How to detect E-Mail Scams (Phishing)

2006-01-08

What do the following 5 e-mails have in common?

example #1

example #2

example #3

example #4

example #5

They are all fake, bogus, not really from Paypal, Amazon or Wells Fargo. They are e-mail scams. Sending this kind of e-mail is called "phishing", as in fishing for suckers.

I get at least a couple of these every week and because I'm a computer geek I know how to tell that they are fake, but I suspect most people don't, including many of my friends and family. It really sucks that the net makes it so easy for bad people to screw over good people but that's the way it is for now.

Microsoft, Google, Yahoo and many others are working on solutions but in the meantime, hopefully the instructions below will help you avoid getting taken in by these phishing scams.

The first thing to look at is the To address. In my case, my Paypal account is not registered to gregg@yahoo.com or gregg@activestate.com so clearly this is fraudulent mail. For those of you that use only one e-mail address you're unlikely to get that lucky. Most likely your real e-mail address will appear there but if it's not the correct e-mail address you already know it's fake. Delete it.

Now it gets more difficult. What you have to do is check if the link in the e-mail actually goes to the site it claims it's from. The link might appear to go to Paypal but what it shows and where it actually goes are separate things.

The first thing you can do, especially if you are using web-based e-mail, is "hover" the mouse cursor over the link. Your browser *might* show where the link goes in the status bar of the browser.

Here we can see that the link is not going to Paypal. It's going to some site called 200.181.57.130. Clearly this link is fake.

Unfortunately, even if it said Paypal.com in the status bar that doesn't mean the link would actually go to Paypal. There are ways of hiding that. In other words, this step might tell you immediately if the link is fake, but if it looks like a valid URL you still have to dig deeper.

In most e-mail programs and e-mail websites you can right click on the e-mail and pick "View Source".

This will bring up some kind of program that shows you the codes used to display the e-mail you are looking at. It will most likely look like lots of gibberish. You need to search for what you see as the link. In the case of example #1 above I searched for "Click here".

If it doesn't find it you can pretty much be sure the mail is fake. In my case it found it.

Now, we have to look for the part just before that that says href=

and to the right of that we see the actual link

Again, it's not Paypal so this is fake. In the case of examples #2 and #3 above they show links so I searched for part of the link ("https://www.paypal")

I found it here and what do you know, the actual link goes to some site called only666times.de. Yes, some asshole is trying to rob me again. 😞

Note that you still have to be careful because the link might only be subtly fake. I've seen links like http://paypal.com.someothersite.tw or other convoluted things that try to make the link appear real.

Unfortunately it gets worse. It's possible that even if the links look 100% correct, the e-mail is designed to take you somewhere else. Technically, e-mail links can be programmed so that when you click the link a small piece of code runs. That code, instead of going to the link you see specified, can take you to some other link, and unfortunately there is no easy way to look that kind of hack up. Most e-mail programs attempt to remove those hacks. For example, a fully up-to-date and patched Outlook will tell you the e-mail has scripts in it. Scripts = code. If it says this you know the e-mail is fake. No legitimate e-mail has scripts in it.

Gmail and Yahoo Mail both attempt to delete the scripts from the e-mail, but there is probably a way around most of them.

The best advice is, first, if it's not important, ignore the e-mail. Otherwise, if you are concerned and if you've followed all the steps above and the mail looks like it might actually be legit, don't click the link. Instead, manually launch a browser window, go directly to the site yourself, log into your account for the site in question and ask their customer service directly if there is something they need to talk to you about.

(the e-mail addresses above have been changed and are not real)
