Phishing is the practice of faking emails from legitimate companies in order to trick the recipient into divulging passwords, usernames or account details that can then be used to defraud.
Phishing emails are extremely common and most people who have an email address will receive these from time to time. They can be quite cleverly done and for the uninitiated they can be very convincing. As it's currently Cyber Security Awareness Week, now seemed like a good time to take a close look at some examples and point out how to spot a fake email.
At first I thought I would have to canvass my workmates for examples of phishing emails from their inboxes, but in fact most of the examples below I harvested from my very own spam folder. That most of these get trapped by spam filters is great, but even so occasionally one slips through, so it's good to train yourself to spot them.
An important consideration when assessing the legitimacy of an email is where it purports to come from. Phishing emails often mimic those from banks and online payment processors (like PayPal). Social media accounts and email providers are also popular targets for impersonation but really any organisation or company that operates online customer accounts may be used this way.
So let's look at some examples.
At first glance this email looks okay. It has the bank logo after all, but it's important to remember that logos are extremely easy to find online and this one could just be copied from the bank's website.
What's more important here is that I don't actually have an account with ANZ, so they really shouldn't be sending me any messages. But if I were a customer of theirs they would have all my details, particularly my name. Use of a generic greeting might indicate that the person sending this email doesn't actually know who you are (other than a potential victim).
There are also some grammatical errors. This sort of thing is much more common in fake emails than in legitimate ones.
Finally, the email is signed but the name isn't identifiable and therefore not verifiable. Have you ever received a business letter where there was a signature but no printed name underneath? Standard practice in business correspondence is to always include a printed version of someone's name. It's no different with emails.
This email is very similar to the first one but has slightly better grammar. However, banks will pretty much never provide you with a link from within an email that leads to an online banking login page. This is because they've got wise to what phishing emails look like.
Again, this email looks reasonable enough though it's lacking in specific detail - no customer name or account number is mentioned. And They Seem Really Keen On Capitalising Things, Don't They? Let's look a little bit closer at this one:
Here we can see where that "log in" link is actually going, and it doesn't look like it's at all affiliated with the bank in question. If in doubt about a link inside an email, investigating where the link goes without opening it is an option (as is deleting the email to be on the safe side). Try right-clicking for options like "copy link location". You can then paste the link somewhere and look at it. Chances are if you suspect it's dodgy then it probably is.
As I mentioned earlier, it's not just bank emails that can be faked. This message is pretending to be from email provider Yahoo but as with the earlier examples there are some telltale signs. In particular this fraudster hasn't bothered to create a fake Yahoo email alias so it's fairly obvious the sender isn't a Yahoo employee.
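The two checks just described (where a "log in" link really points, and whether the sender's address belongs to the organisation it claims to be from) can be automated. The script below is an added example and is not part of the original post; it parses a raw email, compares the From address and every link's host against the domain of the brand the message mentions, and flags a generic greeting. The brand-to-domain table, the `.test` sender and link domains, and both sample messages are constructed for illustration.

```python
"""Flag suspicious sender addresses and links in an email.

Added example, not code from the original post. The brand-to-domain
mapping and all sample messages below are constructed assumptions.
"""
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical brand -> legitimate domain table (assumption for this example).
KNOWN_BRANDS = {
    "anz": "anz.co.nz",
    "yahoo": "yahoo.com",
}


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_matches(host, domain):
    """True if host is the domain itself or a subdomain of it."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def detect_brand(text):
    """Return the first known brand named in the text (simple keyword match)."""
    lowered = text.lower()
    for brand in KNOWN_BRANDS:
        if brand in lowered:
            return brand
    return None


def analyse(raw_message):
    """Return a list of warnings for one single-part HTML email."""
    msg = message_from_string(raw_message)
    body = msg.get_payload()  # constructed samples are single-part text/html
    warnings = []

    brand = detect_brand(msg.get("Subject", "") + " " + body)
    expected = KNOWN_BRANDS.get(brand)

    # Check 1: does the From address sit in the claimed brand's domain?
    _, addr = parseaddr(msg.get("From", ""))
    sender_host = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    if expected and not host_matches(sender_host, expected):
        warnings.append(f"sender {addr!r} is not in {expected}")

    # Check 2: does each link actually lead to the claimed brand's site?
    collector = LinkCollector()
    collector.feed(body)
    for href, text in collector.links:
        host = urlparse(href).hostname or ""
        if expected and not host_matches(host, expected):
            warnings.append(f"link {text!r} goes to {host!r}, not {expected}")
        # Visible URL text that differs from the real target is a classic tell.
        if text.startswith("http") and (urlparse(text).hostname or "") != host:
            warnings.append(f"link text shows {text!r} but points to {host!r}")

    # Check 3: a generic greeting instead of the customer's name.
    lowered = body.lower()
    if "dear customer" in lowered or "dear valued" in lowered:
        warnings.append("generic greeting; sender does not know the recipient's name")
    return warnings


# Constructed sample messages (not real emails).
PHISH = """\
From: "ANZ Online" <security-team@mail-example.test>
Subject: ANZ account verification required
Content-Type: text/html

<html><body>
<p>Dear Customer,</p>
<p>Please <a href="http://login-verify.example.test/anz">log in</a> to confirm your details.</p>
</body></html>
"""

LEGIT = """\
From: "ANZ" <noreply@anz.co.nz>
Subject: ANZ home loan rates update
Content-Type: text/html

<html><body>
<p>Dear Jane Smith,</p>
<p>Visit <a href="https://www.anz.co.nz/rates">our rates page</a> for details.</p>
</body></html>
"""

if __name__ == "__main__":
    for name, sample in (("phish", PHISH), ("legit", LEGIT)):
        print(name, analyse(sample) or ["no warnings"])
```

The brand detection is deliberately simple; in practice the same heuristics would be applied to the displayed sender name and to every link, and a match against the real domain is only one signal among several rather than proof that a message is genuine.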
The above examples show that the telltale signs that an email isn't on the up and up can actually be quite subtle. But the more of these you see, the easier it is to spot them.
Not all emails from banks are suspect though. Let's look at what a real bank email looks like.
A while ago I was shopping around for a mortgage and interacting with a number of banks. Even though I didn't go with Westpac in the end, they still sometimes send me emails about mortgage rates, like the one below.
Even though I don't have a mortgage with Westpac, as part of the pre-approval process I gave them some of my details. This is how they have my email and... surprise, surprise, my actual name.
Banks also like reminding their customers that genuine bank emails don't behave like phishing emails. They're also happy to provide a legible name of someone you can contact, because they do actually want to interact with you.
Hopefully these examples have given you a better idea of what does and doesn't belong in your inbox.
If you do find any nasties there that shouldn't be, many banks have email addresses that you can forward suspicious emails to. This helps the banks know what sorts of fake emails are circulating and if necessary warn their customers about them. You can usually find this info by going to your bank's website and searching for "phishing".
The Department of Internal Affairs also has an Electronic Messaging Compliance team who keep up-to-date lists of email scams, some of which involve phishing.
More information about phishing:
- Department of Internal Affairs - Email scams
- Netsafe blog - How to spot a fake banking website
- Security Central - Phishing, social engineering and online scams
- NetGuide - Spear-phishing: Don't be the 'Catch of the Day'