We’re pretty safe on the internet using OS X, or so we’d like to think. There’s tons of worms, viruses and spyware scams out there in the Windows world to fear but even with OS X, you can still be phished. Viruses and spyware can seriously mess up your computer, but phishing is designed to mess up your life. So protect yourself from identity theft with these eight ways to avoid phishing attempts.
1. Do you do business with this organization?
Always ask yourself this question when receiving emails from banks, PayPal, Ebay, Amazon or any other online business. I routinely receive fake emails from Bank of America telling me that my account needs verification. Too bad I don’t have an account there. This eliminates the majority of phishing attempts that I receive.
2. Is this the right email account for contacting you?
It’s always good to have separate email accounts for separate purposes. One for bills, banking, friends and family, another for online purchases and yet another for public usage (resume, web forms, site memberships, etc). Most likely, the public usage account will get heavily spammed and you’ll know right away that any financial, bank, or credit card email coming to that address is not legitimate.
3. Who is the sender and receiver?
Looking at the To: and From: fields of an email will also give you a clue if it’s a real message or a phishing attempt. If the From: address is something like firstname.lastname@example.org you know it’s not really Bank of America emailing you. Also take a look at the To: field to make sure its been addressed to you. Sometimes the To: isn’t right either.
Note: The To: and From: address fields are very easy to forge. If it’s the right addresses, it doesn’t automatically mean the email is real. Noticing this will eliminate obvious phish attempts.
4. Is the email addressing you by name?
Most companies will address you by either you full name or account number (ending in XXXX). They will never, ever address you as “Member”, “Valued cardholder”, “Account Holder”, or anything other than your full name / account number.
Note: It’s becoming more prevalent that phishing attempts use your name / account number. This doesn’t automatically mean the email is real either.
5. How is the email worded?
Many phishing emails aren’t written by native speakers. Sometimes these emails lack the nuances of proper spelling, grammar and punctuation. This is where grade school english class can save you. Details like this can easily identify fake emails.
Also, is the email asking you to open an attachment/document that normally would be mailed to you via the post office? (Hint: The IRS doesn’t send tax statements in an email attachment.) Does this attachment have an extension other than .doc or .pdf? Something like “statement.exe” is a dead giveaway.
Finally, does the email contain extremely technical language to scare you into action? Examples would be:
- “We’ve included secure socket layer transmission into our website and need you to verify your information.”
- “Our multi port layer seven firewall software requires you to sign in.”
- “The security certificate authority domain registrar has changed and you must register your information.”
Most of these terms either make no sense to someone who understands them or technically describe normal web traffic and functions. Your credit card company is not going to use terms like this to address the general public.
6. What is the email asking you to do?
A legitimate email is never, ever, ever going to ask you for your social security number or any other sensitive data. Companies you do business with have this information and do not need it again. Also, web forms inside an email are not secure transmissions and a real email would never make use of them to send confidential data. Finally, any email wanting you to disclose sensitive information by “clicking here” is fraudulent.
Note: Beware of “vishing”. If the email asks you to call a number to verify data, check the number against their website or your monthly bill. Is it the same? If not, call the real number and ask.
Also Note: Credit card CVV numbers are for authorizing purchases ONLY. They are never asked for in any other case.
7. Where do the links go?
Take a close look at the links inside these emails versus what the status bar at the bottom of your browser says. Do they go to the same place? Note if the links are for http:// or https://. Http:// is not secure and more than likely leading to a phishing site.
Also, it is important to know that the . symbol separates internet domains. Always check that URL, because something like “https://www.paypal.com.check.authorization.info/form.asp” is NOT going to PayPal. In fact, it’s really going to the site “authorization.info”.
Be careful because all the other links in the email could be legitimate with the final “click here” link going to a fraudulent site.
8. Practice Common Sense.
When receiving questionable emails, ask yourself the following:
- Is this something that my bank/site would normally send?
- Is this something I can easily do by calling or logging in on your own?
- If the email references a recent request or call – Did I recently make a request/call?
- Is this email just a notification, and not asking me to do anything? – This one is likely real.
Remember, any company/bank you do business with already knows your information. They don’t need to ask you for it again or verify it. And they would never do it in an insecure manner.
Take the Phishing Test:
Now, that you’ve read this, test your knowledge with SonicWall’s Phishing Test. They will show you ten emails and it’s up to you to decide if it’s real or a phishing message. Good luck!