How to Spot a Phishing Scam

Mon Sep 25, 2006 11:59AM EDT


If you haven't read part one of this phishing report, I recommend you do so before diving into part deux. Knowledge is power, and you should learn how to recognize every trick phishers have up their sleeves.

Today we're going to demystify everything inside their bag of tricks, as I teach you how to spot a fake web site better than you can spot a fake Louis Vuitton on the street. So before you volunteer private information to the phishing professionals, learn to recognize the following telltale signs, test your phishing IQ, and don't forget to delete all those spam emails.

A recent study identified three reasons people still fall prey to phishing scams: lack of knowledge, visual deception, and inattention to detail.

They say the devil is in the details, and I'll show you why that's true in this case.

Security Signs

There are a few ways to recognize a secure connection between your browser and a web site. You probably miss them every time you visit a secure site, because these indicators are subtle and most of us never learned where to look.

Follow along with me here, by going to the Yahoo! Mail login page. Notice a few very important things here:

1) The URL of the page is https://login.yahoo.com/config/login_verify2. Notice the "s" at the end of "https." This "s" means the connection uses SSL (Secure Sockets Layer): the browser has established an encrypted connection, so whatever you enter on the page travels encrypted to the server. You must always look for "https" on any site where you enter sensitive information, including login pages, online shopping sites, and bank web sites. One caveat: "https" only tells you the traffic is encrypted to whoever runs the host shown in the address bar. It does not tell you that host is the company you think it is, so read the address itself, not just the first five letters.

2) Notice the closed padlock in the lower right corner of the browser window. If you move your mouse over it, it says "Signed by Equifax." If you click on it, it opens a window with more details about the certificate, including the name of the site it was issued to; that name should match the address you meant to visit. Every company that asks you for sensitive information should have a digital certificate, preferably one from an established certificate authority. VeriSign, Thawte, GeoTrust, and Entrust.net are a few of these companies. Also keep in mind that the padlock must be part of the browser itself (the status bar or address bar); a padlock drawn inside the content of the page is just a picture and doesn't mean a thing.

3) Yahoo! users get added security when they activate Yahoo!'s new anti-phishing feature. On the mail login page, users can add an extra layer of protection with a personalized sign-in seal, a secret message or image of their own choosing that appears on the login page. The seal is stored on each computer where the user sets it up, so the real Yahoo! login page on that computer will always show it. A page that asks for your Yahoo! password but doesn't show your seal is a strong hint you're on a fake. Phishers be warned!

URL Madness

You can't judge a book by its cover, and in this case, you won't be able to tell if a web site is a fake just by looking at the web design. These smart criminals can replicate any web site down to the last detail, and it wouldn't surprise me if they used the same web designer to do it. Consumers have lost $630 million to email scams in the last two years, according to Consumer Reports' State of the Net. Phishing is a big business, so never think for a second that these criminals wouldn't spend thousands of dollars creating sites as credible as the real thing. Sometimes their designs feel so authentic, they even link to the real web site to boost your confidence. This is where it gets tricky, and you must watch out for illegitimate domain names.

Here's what you should look for:

a) Misspelled domains are big deceivers. Phishers will purchase a domain name that resembles the real one, replacing letters with numbers or with similar-looking letters. Pay close attention to the spelling of the domain name, and learn to spot a fake like www.yohoo.com or www.paypol.com.

b) Variations of domains should also be a red flag. Don't click on links in any email that contains URLs like http://center.yahoo-security.net. A legitimate URL would read http://center.yahoo.com if it actually belonged to Yahoo! The part that matters is the name immediately before the ".com" or ".net", not the words that appear elsewhere in the address: yahoo-security.net is a completely separate domain that anyone could have purchased for a scam, and so is something like www.yahoo.com.secure-login.net, where the real name is only a subdomain of secure-login.net (I'm just using Yahoo! as an example here).

c) A URL that points to a bare IP address looks something like http://102.199.60.250/. Legitimate companies send you to their domain name, not to a number. Bottom line, never trust emails that point you to URLs that show only an IP address.
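The checks in the two lists above (https or not, the certificate's host versus the address you meant to visit, bare IP addresses, misspelled domains, hyphenated variations, and the real name buried in a subdomain) can be written down as one small triage routine. The code below is an added example for this article, not Yahoo!'s or any browser's code. The `assess_url` function and its warning strings are my own naming, the "last two labels" rule for the registrable domain is an assumption that holds for .com/.net/.org but not for country suffixes like .co.uk, and the example URLs are constructed from the ones the article mentions.

```python
"""URL triage for the signs the article lists: https, IP-literal hosts,
misspelled domains, hyphenated "variations", and the real name buried in a
subdomain. Added example code, not Yahoo!'s or any browser vendor's."""
from urllib.parse import urlsplit
import ipaddress

# Digit-for-letter swaps that read the same at a glance (assumed list).
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def registrable_domain(host: str) -> str:
    """'login.yahoo.com' -> 'yahoo.com'. Uses the last two labels, which is
    right for .com/.net/.org; country suffixes such as .co.uk would need a
    public suffix list, which this example leaves out (assumption)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_ip_literal(host: str) -> bool:
    """True for hosts like 102.199.60.250 or [::1]."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance; 'yohoo' vs 'yahoo' is one substitution."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess_url(url: str, expected: str) -> list[str]:
    """Return the warnings a careful reader should raise; [] means the URL
    is https and its registrable domain is exactly `expected`."""
    parts = urlsplit(url)
    warnings = []
    if parts.scheme != "https":
        warnings.append("not https: anything typed into the page travels in the clear")
    host = parts.hostname or ""
    if not host:
        return warnings + ["no host in URL"]
    if parts.username is not None:
        # http://www.yahoo.com@evil.net/ goes to evil.net; the part before @ is a login name.
        warnings.append(f"user@host trick: browser goes to {host}, not {parts.username}")
    if is_ip_literal(host):
        return warnings + ["bare IP address instead of a domain name"]
    domain = registrable_domain(host)
    if domain == expected:
        return warnings
    brand = expected.split(".")[0]      # 'yahoo'
    label = domain.split(".")[0]        # 'yohoo', 'yahoo-security', ...
    if expected in host:
        warnings.append(f"real name '{expected}' buried inside a subdomain of {domain}")
    elif brand in label.replace("-", ""):
        warnings.append(f"variation of {expected}: {domain}")
    elif edit_distance(label.translate(CONFUSABLES), brand) <= 1:
        warnings.append(f"misspelled lookalike of {expected}: {domain}")
    else:
        warnings.append(f"unrelated domain {domain}")
    return warnings


if __name__ == "__main__":
    # Constructed sample URLs modelled on the ones in the article.
    for sample in ["https://login.yahoo.com/config/login_verify2",
                   "http://www.yohoo.com/", "http://center.yahoo-security.net/",
                   "http://102.199.60.250/", "https://www.yahoo.com.secure-login.net/",
                   "http://www.yahoo.com@evil.net/"]:
        print(sample, "->", assess_url(sample, "yahoo.com") or "looks fine")
```

The lookalike test is deliberately loose (one character off after mapping digits to letters), because a reader's eye is even looser; a domain that merely contains the brand's name is reported as a "variation" before the spelling test runs, which is the same order of suspicion the article recommends.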

Other Tips

1) Never test a suspicious web site to see whether it's legitimate by entering a password or personal information, not even a fake one. Simply visiting such a site may install malicious software, such as a keylogger, that records everything you type and sends it to the scammers.

2) Stay abreast of the latest scams: The FBI's web site has a list of all the latest scams reported, so check it periodically.

3) If you're being urged to "verify" sensitive account information, contact the company directly instead. Always type the web site's address into the address bar yourself rather than clicking links in a suspicious email.

4) PayPal never uses generic greetings in its emails. Next time you get an email from PayPal, check the salutation; PayPal will usually address you by your member name. The reverse doesn't hold, though: a scammer who already knows your name can use it too, so a personal greeting alone doesn't prove an email is genuine.

5) Emails from banks and credit card companies will usually include partial account numbers. Be suspicious of any message that contains no specific personal information at all.
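Tips 3 through 5 are about the message itself rather than the web site, and they, too, can be checked mechanically: does the From: address belong to the company the mail claims to be from, is the greeting generic, and does the text of each link show one address while the link actually points somewhere else? The code below is an added example, not PayPal's or Yahoo!'s, and the two messages in it are constructed for the demonstration (the sender domains, names and links are invented). The `triage_email` function and the list of generic greetings are my own choices.

```python
"""Message-level phishing signs: off-brand From: address, generic greeting,
and link text that shows one address while the href points to another.
Added example code with constructed messages; not PayPal's or Yahoo!'s."""
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit
import re

# "Dear Customer", "Dear Valued Member", "Hello PayPal User" ... (assumed list)
GENERIC_GREETING = re.compile(
    r"^\s*(dear|hello|hi)\s+(valued\s+)?(\w+\s+)?(customer|member|user|client|account\s+holder)\b",
    re.I | re.M)
# Link text that is itself an address, e.g. "www.paypal.com/cgi-bin/webscr"
URL_LIKE = re.compile(r"(https?://)?[\w-]+(\.[\w-]+)+(/\S*)?$", re.I)


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(s: str) -> str:
    """Hostname of a URL or of a bare 'www.example.com'; '' if s is not an address."""
    s = s.strip()
    if not URL_LIKE.match(s):
        return ""
    if "://" not in s:
        s = "http://" + s
    return (urlsplit(s).hostname or "").lower()


def under(host: str, domain: str) -> bool:
    """True if host is domain or a subdomain of it ('notpaypal.com' is not)."""
    return host == domain or host.endswith("." + domain)


def triage_email(raw: str, claimed_domain: str) -> list[str]:
    """Return findings for a raw RFC 822 message claiming to be from claimed_domain."""
    msg = message_from_string(raw)
    findings = []
    _, sender = parseaddr(msg.get("From", ""))
    if not under(sender.rpartition("@")[2].lower(), claimed_domain):
        findings.append(f"From: is {sender or '(empty)'}, not an @{claimed_domain} address")
    body = ""
    for part in msg.walk():                       # first text part, plain or HTML
        if part.get_content_type() in ("text/html", "text/plain"):
            body = part.get_payload(decode=True).decode(part.get_content_charset() or "utf-8")
            break
    if GENERIC_GREETING.search(re.sub(r"<[^>]+>", "", body)):
        findings.append("generic greeting instead of your name")
    collector = LinkCollector()
    collector.feed(body)
    for href, text in collector.links:
        shown, real = host_of(text), host_of(href)
        if shown and real and shown != real:
            findings.append(f"link shows {shown} but points to {real}")
        elif real and not under(real, claimed_domain):
            findings.append(f"link points off-brand to {real}")
    return findings


# Constructed phishing message (all names, addresses and links invented).
SAMPLE_PHISH = """\
From: "PayPal Security" <service@paypal-alerts.net>
To: you@example.com
Subject: Your account has been limited
Content-Type: text/html; charset=utf-8

<html><body><p>Dear PayPal Member,</p>
<p>We noticed unusual activity. Please confirm your details within 24 hours:
<a href="http://www.paypal.com.verify-account.net/cgi-bin/webscr">www.paypal.com/cgi-bin/webscr</a></p>
</body></html>
"""

# Constructed legitimate-looking message for comparison.
SAMPLE_LEGIT = """\
From: PayPal <service@paypal.com>
To: you@example.com
Subject: Receipt for your payment
Content-Type: text/html; charset=utf-8

<html><body><p>Hello Jane Example,</p>
<p>You sent a payment. <a href="https://www.paypal.com/us/cgi-bin/webscr">Log in to PayPal</a> to view it.</p>
</body></html>
"""

if __name__ == "__main__":
    print(triage_email(SAMPLE_PHISH, "paypal.com"))
    print(triage_email(SAMPLE_LEGIT, "paypal.com") or "no findings")
```

An empty result is not a clean bill of health: the From: header is trivially forged, so a message can pass the sender test and still be a phish. The tip to type the address yourself instead of clicking still applies.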

Test Your Phishing IQ 

The Washington Post and MailFrontier have some excellent tests you can try out. Find out how well you recognize a fake. Then come back, and tell me how you did.

Do you have extra tips to offer? Share them with me in the section below.

Disclosure: Yahoo! Mail is owned and offered by Yahoo!, Inc., which also owns and operates Yahoo! Tech.


Comments on How to Spot a Phishing Scam


  • 6 Posted by silverlox3 on Thu Sep 3, 2009 9:23PM EDT

    Hey, This was a great article because it does seem as if a lot of people still don't really know about these kinds of things. I always catch the fake emails, but one time a "credit card company" called me and I gave them all of my social security except for the last 4 digits when I realized it was most likely a scam. It is too easy to let your guard down. It is a shame that there are people out there with such low values and morals. They should be ashamed that they were ever born. Anyways, here is another tip for avoiding spoof emails. When you read a real email from a company like ebay or paypal, it is very professional. There may be one or two mistakes. But when you receive a spoof email there are usually a lot of typing errors, whether it is misspelled words or things that just seem wrong. A lot of times the logo will be a little bit messed up. I hope that helps some people.

  • 7 Posted by cornhusker1940@sbcglobal.net on Thu Sep 3, 2009 3:29PM EDT

    Thanks much for your articles on phishing. I am all for revocation of their rights and hope they can be shut down when caught and a heavy fine should also be in order!

  • 8 Posted by jophhart@flash.net on Thu Sep 3, 2009 4:40PM EDT

    good information. I took the Washington Post test and errored on one to the conservative side. Passed your article on to my children. thanks

  • 9 Posted by lee34swann on Thu Sep 3, 2009 6:48PM EDT

    Just went to the Post and took their Phishing test. I answered all the questions correctly.

  • 10 Posted by msuttonateuclid on Thu Sep 28, 2006 9:01AM EDT

    Watch out for phishing scams using VoIP technology too. See here for story on it as well as more about ID theft and security breaches: http://blog.euclidmanagerskc.com/home/a-new-twist-on-phishing.html

  • 11 Posted by stevenut69 on Thu Sep 3, 2009 9:43PM EDT

    Be aware of so-called lotteries, or contests. If they were for real, I would be the luckiest man alive. So far I've won the grand prize from Coca Cola and Pepsi (both spelled wrong in the emails), and have won lotteries for practically every country in Europe. Not sure if they are phishing scams per se, but they are definitely scams. After letting you know you have "won", they ask for all of your personal information so that they can send you your "prize". I have never done it, and I would highly recommend that no one else does. Also beware of fake profiles on any personals site, on e-bay, auto-trader... I could go on forever, these are just a few I have had personal experience with scammers. Use your common sense: if it seems too good to be true, it probably is!! For example, if you get a wink from someone on Yahoo Personals who looks like a supermodel, and wishes to be your true love forever, no offense, but chances are you're being solicited. Bottom line... if you don't feel comfortable doing something online, or have any doubt whatsoever, DO NOT DO IT!! I love the internet, and don't know how I would live without it, but I also know I have to be careful. My advice is to do the same. Good luck!! :o)

  • 12 Posted by donaldhild@sbcglobal.net on Thu Sep 3, 2009 3:46PM EDT

    Your article said not to click on an e-mail that appears to be phishing and delete it. In order to delete any message, you have to highlight it which means you are looking at that message. Attachments to e-mails I never click on. I've also been getting a lot of these e-mails lately. How can I stop this? I have been forwarding them to spam@uce.gov. I have also been advised by Yahoo to mark it as "spam" from which I can delete it. It still has to be highlighted to do that. This is a pain and I would just like to eliminate them altogether.

  • 13 Posted by pfpelican on Thu Sep 3, 2009 8:08PM EDT

    The best policy is to assume all emails and all of what you see online is a lie, including this.

  • 14 Posted by n2jdj on Thu Sep 3, 2009 7:32PM EDT

    I always check "properties" by right clicking on the subject line and view the real address behind the fake address. Fortunately, my email client software converts everything to text and automatically disables all links within the "phishmail". However, occasionally one or two phishmails will get through the "sniffer" program, as they are getting very good at scamming people!!! Ebay and Paypal always duplicate their emails to clients on the client's account; if it isn't there it's FAKE! You should always forward them to spoof@ebay.com or spoof@paypal.com and report them!

  • 15 Posted by judyh03@sbcglobal.net on Thu Sep 3, 2009 4:43PM EDT

    Two days ago I received a phishing email from "Online Banking - Bank of America". The subject line was "Your online banking account has been suspended". I opened the email, recognized it was a Phish and of course didn't reply with all of the personal info the email requested. I immediately forwarded it to the Bank of America's abuse dept. Upon forwarding the phish email, I received an immediate acknowledgement message back thanking me for the forward. The weird thing is the reply came from an address "Abuse@yahoo.com". Why would Bank of America use an address like a yahoo address? Did I have malware put on my computer just by opening the email phish? Please help me and how can I check and remove malware? I ran a scan and my spyware and it came back negative. I am not very computer savvy.

  • 16 Posted by k_meacham1960 on Thu Sep 3, 2009 4:55PM EDT

    Gina, the article came out 1 day too late for me. I got an email saying that someone in France tried to use my paypal account from France and I should check my account to ensure it was still in working order. Upon clicking the link (like a dummy) it went to a real looking site, but thank the lord my sbc security kicked in and let me know it was a phishing scam also trying to download a virus. I deleted it right away, only hope I got it in time, only time will tell.

  • 17 Posted by ginisue@sbcglobal.net on Thu Sep 3, 2009 4:09PM EDT

    I frequently get e-mail with subject looking like alphabet soup. B#L$I%O*P or something to that effect. I don't open any e-mail from anyone or anything I don't recognize and I never order online or belong to Paypal although I did get an e-mail from Paypal. I knew it wasn't legit, so I ignored it. You'd think if someone was smart enough to figure out elaborate scam schemes, they would have made it big in the corporate world in legitimate enterprises, wouldn't you? Some people are simply born to do wrong no matter how they were raised. How sad. Thanks for letting me give my two cents. Clotilde

  • 18 Posted by shoajr on Thu Sep 3, 2009 9:21PM EDT

    Wow! I'm in trouble! I got very poor scores on both quizzes. I'll be very careful in the future when opening emails and I will NEVER click a link on an email again. Thank you Gina, very valuable information!

  • 19 Posted by cyboarg on Thu Sep 3, 2009 3:33PM EDT

    The same thing happened to me as happened to tiffanyshearing. I have reported the phish to PayPal, FBI and local news station. I consider myself an aware Internet user and I came close to giving all my info away in this scam. It was the little things that caught my attention and threw up the red flags. I did have to go into my PayPal account and change my password. I want to know how someone got all our PayPal email addys anyway.

  • 20 Posted by thecassfamily@sbcglobal.net on Thu Sep 3, 2009 10:03PM EDT

    I had never had a problem with phishing until I posted a comment to a news story about fighting in the Middle East. Within a few days I was bombarded by phishing emails. They were all from PayPal. I am not very computer savvy, but I have also never had a PayPal account so it was a no-brainer. I deleted the email and reported the abuse to Yahoo and contacted tech support to see if there was anything else I could do to protect myself since I was getting spammed as well. Because tech help was outsourced there was a serious communication problem and none of my questions really got answered. Thank you for the article - it really helped.

  • 21 Posted by sunshine51817 on Thu Sep 3, 2009 9:48PM EDT

    Signing OUT of email and independently checking the home page of ANY company sending unsolicited email is a GREAT idea. Hope everybody saw that. Thank You.

  • 22 Posted by slooprobert on Thu Sep 3, 2009 9:28PM EDT

    I got 50% right... I checked all of the examples as fake. Also none of the URLs had the "S" so I figured they were faked.

  • 23 Posted by sinbad_sailor@sbcglobal.net on Thu Sep 3, 2009 9:23PM EDT

    Gina, great topic. Question. When I get a suspicious e-mail, usually an unknown name, and I open it, if I gently "roll" over the links in the mail, if they all indicate the same URL and it's always a long bunch of numbers and garbage, you know you should never go to any of those sites. IS THAT A GOOD INDICATOR? I have seen ones that say, "to eliminate e-mail from this site, click here" that also has the same location. I would love to see you provide an even better breakdown of how these scammers try to trick you. As a retired Financial Advisor, I am particularly aware of the penny stock scams that pop up all the time which always have some English gibberish attached. Is that because they come from an international site and the language translation doesn't really work that well? DO I DO MYSELF ANY HARM BY OPENING THE EMAIL BUT NOT GOING TO ANY OF THE LINKS????

  • 25 Posted by rxnelson02@sbcglobal.net on Thu Sep 3, 2009 8:57PM EDT

    Apparently not all major banking institutions use the secured login web page as suggested in Gina's article. At least based on the testing I did. For example, I went to the login page of Bank of America and Meriwest Credit Union, and neither of them had the "https" designation noting a Secure Socket Layer. However, Yahoo as well as Sears both displayed the "https" designation. Also, the Sears web page had the pad lock icon but neither of the banks. So Gina, does this mean that we are exposed to risk when logging onto these particular bank sites?
