How to Identify Bogus Banking Emails
Some phishing attempts are so crude, they're laughably obvious -- but too often, otherwise savvy consumers are getting duped by fake email messages that convincingly emulate real correspondence from financial institutions. There are some steps you can take to vet a message before getting into trouble, though. First and foremost, treat all suspicious emails as guilty until proven innocent.
05/09/13 5:00 AM PT
I've recently written about ways to stop spam, but what do you do about bogus email -- that is, email that appears legitimate but isn't?
Fake emails are sent by criminals in order to get your money, or to take advantage of your computer's processing power and Internet connection to launch Web-clogging Denial of Service attacks on other networks.
This practice, aka "phishing," works by embedding dummy Trojan software on your PC, or by getting you to visit fake websites to enter personal details, or by capturing personal details directly from your computer.
The emails are often hard to spot and can look like they come from common financial institutions and social networks. Here's how to identify those emails -- and what to do if you suspect you've received one.
Step 1: Notice the Red Flags
Red flags include
- requests for personal information such as banking details and password changes;
- prompts to click on links or download attachments; and
- requests from institutions you don't already have a relationship with.
Treat any red flag emails with caution and proceed to the next steps.
Warning: Don't click on a link within an email if you have any doubt as to the legitimacy of the message.
Step 2: Don't Panic
Be wary of alert-style text within emails that suggests your security has been compromised and that the embedded link you are being urged to click on will fix the problem.
This is a pressure technique that instills a sense of urgency. Just as you would in entering a common purchasing transaction, take time to evaluate.
Look for language that implies something onerous will happen if you don't click on the link within the email message -- for example, that your account will be closed.
Tip: Look for bad grammar, strange capitalization or spelling mistakes. Legitimate companies usually put effort into catching mistakes before releasing an email. Peculiar text can be used to circumvent spam software.
Step 3: Look Closely at Links
Place your mouse over the common language link in the email -- again, without clicking on the link -- to see if the link's Web address is repeated within the status bar on the browser or email client.
A legitimate link will echo the text in the message. For example, the link in a message from the XYZ Bank will read https://www.xyzbank.com/link, or similar, rather than http://somethingelsefakebank.com/link or similar, or a series of numbers, called an "IP address," like http://188.8.131.52/link, or similar.
The secure designation "https," rather than the generic "http," will precede a legitimate transactional website. The "s" means it's secure.
Tip: Look for marginally changed link addresses, for example XYX Bank, rather than the legitimate XYZ Bank. Again, don't click on the link.
Step 4: Check the Header
Check the sender's actual address in the message header against the From address. The displayed From name is easier to fake than the sending mail address. The actual addresses should match, or the sending mail address should clearly be originating from a legitimate institution sending a message.
Look for a lack of personalization within the message. Generally, but not always, a classic phishing email will not include personalization. Banks try to differentiate themselves from phishers by using personalization. A "Dear XYZ Bank Member" is an example of bogus message, whereas "Dear Mr. Smith" is likely legitimate.
Warning: Legitimate institutions will not send downloadable email attachments unless you have already entered into a dialog with them about it -- for example instrument copies. Never download attachments with a ".exe" extension.
Step 5: Take the High Road
Browse to the sender's website directly. Do this by manually entering the Web address root in a Web browser address bar. Then use the website's navigation to find the information referred to in the email message.
If the email message was legitimate, the contents will be available at the website too.
Tip: When browsing, check the browser's address bar for the correct institution's address -- for example, XYZ Bank. Even if the Web address has the bank's name in it, it may not be the bank's website. For example, XYZBankSecure.net, is not the same as XYZ Bank.com
Warning: Never enter bank login details after following an emailed link. Always log in to the bank directly from a fresh tab in a Web browser. Never enter details in pop-up windows.
Step 6: Good Riddance
Delete the bogus email message.
Tip: You can report bogus emails. Many email clients have ways to mark messages as scams. Look for "Mark as phishing scam," or similar, adjacent to the message.
Alternatively, report phishing to the Anti-Phishing Working Group, or APWG.
Want to Ask a Tech Question?
Is there a piece of tech you'd like to know how to operate properly? Is there a gadget that's got you confounded? Please send your tech questions to me, and I'll try to answer as many as possible in this column.
And use the Talkback feature below to add your comments!