Phishing Lures - A Tutorial On How Not To Get Caught By Them

RevenuePilot.com - Premiere Online Advertising Network
Attention Webmasters: Monetize your traffic. Get paid up to $2 for each unique click-through. No monthly limits, no conversion rates and no service charges. Receive your money by check or paypal anywhere in the world at no extra charge.

Phishing is an attempt by people to obtain information illegally by pretending to be a company or organisation that you trust (e.g. PayPal, eBay or your bank). You will typically receive an email that looks like it has been sent by the organisation in question (e.g. it will have all the right logos and fonts), but it is actually an attempt to get you to log on to what you believe to be the genuine website when, in fact, it is a bogus website that will capture the logon details that you enter so that they can then use this information to access your real account and rob you.

All of the responsible financial organisations will always tell you that they will never ask you to do this sort of thing, and they will never ever ask you for your password. I worked for a major UK credit card company for nearly 20 years, and I know this to be true, so no matter what the email says, do not type in your password unless you have 100% confidence that you are using the genuine website.

So, if you receive an email that looks like it's from a company you trust, what should you do?

Well, here's a few tips that I've developed over the years, and I'll use an email that I received today as an example, which looks as though it came from Barclays Bank:

Firstly, never click on any link in such an email until you have checked it out thoroughly. Even if you get to a bogus website and then decide not to enter your user name and password, you can still get a nasty virus, worm or Trojan Horse on your computer simply by visiting that website.

Secondly, try to remember if you actually have an account with the company in question, as, sometimes, you will get such an email from a company such as eBay or PayPal that you regularly use, but other times, it may come from some bank that doesn't ring a bell at all. If you really think you don't have an account with the company, delete the email immediately! As it happens, I know I have an account with Barclays, so I'm not done yet.

A give-away can sometimes be the email address to which the email was sent. Notice that on this email, it was sent to "magicmonitor".

If, as in this case, the actual email address isn't shown (i.e. it's only a "nickname), then you can see the actual address to which is was sent by looking at the Properties of the email (select File / Properties if you have the email open, or right-click on the email if you're looking at the list of emails in a folder and then select Properties from the context menu that appears). Once you have the Properties window open, you should select the Details tab, and somewhere amongst all the technical details will be a line that looks something like this:

Here, you can see that the actual email address this email was sent to is "magicmonitor@markfarrar.co.uk". This email address has actually been scraped off my personal website (I know, I should make my contact details spam-proof, but I just haven't got around to it yet), and is never one that I would use to sign up for an online banking service.

So, I could probably stop checking at this point, being confident that it's not a genuine email.

It's also worth checking what email address was used to send the email. You can find this out, if it's not shown in the email itself, by checking the email's Properties, as above. If I look at the email we're discussing, then I found the following:

This looks like it could be a valid email address for Barclays, but sometimes you'll see emails that purport to come from a major company being sent from a Hotmail address or a Yahoo address, and this too is a pretty good sign that it's a phishing email.

But assuming that the email addresses look OK, then the next thing you should try is to see what URL (or website) the email is trying to get you to visit.

Be careful here, because the website address shown in the email may not be the one that you end up at!

What you need to do is, firstly, see if a URL is displayed in the status bar at the bottom of the email, as this may show you the actual destination. In the sample email we're using for this tutorial, here is what is displayed in the status bar of the email:

How do I know this, because it looks as though it's a Barclays domain name, doesn't it? After all, it begins with http://www.barclays.co.uk.

Actually, a URL is made up of many parts, and you need to check most or all of the URL before you can decide if it's genuine or not.

Most URLs should begin with the letters "http://", although they are not always present.

The bit known as the top level domain is one of a strictly controlled set of identifiers, with ".com" being the most well known, but there is a slowly growing number of these (e.g. .info, .biz, .net, .org, and ones for most countries in the world too). In the sample email we're looking at, it's that ".info" that we want.

The part before that final identifier is known as the second level domain and is, in this case, "dllinfo", so the domain name that this person has bought is "dllinfo.info".

Everything after the "www." and before the "dllinfo.info" is what is technically known as a "sub-domain", and you can more or less create whatever you want here. In this case, the person sending this phishing email has used "barclays.co.uk.customercare.goto."

So, this person has created a very long URL that, at first glance, looks like a genuine Barclays one, but in reality, it isn't.

So, once more, I could have stopped checking at this point, but what if this still shows a URL that looks genuine (which is possible)?

Don't click on anything yet, as there is still one more thing you should try to check about that URL.

You need to view the source code of the email itself. To view the source code, there may be an option on the View menu at the top of the email or email program (such as Outlook Express), in which case you can select that, and the contents of the email will be opened up in a text editor (such as Notepad). If this option is not present (e.g. in my version of Outlook Express, it's not), then you need to do something else first: you should save the email using the File / Save As menu option, and make sure you select the Save As Type HTML option. Save the email, in HTML format, to somewhere on your computer. Once it has been saved, you need to open that file using a text editor such as Notepad; do not open it in your web browser (e.g. Internet Explorer, FireFox).

Once you have it opened, you can begin the next check, and if you don't know HTML (the language in which websites are typically written), don't worry.

What you need to do is use the Search or Find feature (it's usually on the Edit menu) and look for the word "href". (This is the HTML word that indicates a link to a website.)

When you find each occurrence of the word "href", see what follows it - it will be a website address (or URL). Here's an example from the sample phishing email we're discussing. The URL I found in the source code of the email was:

The same rules apply here as they do when checking the URL that is displayed in the status bar and, in this sample email, the URL shown in the source code is exactly the same as is displayed in the status bar, but note that this may not always be the case.

Another dead give-away is if the entire email is made up of an image, as genuine emails are rarely composed in this manner (i.e. they're usually a mixture of text and images).

You can't see from the image of the sample email above, but if I move my mouse pointer anywhere over the email, the mouse pointer is displayed as the hand symbol (which usually denotes a link to a website, and which are often, but unfortunately not always, displayed in blue and underlined) rather than the arrow that is usually seen.

This is about the third clue in this particular email that points to its bogus nature.

The last indication you might get from the email itself is concerned with the quality of the English and the presentation. Generally speaking, genuine emails from real companies won't use bad English (e.g. poor grammar, incorrectly spelled words), although, sadly, this isn't always the case. But a "poor" email should at least raise a flag that something may be amiss.

If you really think the email may be genuine, you still shouldn't click on any link. Instead, go to your web browser and go the website yourself. This will involve either typing the URL in manually, if you know it (e.g. I know that Barclays' online banking website's address is https://ibank.barclays.co.uk/), or searching for it in a search engine (e.g. Google).

When you get to the website, and if it belongs to a financial institution, it should be "secure". This means that you should see a closed padlock symbol near the bottom of your web browser.

You can also check to see if the website has a "certificate". This is a tightly controlled system to ensure that secure websites really do belong to who they say they do. To find out if a website (or page) has a certificate, right-click on some blank part of the website and, on the context menu that pops up, select the Properties option. When the Properties window opens, there should be an option somewhere called Certificates, and if you click that, you will get details of any security certificates that are in effect. The Certificate should show to whom it was issued, and this should match the website address you are at, and also a Valid From date range, as certificates need to be renewed by the company on a regular basis.

I know that all of this seems like a lot of trouble, but which would you rather do - spend a few minutes checking that the email is genuine, or potentially having somebody rob you of lots of money, or misuse your eBay account leaving you with the problem of resolving the issues that arise?

Finally, it is well worth investing in a good anti-spam program, as these will trap most of these phishing emails (as well as other spam trying to sell you all sorts of things that you don't want). The one I happen to use is Cloudmark Desktop (and you can see in the image above that Cloudmark did correctly identify the sample email we've been discussing as spam), but there are plenty to choose from.

Well, I hope that this proves useful to you, and if it saves only one person from losing loads of money, then it's been worthwhile.

(Note that I am using Outlook Express, so some of the menu options and commands above may be different if you are using a different email program.)

Mark Farrar has been building websites since 1997, both for personal and business use, and is the co-founder and webmaster of www.WealthyTeddy.co.uk, incorporating www.AllKindsOfShiznit.com, amongst many others.