I checked my email this morning before I had my first cup of coffee. That’s always a mistake, and this morning was no exception. The first thing I noticed in my inbox was an email from the IRS with the subject “Notice of Underreported Income”. I did what any honest, law-abiding, tax-paying citizen would do – my heart skipped a beat and I panicked. I opened the email and, after the longest few seconds ever, realized that it was a phishing scam. While phishing is not new – anyone with an email account probably gets several a day – this one is particularly insidious. Most phishing email comes from ‘institutions’ you do not actually do business with. Just yesterday, the First Second and Third National Bank of Who Knows Where asked me to ‘Please to Update Nice Customer Data Form’. I didn’t give it a second thought because I don’t have an account there. Everyone has an account with the IRS. What’s more, the whole tax-paying process is so complex that we all harbor a fear of having done something wrong. Fortunately, despite the lack of coffee, common sense overcame my panic quickly. The IRS does not contact taxpayers via email, there are numerous spelling and grammar mistakes, and the link goes to www.irs.gov.yhhsszz.net (the important part is the yhhsszz.net). If I had clicked the link, the site would have tried to get me to install some malicious software on my computer.
The moral here is that no legitimate institution you actually do business with will send you an email asking you to click a link and fill out a form divulging financial information online. Here are three common sense rules for detecting phishing:
- Does the link actually go where it says it’s going to go? Hover over the link with your mouse and read the link location in your browser’s (or Outlook’s) status bar. If the text says it’s from eBay but the link points to webapp.ebay.badsite.com, it’s not really from eBay. Read the host name from the right: what matters is the registered domain, which is the last two labels (badsite.com), or the last three when the suffix is itself two labels (example.co.uk). Everything to the left of that is a subdomain the attacker controls, so anyone can put ‘ebay’ or ‘bankofamerica’ or ‘irs.gov’ in front of their real domain name. Two more things to watch for: the host name ends at the first ‘/’ after http://, so anything after that is just a path and proves nothing, and an ‘@’ in the address (http://www.ebay.com@badsite.com/) means the browser ignores everything before the ‘@’ and goes to badsite.com.
- Are there spelling / grammar mistakes? A legitimate business email will use proper spelling and grammar, and many phishers can’t seem to manage it, so mistakes are a strong warning sign. The reverse is not true: a polished, error-free email can still be a fake, so a clean message only passes this test, it doesn’t pass the other two.
- Is the email from someone you do business with, and do they have a reason to contact you via email? eBay will legitimately send you an email invoice asking you to pay for a purchase. Amazon may need you to update your expired credit card. However, your bank will never ask you to fill out an online form giving them your social security number, credit card number or password.
Better safe than sorry. If you get a seemingly legitimate email from eBay, Amazon, PayPal or anyone else you do business with who has a legitimate reason to request that you pay for something or update your information online, you initiate the transaction by typing their address into the address bar of your browser. Don’t just click the link in the email: type in ‘www.ebay.com’, then go to your My eBay page. When you’re entering your credit card information online (or anything else, for that matter), always make sure the URL in your browser’s address bar is what you would expect it to be (ebay.com, not ebay.someothersite.xxyyz.com) and that the URL starts with ‘https’ – especially if you’re entering financial information. Keep in mind what ‘https’ does and doesn’t tell you: it means the connection is encrypted and the site holds a certificate for the name in the address bar, nothing more. Phishing sites get certificates too, so the padlock confirms which domain you are talking to; it does not vouch for that domain. The domain check comes first, the padlock second.
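As an added illustration (not part of the original post), here is a small Python script that applies the first rule and the address-bar check automatically to an HTML email body. It pulls out every link, works out the domain the browser would really connect to, and flags the link when that differs from what the link text claims or from the site the message is supposed to come from. The sample email, the tiny public-suffix table and every domain name in it are constructed for the example; a real checker would load the full Public Suffix List instead of the hard-coded table.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed stand-in for the Public Suffix List (publicsuffix.org): suffixes
# under which anyone can register a name. Real code should load the full list.
PUBLIC_SUFFIXES = {"com", "net", "org", "gov", "co.uk", "org.uk", "com.au"}


def registrable_domain(hostname):
    """The part of a host name somebody actually registered, read from the
    right: 'yhhsszz.net' for 'www.irs.gov.yhhsszz.net', 'example.co.uk' for
    'login.example.co.uk'. Everything left of it is a subdomain they control."""
    labels = hostname.lower().rstrip(".").split(".")
    # Try the two-label suffixes first so 'co.uk' wins over a bare 'uk'.
    for n in (2, 1):
        if len(labels) > n and ".".join(labels[-n:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[-(n + 1):])
    return ".".join(labels[-2:])


def link_host(href):
    """Host the browser would really connect to. urlsplit stops at the first '/'
    and drops any 'user@' prefix, so http://www.ebay.com@badsite.com/ -> badsite.com"""
    return (urlsplit(href.strip()).hostname or "").lower()


def claimed_host(text):
    """Host the visible link text claims, if the text looks like a URL or domain;
    None for text such as 'Click here'."""
    t = text.strip().lower()
    if "://" not in t:
        t = "http://" + t
    host = urlsplit(t).hostname or ""
    return host if "." in host else None


class AnchorCollector(HTMLParser):
    """Collect (visible text, href) pairs from an HTML email body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def suspicious_links(html, expected_domain=None):
    """Rule 1 applied to every link: flag it when the real registrable domain
    differs from what the link text claims, or (if expected_domain is given)
    from the domain the sender is supposed to be. Returns a list of
    (text, href, real_domain, reason) tuples."""
    parser = AnchorCollector()
    parser.feed(html)
    findings = []
    for text, href in parser.links:
        host = link_host(href)
        if not host:
            continue  # mailto:, relative links and the like have no host
        real = registrable_domain(host)
        claimed = claimed_host(text)
        if claimed and registrable_domain(claimed) != real:
            findings.append((text, href, real, "text says " + registrable_domain(claimed)))
        elif expected_domain and real != expected_domain.lower():
            findings.append((text, href, real, "expected " + expected_domain))
    return findings


def address_bar_ok(url, expected_domain):
    """The check from the last paragraph, for a URL you are about to type into:
    the registrable domain must be the one you expect AND the scheme must be https.
    Note the order: https alone proves nothing about which site it is."""
    parts = urlsplit(url)
    return parts.scheme == "https" and registrable_domain(parts.hostname or "") == expected_domain.lower()


# Constructed sample email body; none of these hosts are real.
SAMPLE_EMAIL = """
<p>Notice of Underreported Income. Review your account at
<a href="http://www.irs.gov.yhhsszz.net/refund">www.irs.gov</a>.</p>
<p><a href="https://webapp.ebay.badsite.com/signin">Sign in to eBay</a></p>
<p><a href="http://www.ebay.com@badsite.com/">http://www.ebay.com</a></p>
<p><a href="https://www.ebay.com/myb/Summary">Go to My eBay</a></p>
"""

if __name__ == "__main__":
    for text, href, real, reason in suspicious_links(SAMPLE_EMAIL, "ebay.com"):
        print(f"SUSPICIOUS: '{text}' -> {href} (really {real}; {reason})")
```

Run as a script it flags the first three links of the sample (the IRS look-alike, the ebay.badsite.com subdomain and the ‘@’ trick) and lets the genuine www.ebay.com link through. Passing the sender’s expected domain is what catches links whose text is just “Sign in” and claims no host at all.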