A little while ago, a client sent me this message:
“Hi. I just received an official looking e-mail from my small business payment processor that looked suspicious. It said that the company noticed fraudulent activity on my account and wanted me to log-in to verify that the account was mine. For my protection, it said, the account would be on hold until I verified the account. I have a lot of clients paying me online through that processor and can’t afford to have my account suspended. I clicked the link in the e-mail. The company’s homepage and a form popped up asking me to enter my ATM card number, user name, password and social security number in order to verify and unlock my account. I was hesitant to put all that information in there, so I took another look at the e-mail. The e-mail address sending the e-mail was from my payment processor, but there were a lot of spelling errors in the e-mail. It also said ‘Dear Sir.’ Usually e-mails from this company say ‘Dear Company Name.’ I don’t know if it’s really official, but I don’t want to lose my online payment privileges. What do I do?”
Have any of you received similar e-mails? They appear to be from your bank, payment processor or credit card company, but something always seems suspicious. Well, you are right to be wary of those e-mails. The practice of using an “official” looking e-mail address to gain client information is called spoofing or phishing and is a type of online scam. Read on to learn how to protect yourself from these fraudulent e-mails.
According to the Anti-Phishing Workgroup, a group of people dedicated to stopping these e-mail scams, “phishing attacks use ‘spoofed’ e-mails and fraudulent websites designed to fool recipients into divulging personal financial data such as credit card numbers, account usernames and passwords, social security numbers, etc. By hijacking the trusted brands of well-known banks, online retailers and credit card companies, phishers are able to convince up to 5% of recipients to respond to them.”
With a little knowledge, you can recognize a spoofing or phishing attempt and not be fooled.
– Beware of any e-mails asking for personal information. Banks and online retailers rarely, if ever, ask clients to change personal information via a link in an e-mail. Instead of following the e-mail link, call the company on the phone or log in directly by typing the web address into your browser.
– Be wary of any “official” looking e-mail that does not address you personally. Most spoofed e-mails address you in general terms, such as Dear Sir or Madam, or even by your e-mail user name. Legitimate banks and retailers will have your name on file and address you by your first and/or last name.
– Always make sure the browser is secure before entering personal information. The URL should read https:// if it is secure, not http://.
– Check the destination of the URL before you click it. You can do this by running your cursor over the URL. In most e-mail programs, a little yellow box will pop up showing you the destination. Other times you can check the left of your browser’s status bar. That is the gray bar at the bottom of the web browser. If the URL says anything except https://www.yourbankname.com, there is a problem.
– Do not download suspicious looking attachments. Even if it looks to be from your bank, most likely it is a computer virus.
If you’ve received a spoofed e-mail, report it to the real company. Citibank, for example, has an e-mail address where they accept forwards of all phished e-mails using the Citibank name.
What if you’ve already clicked the link and given out your personal information? You could likely be the victim of credit card fraud, bank account theft, or even identity theft. Visit Anti-Phishing.org for some tips on what to do if you are in this situation. Overall, be suspicious of any e-mail asking for your personal information. With the appropriate knowledge, you will not be fooled.