Sometimes sorting out valid emails from phishing emails can be very confusing. “Phishing,” for those of you who have been under a rock for the last few years, is the practice of spammers sending emails that appear to be from legitimate sources. These emails usually state that there is something wrong with your account and that you need to take a certain action to correct it. They provide the means to make this correction, either by telling you to respond directly to the email or by directing you to a web site, but in any case it is a direct connection to the spammer rather than the apparent sender of the email.
This can be particularly disconcerting when the email has all the appearance of really coming from an organization such as your bank, PayPal, UPS or Federal Express, or even the government. The emails may carry the actual logos of the company involved and may even warn you about spam right in the email. When you click on a link to their web site, it too can look for all the world like a legitimate site from the organization. So how do you tell the difference? Here are a few ideas, as well as some suggestions on how to avoid the emails in the first place.
First and foremost, if the email you receive asks you to reply to the email with your user/account name and password, it’s spam, plain and simple. No legitimate company will ask for this information through an unsecured means such as email. So you click on the link in the email and it takes you to a web site that looks legitimate and it asks you to sign in – should you do so? Hell, no – you’ll just be giving the spammer your log-in information! If it is a company that you normally do business with, instead go to that business’s regular web site where you usually log into your account. If they need something from you, odds are that they will tell you as soon as you log in. If the email really, really looks legit and you don’t get any notice when you log into your real account, call the organization (and don’t use a phone number that came with the email) and ask them if they need anything from you.
Normally, you can spot illegitimate web sites by their URLs. If you hover the cursor over a link in an email, the web site address is usually shown. A web site address should contain the company’s real web address as part of the base address. In other words, if a link takes you to something like “http://www.hytrremb.paypal.com” it is probably legit. Note that the “paypal” part has to be next to the “.com” part. If the address reads “http://paypal.hytrremb.com” it is NOT linking to PayPal, but to the “hytrremb” domain. Don’t click on it. This can sometimes be difficult to determine, though, because spammers create links that are meant to disguise the true URL.
Unfortunately, even legitimate companies use newsletter services, polling companies, etc., that do not link directly to the company’s home web address. Also, really clever spammers can make links look like you are going one place while the link actually takes you elsewhere. You take a risk clicking on those links, but as a rule if you are not asked for personally identifying information just clicking on the link is ok. Note – I said “as a rule.” THIS IS IMPORTANT! There are web sites designed to automatically download malicious software, viruses, etc., if you merely visit the web site. You may not see anything happening and the web site may look legit, but you can get really screwed if this happens. I strongly suggest that you never click on a link that comes in an email. Always go directly to that company’s web site to take care of whatever issue is involved. If you choose to do otherwise, I hope you have a really good computer condom on.
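The two checks just described (is the real company name the part next to the “.com”, and does the link’s visible text match where it actually goes?) can be automated. The following Python script is an added example, not code from the original post: it pulls every link out of a constructed sample email body, works out which domain the link really lands on, compares it with the domain you expect, and flags links whose displayed URL differs from the real target. The trusted-domain list and the sample HTML are assumptions made up for the example. It uses a deliberately simple “last two labels” rule for the registered domain, which is enough for the examples in the text but not for suffixes like “co.uk”; a real tool would consult the Public Suffix List.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


def registrable_domain(hostname: str) -> str:
    """Return the registered domain, i.e. the part next to the TLD.

    Simplification: takes the last two labels. This gives the right answer for
    'www.hytrremb.paypal.com' (paypal.com) and 'paypal.hytrremb.com' (hytrremb.com),
    but not for multi-label suffixes such as 'example.co.uk' (use the Public Suffix
    List for those).
    """
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else hostname.lower()


def link_verdict(href: str, expected_domain: str) -> str:
    """'matches' if the link's real domain is the one we expect, else 'mismatch'."""
    host = urlparse(href).hostname or ""
    if not host:
        return "no-host"
    return "matches" if registrable_domain(host) == expected_domain else "mismatch"


class LinkExtractor(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def analyze_email_links(html_body: str, expected_domain: str) -> list:
    """Classify each link in the body against the domain the email claims to be from."""
    parser = LinkExtractor()
    parser.feed(html_body)
    results = []
    for href, text in parser.links:
        # The "looks like one place, goes somewhere else" trick: the visible text is a
        # URL whose host differs from the host the link really points at.
        shown_host = urlparse(text).hostname if text.lower().startswith("http") else None
        real_host = urlparse(href).hostname
        disguised = bool(shown_host) and shown_host != real_host
        results.append({
            "href": href,
            "text": text,
            "verdict": link_verdict(href, expected_domain),
            "disguised": disguised,
        })
    return results


# Constructed sample email body for the example (not a real message).
SAMPLE_HTML = """
<p>Your account needs attention.</p>
<a href="http://www.hytrremb.paypal.com/login">Sign in</a>
<a href="http://paypal.hytrremb.com/login">http://www.paypal.com/login</a>
<a href="https://www.paypal.com/help">Help centre</a>
"""

if __name__ == "__main__":
    # Assumed: the email claims to be from PayPal, so paypal.com is the expected domain.
    for result in analyze_email_links(SAMPLE_HTML, "paypal.com"):
        print(result)
```

Running it reports the first and third links as matching paypal.com, and the second as both a domain mismatch (it really lands on hytrremb.com) and a disguised link, because the text shown to the reader names a different host than the href.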
How can you sort out the spam from the legit emails? Other than the above, I have a pretty effective system. Since I have my own web site and my hosting company lets me create up to one hundred email addresses, I have one main address that I use for most of my public contacts, such as signing up for mailing lists, advertising, etc. This is the account with the most public exposure and where I get the most spam and phishing emails.
I then create special email addresses for each important web activity. For example, all financial matters may go to higgle@hytrremb.com. I can even create an email address for each individual account, if I want. Then, if I receive any email from one of the companies that has that address I can be pretty sure it came directly from them. If I receive any email from them addressed to the main address I am sure that it is not legitimate and I can ignore it. Was that clear? In other words, if PayPal sends an email to the email address I set up for them, it’s most likely valid, but something that appears in my main email address purporting to be from PayPal is almost certain to be a phishing attempt.
Usually your ISP (Internet Service Provider) will let you set up more than one email address. Even if it is only as few as five or ten this can still be an effective system. Also, you can use Gmail, Hotmail, or Yahoo mail for the same purposes. Yes, it can get to be a hassle dealing with all those email addresses, but with an email client on my computer like Thunderbird (Mozilla’s email solution) or Outlook, I don’t find it onerous at all.
In the end, suspicion is the key. Never believe what ANY email says. Deal directly through the supposed sender’s verified web site – one you have visited before – and you will save yourself a lot of trouble.