This is an example of a real phishing message. Hover over a link to expose the actual destination before clicking. Someone who is tricked into opening the Google Docs link below would instead have been directed to a malware-infected site, "radiobenemerita.com":
- Major vendors and organizations will never use scare tactics in E-mails. They will call you if critical issues must be addressed.
- You should NEVER share critical personal information, like credit/store card or account numbers, social security numbers, etc., via E-mail.
- Always hover over links in e-mail before clicking to ensure the destination is legitimate (see image below).
- If the E-mail requires you to click a link to enter your information, instead type the company/website information into your Internet Browser manually and navigate to the proper area. E-mail links can be deceiving, and do not necessarily lead you to the site or page disclosed.
- If the sender, subject, or E-mail content contains improper English grammar or punctuation, be aware.
- If you receive an unsolicited message from a company/organization/individual you do not ordinarily work with or have never heard of, be aware.
- If a friend or relative sends you any type of message that appears out-of-character, contact them and delete the message. Some types of malware, like viruses, are able to send mass E-mails and social networking messages from infected computers, masquerading as a legitimate message in an attempt to infect additional systems.
Determining the Validity of a Message
Believe it or not, e-mail is very similar to physical mail in several ways. One such way is that, just as you can specify ANY return address on an envelope, you can also easily disguise who an E-mail is from. Therefore, when dealing with a message that requires validation, further steps should be taken to ensure the message is legitimately from who it claims to be from.
Every e-mail message has hidden information, called the "header", which shows the exact path a message took before it reached you. If you've received a message from a company disclosing information that you may need to act on, it's best to contact the company directly via the phone or their website first. In the meantime, you can determine the validity of the message by looking at its header. Please check with your mail program's help documentation to discover how to view message headers.
I received a message from Google, and upon looking at the message header, I can verify that it indeed did come from Google:
The blue outlines the actual server sending the message; this CANNOT be forged, just as you can't forge the postmark on a real mail envelope. The information highlighted in Green - Date, Subject, From - CAN be forged and must be matched up against the area in blue to establish validity.
The following message is an example of a real-life phishing E-mail, where we were supposedly sent an invoice with a link to log-in and review this invoice. The message was considered suspicious because we did not recognize the sender. Further examination of the message header confirmed this. The link in the e-mail, if clicked, would have redirected us to a website attempting to infect the computer with a virus.
The area surrounded by Yellow - which is customizable - shows the message is from "montannasskys.net". However, the area that cannot be forged, in Red, clearly shows the message originated from "...jino.ru". .RU signifies the system sending the message resides in Russia; therefore this message was not opened but rather rejected.
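The header comparison described above can be scripted as follows. This is an added example, not part of the original page. It assumes Postfix-style `Received` lines, a receiving server named `mx.example.org`, and a constructed sample message; the page elides the full sending host name, so the left-most label `placeholder` stands in for it.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed Postfix-style trace line: "from HELO (rdns-name [ip]) by receiving-server ..."
RECEIVED = re.compile(r"from\s+(\S+)\s+\(([^\s\[]*)\s*\[([^\]]+)\]\)\s+by\s+(\S+)")

def base_domain(host):
    """Last two labels of a host name; an approximation (no Public Suffix List)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def check_sender(raw, my_mx):
    """Compare the claimed From domain with the host recorded by our own mail server."""
    msg = message_from_string(raw)
    claimed = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    for line in msg.get_all("Received", []):
        m = RECEIVED.search(" ".join(line.split()))  # unfold the header first
        # Only the line stamped by our own server is trusted; earlier hops
        # and the HELO name are supplied by the sender.
        if m and m.group(4).lower() == my_mx:
            helo, rdns, ip = m.group(1), m.group(2), m.group(3)
            return {"claimed": claimed, "helo": helo, "rdns": rdns, "ip": ip,
                    "match": bool(rdns) and base_domain(rdns) == base_domain(claimed)}
    return {"claimed": claimed, "match": False,
            "reason": "no Received line from " + my_mx}

# Constructed sample; "placeholder" is not the real host label, and the IP is
# from a documentation range.
SAMPLE = """\
Received: from mail.montannasskys.net (placeholder.jino.ru [203.0.113.25])
\tby mx.example.org with ESMTP id 4ABCD; Mon, 01 Jan 2024 10:00:00 +0000
Received: from internal (localhost [127.0.0.1])
\tby mail.montannasskys.net with ESMTP; Mon, 01 Jan 2024 09:59:58 +0000
From: "Billing" <invoice@montannasskys.net>
Subject: Your invoice
Date: Mon, 01 Jan 2024 09:59:00 +0000

Please log in to review your invoice.
"""

if __name__ == "__main__":
    print(check_sender(SAMPLE, "mx.example.org"))
```

A mismatch is a reason to look closer rather than proof of forgery, since legitimate senders often send through third-party mail services.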
Transmitting Sensitive Information
E-mail is not a secure method of communication, and should NEVER be used to send personally sensitive information. If information of this nature must be sent, the preferred method is to encrypt it, such as within a password-protected PDF.
Electronic "Spam" is any message you receive that is not legitimate. Examples include:
- Messages that contain unreadable, non-cohesive, or irrelevant content - such as a random book excerpt.
- Advertising, newsletters, or informational notices that you didn't sign up for.
Spam and phishing messages can often be similar; therefore, it's best to treat all spam as potentially dangerous. When dealing with spam:
- Avoid opening Spam. Messages containing images may track when/where you open the image and therefore confirm your email address is active, potentially increasing the amount of spam you receive.
- NEVER click links within spam, unless the message is from a legitimate, reputable party, such as a large clothing chain, etc. In this case, the message will contain a legitimate unsubscribe link that should be used.
- Mark messages in your Inbox as Spam when they are received to increase the accuracy of your mail program's Spam filtering.
- Do not sign up for random content or contests on the Internet, unless from reputable sources.
- When signing up or creating an account that requires an E-mail address, read the fine print, ensuring to uncheck any boxes that represent your consent to send advertising and/or newsletters.
More so than ever, e-mail accounts are being compromised and used maliciously to send messages to other users, often to those users within the account's address book. If you receive one of these questionable messages from another person, make sure to alert them immediately and share the following information:
- Change e-mail and chat program passwords frequently, at least once or twice per year.
- If you believe your e-mail or chat account has been compromised, change your password immediately and run an anti-malware (or anti-virus) scan on personal computers. If you're not able to log into your account to change your password, notify the service's customer support immediately.
- To prevent your password from being compromised, follow the password tips on this page.
- Don't auto-save your password on your computer (this includes Internet Browsers, E-mail Applications, and Chat Programs). Using this tip will also increase your privacy if other users access your computer.
- Do not use third-party chat programs unless you are certain they are reputable.
- When entering your username/password online, ensure the website is secured.