I love the Toshiba laptop I bought last year. I keep just about
everything related to work, school, and my finances on it. So when I
received an e-mail from Toshiba warning that my model may have a
data-threatening memory defect, I was anxious to find out whether my
machine was affected. A link in the message took me to a Toshiba Web
page, which promised to download a utility to my PC that would check
for a defective memory module. All I had to do was click one button.

But just as I was about to click that button, a doubt bubbled up from
the depths of my digital credulity. Could the whole thing be a scam?
Was I about to download and install a Trojan horse, backdoor program,
or worm? As it turned out, it wasn't a trick: Toshiba really did send
out an e-mail containing an embedded link leading to an executable
file download located at a long, complex Web address. Trouble is,
phishing exploits, browser hijackers, and other online scams often
hook their victims by using similar-looking e-mail messages.

Fortunately, you can learn to spot these e-mail cons by using a
handful of investigative techniques and a boatload of common
sense. Here are some of the ways to tell a genuine message from a

Don't Take the Bait

If you keep just this one thing in mind, you'll protect yourself from
the majority of e-mail attacks: Assume any message could be
malicious. It matters not who the sender appears to be, or whether the
message's corporate logos, artwork, and embedded links look
authentic. It's a trivial matter for scam artists to create fake
messages that contain return addresses, images, and URLs lifted from
the real company's own Web site.

Next, use your newfound paranoia to examine messages critically. If
you don't have an account with Citibank, for example, the company
won't be sending you any account-related e-mail. But even messages
that appear to come from firms you have an account with may not be
real. Remember, your new motto is "Trust No One."

Before clicking a link or taking any action requested in a message,
determine for certain that the message is genuine. Return addresses,
embedded links, and images can be deceiving. Look for dire warnings
and other classic con techniques, undoubtedly accompanied by a link to
a bogus Web site where you'll be asked to enter personal information.

Legitimate e-mails and scams can look very much alike. Both may be
text-based, reasonably well written, and plausible (although phishing
messages often contain typos and poorly composed sentences with
questionable logic). Both also contain real addresses to each
company's Web site. The only difference is that, for example, a
faux-Citibank message also may have a link to a short-lived phishing
site where the unsuspecting visitor is asked to enter personal
information. Rather than providing a link to a specific page, genuine
messages from companies that are savvy to phishing and other online
fraud will generally instruct you to visit or log in to the company's
main Web site.

Another clue: A phishing message may be delivered to an e-mail address
that you don't use with that company or institution. Note that I've
received phishing messages at a widely publicized (and indexed)
address (firstname.lastname@example.org), whereas a genuine PayPal message came
to my personal address, which I had previously verified with
PayPal. If you get a message at an address you never registered with
the company, it's fake.

Intuition and a suspicious nature are a good start, but to separate
real messages from bogus ones, you also need to decipher their Web
addresses. In a couple of text-based messages I received, all addresses
were plain text, so what I clicked was what I got. Clicking
"https://www.paypal.com" took me to the real PayPal Web site. But
exactly lead to a Citibank Web site.

One clue is the string of numbers following the URL prefix
"http://". Every Web site resides at a specific Internet Protocol
address, so, for example, you can get to the PCWorld.com site by
typing 220.127.116.11 in your browser's address bar instead of
www.pcworld.com. However, "18.104.22.168" doesn't lead to the Citibank
Web site, even though the rest of the address looks like other links
you may routinely click. The only way you can be sure to reach the
real Citibank site is to type the domain-name-based URL
www.citibank.com into your browser's address window manually. (And
once you do, be sure to click the Consumer Alert link that describes
these fraudulent e-mail messages.) If you're not sure where an IP
address leads, don't click it.

Substituting a numeric IP address for a domain name in a URL isn't the
only way a malicious message will try to trick you. The address
"www.citibank.com" is the real deal, but "www.citibank.phishing.com"
could lead anywhere. Every domain name ends with a top-level domain,
such as .com, .org, .edu, or a country-specific TLD such as .cn
(China), .uk (United Kingdom), or .ru (Russia). The word just to the
left of this TLD, together with the TLD portion, spells out the actual
domain name: "citibank.com", for example, is all it takes to get to
Citibank's site. When a phisher modifies a domain name slightly, or
inserts a word to the left of the TLD, the link changes. Phishers hope
that you won't know or notice the difference between "pcworld.com" and
"pcworld-gotcha.com" or "pcworld.phishing.com."

E-mail attacks can also use the HTML formatting to conceal the true
destination of links. If a message is composed using HTML, the
underlined link text may not be the same as the actual embedded
link. This was true of the e-mail I received from Toshiba and was one
reason I became suspicious of its origin. Most e-mail programs display
an embedded link's destination URL in the bottom status bar or in a
pop-up window when you hover the mouse pointer over it.
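
The three link checks described above (a numeric IP address as the host,
the real domain being the word next to the TLD, and HTML link text that
differs from the embedded link), as an added Python example that is not
part of the original article. The function names, reason labels and the
sample message are assumptions made for illustration; the sample is
constructed.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

def registrable_domain(host):
    # Article's rule: the label left of the TLD plus the TLD. Simplification:
    # suffixes such as .co.uk need a Public Suffix List lookup instead.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def is_ip_literal(host):
    try:
        return bool(ipaddress.ip_address(host))
    except ValueError:
        return False

class LinkCollector(HTMLParser):  # gathers (href, visible text) per <a>
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        self._text.append(data)  # reset at each <a>, so only link text is kept
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def audit_links(html, expected_domain):
    collector = LinkCollector()
    collector.feed(html)
    findings = []  # (href, reasons); an empty list means no check fired
    for href, text in collector.links:
        host = urlsplit(href).hostname or ""
        reasons = ["numeric-ip-host"] if is_ip_literal(host) else []
        if not reasons and registrable_domain(host) != expected_domain:
            reasons.append("unexpected-domain")
        # Link text that names a host other than the one the href goes to.
        shown = re.search(r"[a-z0-9-]+(?:\.[a-z0-9-]+)+", text, re.I)
        if shown and registrable_domain(shown.group()) != registrable_domain(host):
            reasons.append("text-href-mismatch")
        findings.append((href, reasons))
    return findings

SAMPLE = (  # constructed body: names from the article, IP from a documentation range
    '<a href="http://192.0.2.10/login">https://www.citibank.com</a>'
    '<a href="http://www.citibank.phishing.com/verify">Verify your account</a>'
    '<a href="https://www.citibank.com/">www.citibank.com</a>')
```

Calling audit_links(SAMPLE, "citibank.com") flags the first two links and
leaves the third with an empty reason list.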

I needed to find out whether the message from Toshiba was genuine; if
it was, I would have to test my beloved laptop for a faulty memory
module. First I entered a likely Toshiba site URL -- "toshiba.com" --
into my browser's address bar; this move transported me to a global
After rummaging around awhile, I finally stumbled upon a Web page
describing the same issues noted in the Toshiba e-mail, and using the
same URLs. Voilà! I had my confirmation -- the Toshiba e-mail was truly
legitimate. But I still never clicked the message's embedded link,
going instead through the link on the company's Web site. You can
never be too careful.

Scott Spanbauer is a contributing editor for PC World. He writes the
monthly Internet Tips column.

*** FAIR USE NOTICE. This message contains copyrighted material the
use of which has not been specifically authorized by the copyright
owner. This Internet discussion group is making it available without
profit to group members who have expressed a prior interest in
receiving the included information in their efforts to advance the
understanding of literary, educational, political, and economic
issues, for non-profit research and educational purposes only. I
believe that this constitutes a 'fair use' of the copyrighted material
as provided for in section 107 of the U.S. Copyright Law. If you wish
to use this copyrighted material for purposes of your own that go
beyond 'fair use,' you must obtain permission from the copyright
owner, in this instance, Reuters Tech Tuesday, PC-World.

[TELECOM Digest Editor's Note: I wonder if most netizens realize the
serious way in which phishing has proliferated. I must get a dozen or
more of these daily in my account here at massis. Since massis is an
old-fashioned style mail service (uses 'sendmail' with text copy) it
is very easy for me to tell where I would be sent to if I clicked on
something by just reading through the html looking at the links which
would appear if I had been using html and had clicked. It is really
pretty disgusting, the volume of it. It is literally all over the
place. I get them all the time pertaining to 'errors found in my
PayPal account' or 'fraud discovered in my Citibank account' etc. I
don't even have a Citibank account, and my PayPal account does not
go through massis. PAT]