Smart SpendingSmart Spending

Phishing: A real-life example

It looks like it's from an institution you trust, but it's really not.

By Karen Datko Oct 15, 2009 6:08PM

This post comes from partner blog The Dough Roller.


I recently received a phishing e-mail intended to trick me into divulging confidential banking information. As a follow-up to my LifeLock review, I thought I'd share the e-mail with you. If you're not familiar with phishing e-mail or how to detect them, I'll cover that in a moment. But first, here's an image of the e-mail I received:


What's so suspicious about this e-mail? Here are three things:

  • I don't have an account with this bank.

  • Financial institutions will never send you an e-mail with a link asking you to confirm any information.

  • Wording such as "obligatory activation" is a bit odd.

In this case the phishing e-mail was not all that sophisticated, but they can be. So let's look at what a phishing e-mail is, how to detect a phishing e-mail, and finally, some resources you can check out for additional information.


What is phishing?

According to the U.S. Computer Emergency Readiness Team -- US-CERT -- phishing is a form of social engineering. Phishing attacks use e-mail or malicious Web sites to solicit personal, often financial, information. Attackers may send e-mail seemingly from a reputable credit card company or financial institution that requests account information, often suggesting that there is a problem. When users respond with the requested information, attackers can use it to gain access to the accounts.

Phishing e-mail typically includes a link you are asked to follow to confirm or update certain confidential information like your address, Social Security number or mother's maiden name. The link often takes you to a site that looks virtually identical to the legitimate site being spoofed.


How to know if you've received a phishing e-mail?

While a phishing e-mail can be very convincing, there are several telltale signs to look for:


Unsolicited e-mail. Generally, you should be leery of any unsolicited e-mail, particularly those that include links.


Urgency. Most phishing e-mail seeks information from you urgently. They indicate that your account will be suspended or your card deactivated. In the e-mail above, the information was to "avoid account suspension."


Company logos. The e-mail often contains the logo of the financial institution the fraudsters are trying to mimic. Don't be fooled. Anybody can cut and past a logo into an e-mail or onto a Web site.


It's my bank, so it must be legitimate. Sometimes the e-mail will be about a bank or other company where you actually have an account. Did you ever wonder how the scam artists know that you bank at Citibank or carry a Chase credit card or have an eBay account? They don't. They are just playing the odds. For example, they may send out 1 million e-mail messages, knowing that 80% of the recipients don't bank at whatever financial institution they've decided to spoof. But they are counting on some percentage of the remaining 20% to respond to their "urgent e-mail."


Assurances of security. Phishing e-mail often includes statements and images designed to convince you that they are just as concerned about e-mail scams as you are. For example: "Remember: eBay will not ask you for sensitive personal information (such as your password, credit card and bank account numbers, Social Security number, etc.) in an e-mail." The link in the e-mail then sends you to a site that does ask for confidential information.


Links and return e-mail addresses: Scam artists can do a lot of hocus-pocus with the links embedded in the e-mail and with return e-mail addresses. For example, the text in the link can differ from the actual link destination. They can hide the link destination so it doesn't appear at the bottom of your browser when you hover the mouse over the link. They can use the IP address as the destination for the link to obscure the real destination. That's what the e-mail above did.


The unfortunate point to all this is to trust nothing when it comes to unsolicited e-mail. And if you have any doubts about whether an e-mail is legitimate, call your bank or other financial institution using the customer-support number on your credit card, debit card or last statement.


Additional resources

Here are some additional resources, including where and how you can report a phishing e-mail:

  • Phishing IQ Test by SonicWALL. This test presents you with screenshots of 10 e-mails and you decide whether they are phishing e-mail or legitimate.

  • Report Phishing: You can report a phishing e-mail with US-CERT. US-CERT also has a good article called "Avoiding social engineering and phishing attacks." Also check out their reading room for more great articles.

  • Phishing e-mail list: This site tracks phishing e-mail and provides a list of all known phishing e-mail by date. Please note that just because an e-mail you received is not on the list does not mean the e-mail is legitimate. The e-mail I received happened to be on the list, and you can check out the details here.

Related reading at The Dough Roller:

Published June 17, 2008



Copyright © 2014 Microsoft. All rights reserved.

Fundamental company data and historical chart data provided by Morningstar Inc. Real-time index quotes and delayed quotes supplied by Morningstar Inc. Quotes delayed by up to 15 minutes, except where indicated otherwise. Fund summary, fund performance and dividend data provided by Morningstar Inc. Analyst recommendations provided by Zacks Investment Research. StockScouter data provided by Verus Analytics. IPO data provided by Hoover's Inc. Index membership data provided by Morningstar Inc.


Smart Spending brings you the best money-saving tips from MSN Money and the rest of the Web. Join the conversation on Facebook and follow us on Twitter.