitive personal information is typically fraudulent.

    •    
  • Fake Links. Many phishing emails have a link that looks valid, but sends you to a fraudulent site that may or may not have an URL different from the link. Always check where a link is going before you click. Move your mouse over the URL in the email and look at the URL in the browser. As always, if it looks suspicious, don't click it. Open a new browser window, and type https://www.paypal.com.

    •    
  • Attachments. Similar to fake links, attachments can be used in phishing emails and are dangerous. Never click on an attachment. It could cause you to download spyware or a virus. PayPal will never email you an attachment or a software update to install on your computer.


    •    How to spot a spoof (fraudulent) website.


       A phishing email will usually try to direct you to a fraudulent website that mimics the appearance of a popular website or company. The spoof website will request your personal information, such as credit card number, Social Security number, or account password.

       You think you are giving information to a trusted company when, in fact, you are supplying it to an online criminal.
       
  • Deceptive URLs.


    •    Be cautious. Some fraudsters will insert a fake browser address bar over the real one, making it appear that you're on a legitimate website. Follow these precautions: Even if an URL contains the word "PayPal," it may not be a PayPal site.

       
  • Examples of fake PayPal addresses:

    •    
  • "http://signin.paypal.com@10.19.32.4/"

    •    
  • "http://83.16.123.18/pp/update.htm?=
    https://www.paypal.com/=cmd_login_access"

    •    
  • "www.secure-paypal.com"

    •    
  • Always log in to PayPal by opening a new browser and typing in the following: https://www.paypal.com.

    •    
  • The term "https" should precede any web address (or URL) where you enter personal information. The "s" stands for secure. If you don't see "https," you're not in a secure web session, and you should not enter data.

    •    
  • Out-of-place lock icon.


    •    Make sure there is a secure lock icon in the status bar at the bottom of the browser window. Many fake sites will put this icon inside the window to deceive you.

       Thanks to PayPal for posting these tips. You can find more about phishing and fraudulent websites on the PayPal Security Center web page https://www.paypal.com/us/cgi-bin/webscr?cmd=
    xpt/marketing/securitycenter/general/RecognizePhishing-outside     --LG. Suggested by Mary Burton.

       (k-byte Editor's Note: These additional resources (also thanks to Linda) for this topic are recommended:
       
  • BBC News http://news.bbc.co.uk/2/shared/spl/hi/picture_gallery/
    06/technology_how_to_spot_a_phish/html/2.stm

    •    
  • Microsoft.com http://www.Microsoft.com/protect/yourself/phishing/identify.mspx


    •    Phishing mail often includes official looking logos and other identifying information taken directly from legitimate Web sites, and it may include convincing details about your personal information that scammers found on your social networking pages.

       The main thing phishing e-mail messages have in common is that they ask for personal data, or direct you to Web sites or phone numbers to call where they ask you to provide personal data.
       
  • Yahoo.com Http://tech.yahoo.com/blogs/hughes/4338

    •    
  • Ebay.com http://pages.ebay.com/education/
    spooftutorial/index.html#learn_more

    •    
  • About.com http://banking.about.com/od/
    securityand safety/a/phishingscams.htm


    •    The best way to avoid becomimg a phishing scam victim is to use your best judgment. No financial institution with any sense will email you to input all of your sensitive information. In fact, most institutions are informing customers that "We will never ask you for your personal information via phone or e-mail."
      Number 316 - September 2009