Nov 13 2012

How to Spot Bait and Phishing E-Mail Scams

These tips for identifying baiting and phishing e-mails can help keep your users out of trouble.

Although hardly a new problem, baiting and phishing e-mails continue to threaten users (and their workstations) in organizations of all sizes. Baiting e-mails, in the simplest terms, are designed to get users to unwittingly click a hyperlink that will compromise their machine. Phishing e-mails aim to harvest a user’s personal information — through the procurement of credit card information or social networking passwords, for example — so his or her identity can be stolen or sold.

Help users protect themselves and their machines from dangerous e-mails by ­explaining these identification strategies:

Consider the source.

It sounds simple, but simply questioning why you are receiving something from the sender can stop many threats before their so-called “credibility” can take hold.

If the e-mail originated from a bank, for example, ask yourself: Do you even have a checking or savings account with that institution? Did you actually register your account with a social networking site or popular online retailer using your work (rather than personal) e-mail address?

If you can’t come up with a good answer to such questions, delete the e-mail.

Watch the language.

Many phishing and scam attempts are perpetrated by those whose first language isn’t English. Be on the lookout for words that aren’t commonly used in everyday conversation (“kindly” is a favorite) and awkward or redundant phrasing, such as “This is by virtue of its secret nature and being utterly confidential and top secret.”

The global nature of business often requires communicating with non-native English speakers (and being more forgiving of grammar and vocabulary mistakes). But unsolicited personal correspondence featuring such highly unnatural language should be considered carefully.

Examine links before you click.

Bad guys know they cast a much wider net if they disguise malicious hyperlinks with legitimate website names. As a result, it’s always a good practice to double-check URLs before clicking on them.

Most popular mail clients will display the true destination of hyperlinks if you hover over the link with the mouse cursor — the URL will display in the status bar at the bottom of the window or in a pop-up box. Make sure the destination matches the text and isn’t pointing to a website other than the one represented in the e-mail.

Also, be wary of shortened links such as bit.ly or t.co addresses. Although these can be highly useful for character-limited sites such as Twitter, they serve little purpose in the context of a business e-mail other than to disguise malicious web links.

Is it too good to be true?

Random strangers never want to give you something for nothing (even if they are embezzling foreign funds). If it sounds too good to be true, it is. Delete these e-mails with extreme prejudice.

Is it too bad to be true?

Likewise, the IRS does not harass people by e-mail, your Uncle Vernon hasn’t been marooned in Cambodia, and chances are no one just spent $3,000 using your iTunes account. Alarming e-mails are a common ploy designed to send unsuspecting recipients into a panic and cause them to blindly click their way into trouble.

If you receive an e-mail with purported bad news, contact the sender directly. Some companies even post scam alerts on their websites to help debunk these types of communications.

Remember: No reputable company will ask to “verify your information.”

The only exception to this is if you have recently initiated a transaction with that company that would actually result in a need to verify information. For example, if you register your work e-mail address to create a login for your company’s wellness site, then you may get a “confirm your e-mail address” message. But no reputable company, just out of the blue, e-mails its customers to ask them to verify their information. If in doubt, a simple phone call can quickly set things straight.

If you ever doubt an e-mail’s credibility, call your IT department. Any technician would rather spend two minutes reviewing a message to confirm its authenticity before you respond than spend hours cleaning up your machine after the fact.

Ocean Photography/Veer