“You have a payment of $500 waiting in your PayPal account! All you have to do is click here!” – sound familiar?
According to a (PDF) report, email phishing attacks — strangers contacting you pretending to be a bank or some other legitimate company — increased 87% from 2011 through 2013. This increase is despite the fact that rates of spam email — where legitimate companies send you advertisement-style emails — dropped from 2012 to 2013.
We could speculate that this shift from spam to phishing means phishing emails are more effective at getting email users like you or me to click on a link and hand over private information to these scam artists.
Here at MUO, we’ve covered phishing quite a bit, considering that it’s such a significant and growing security threat. In 2011, Matt wrote up a great article describing phishing and how you can recognize it. Throughout the years, we’ve provided updates on new phishing vulnerabilities like the recent Google Login Page phishing effort in early 2014.
Be Vigilant Against Fake Emails
If there’s a single message to keep in mind here, it’s this — the number one defense against phishing is education. If you’re educated on simple ways to spot a phishing attack or some other email fraud, you will be able to fully protect yourself. There’s no software that’s going to do this for you. Nothing will prevent you from clicking a link in an email, downloading a file, or logging into a fraudulent login page. You are your own last defense against these threats.
In the past, we’ve described ways to use technology like DNS services and browser phishing lists as safeguards against phishing, but in addition to that technology, there are certain aspects of incoming email you can keep an eye out for to identify and delete dangerous emails.
Email scam artists will prey on human emotion to get you to click on that email link. The most common emotions used are greed, guilt, kindness, lust, and fear. The first sort of phishing emails I would like to focus on involve greed.
Up until now, these were also the most common forms of phishing emails.
Usually these involve some sort of legal “beneficiary” arrangements where someone needs your help paying a beneficiary out of country. You — being lucky enough to live in a part of the world that allows for such safe financial transfers free from government corruption — get to be the middle-man in a simple financial transfer. For your efforts, you’re promised a very comfortable fee as payment.
These emails often look pretty official, with a footer signature mentioning some huge organization that couldn’t possibly be involved in such a fraud, right? This is true — but the problem is, the person isn’t really from that agency. This is the age-old fraud known as the Nigerian 419 scam; the number 419 refers to the section of the Nigerian criminal code that covers fraud.
This scam just requires you to email the person back and once you do, they’ll start weaving a long and convincing story, eventually culminating with you providing your bank account information.
Not all of these specifically mention the country of Nigeria by the way. Such phishing emails roll into email accounts across the world mentioning assistance needed with transferring money out of China, the Middle East, and other regions.
These are real people — not bots — who will respond to you when you email them. They may even sound quite convincing. Rest assured, they are criminals hoping for some sorry sap to reply to one of these emails. When you see this, quickly press the delete button. If you respond, the only thing that will be transferred is money out of your bank account.
People that fall for this aren’t stupid. Just check out this ZDNet video where victim “Jill” admits to losing over $300,000 over four years.
Email scammers don’t just prey on negative human emotions. If you’re a nice person, they’re targeting you too. One common approach is to email you posing as a charity. Most of the time these are charities that you’ve never heard of — not usually a major national or international one — because in that case the email address would need to be associated with that agency.
Instead, scammers mention some important cause that they’re “funding”, and need your support. The email address is usually of some free email service variety.
An even more common email scam is the account hijack and mass email. This is where one of your friends or contacts with a not-very-secure email account ends up having that account hijacked.
The hacker will then send out emails to everyone on that person’s contact list telling a sob story about being stranded somewhere, and needing money.
They wait for an email reply, string out the story a little bit longer, and then they’ll ask you to send money via some service like Western Union or some other wire transfer service. I’ve even heard stories of people having phone conversations with these scam artists. One elderly lady was convinced that her nephew was stranded somewhere in France and almost sent him $3,000 before her family convinced her otherwise.
Your Poor Memory
You’re busy. You can’t remember half of the stuff you signed up for online last week, let alone last month. Some email scammers are counting on your lack of memory when they send out those phishing emails informing you that your application has been approved, or that you’re the winner of some contest that you don’t remember entering.
One of my favorites is the “Your application has been approved” email, because it’s just so brilliant. It’s especially effective against very busy people who might be very active online. You won’t recall applying — but your curiosity may get the best of you, so you go ahead and click that link. The rest is history.
Even more common are the “You are a winner” emails. Everyone loves to win prizes, and sometimes the amounts are so exciting that it’s very hard to resist replying to that email and “accepting” your prize.
The way these usually work is that in order to receive your alleged winnings, you need to provide your bank information for “direct deposit”. What ends up happening is a direct withdrawal instead!
These phishing emails are particularly effective because who doesn’t want to believe that they’ve finally won a prize?
Here’s a word of advice to protect yourself from these scam artists. If you can’t remember signing up for something, the odds are pretty good you didn’t. Don’t click that link. Press “Delete” instead.
Looking for Love
You know how they say in marketing that “sex sells”? Well, unfortunately in the email scam artist’s world, the same rule applies. Every day, countless emails go out to mostly unsuspecting men that are allegedly from women looking for a boyfriend, a date, an affair and everything in between.
These scam artists count on you either clicking on the link (usually a tinyurl type link), or responding to the email itself, asking to see those photos or starting a conversation.
What you end up with in these cases is usually a scam artist (usually not even a woman, by the way) responding to you and dragging you along until you eventually sign up for some silly online dating service in order to “continue the conversation in private”.
Even worse, there are cases where the scam artist will pretend to be in some sort of financial crisis or in some kind of danger, eventually convincing the unsuspecting victim (you) to send money in order to help this poor, defenseless woman who is just looking for a man to take care of her.
It should go without saying that you should ignore these emails. Unfortunately, the fact that they even continue to exist means that their success rate must be especially high. If you are looking for love, I definitely recommend putting your best foot forward on dating websites, but responding to these emails won’t get you love. They’ll just give you an empty wallet.
Using Fear Against You
The last common fraud email is one that I’ve dubbed the “Shock and Awe” approach. Basically, this is similar to the age-old tactic of faking an email from a legitimate organization like PayPal or Facebook, but in this case the organization is some non-profit or government agency in charge of protecting public safety.
The email will warn of something shocking that will catch your attention, such as a warning that local loan interest rates have hit rock bottom (“click here to get your low rates now!”), or more recently, an alert that a sex offender has moved into your neighborhood.
We’ve advised about this before and we’ll advise it again — don’t click on links inside of emails like this! If you really are concerned there’s a warning, hover over the link and check the URL in the status bar on your browser. If you can’t find the URL in the status bar, then right click on the link and choose to copy the link address.
Paste the URL into Notepad to see where the actual link will take you.
What you’ll discover is that it goes to some silly dot-com URL that you probably won’t recognize, not some .org or .gov URL like you’d expect if it came from a legitimate agency.
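The same check done programmatically, as an added example that is not part of the original article: the script parses the anchors in a constructed HTML message, compares the host the link text shows the reader against the host the href actually points to, and flags shortener links whose real destination is hidden. Every domain in it is a placeholder, and the shortener list is constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (added example, not from the article); every
# domain here is a placeholder, not a real indicator.
SAMPLE_EMAIL = """
<p>ALERT: a registered offender has moved into your neighborhood.</p>
<a href="http://cheap-loans-now.example.com/alert">www.agency-alerts.gov.example</a>
<a href="http://tinyurl.example/abc123">View photos</a>
<a href="https://www.agency-alerts.gov.example/">https://www.agency-alerts.gov.example/</a>
"""
# Hosts that hide the real destination behind a shortener (constructed list).
SHORTENER_HOSTS = {"tinyurl.com", "bit.ly", "tinyurl.example"}

class LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs for every <a> in the message."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def host_of(value):
    """Lowercase host of a URL, or of bare 'www.host' text shown to the reader."""
    parsed = urlparse(value if "://" in value else "http://" + value)
    return (parsed.hostname or "").lower()

def audit_links(html):
    """Return (text, href, verdict) per link: 'shortener' if the target hides
    behind a shortener, 'mismatch' if the visible text names a different host
    than the href really goes to, otherwise 'ok'."""
    collector = LinkCollector()
    collector.feed(html)
    results = []
    for text, href in collector.links:
        target = host_of(href)
        # Only text that looks like a host or URL makes a claim about the target.
        shown = host_of(text) if "." in text and " " not in text else ""
        verdict = ("shortener" if target in SHORTENER_HOSTS
                   else "mismatch" if shown and shown != target else "ok")
        results.append((text, href, verdict))
    return results
```

Run `audit_links(SAMPLE_EMAIL)` to see the first link flagged as a mismatch (a .gov-looking label pointing at an unrelated dot-com) and the second as a shortener.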
The truth is that the single most effective way to protect yourself from phishing emails and frauds that prey on human emotions like this is to remove all of these emotions when you’re dealing with your email inbox. Most online email services these days are pretty effective at recognizing most of these emails and moving them to the spam folder, but when they don’t, your own common sense and caution will go a very long way toward protecting you from the rest.