Don't fall for it - Phishing SCAMS are on the rise

Jul 28, 2008 at 12:51 PM

Hi - 

I've blogged about phishing emails before, but since I've seen a massive increase lately in phishing (SCAM) emails that supposedly come from "Google AdWords" but DO NOT, I want to make sure all of you know some basic facts.

1. ANY email address can be faked. The "From:" line is just text the sender fills in, so nothing stops me from sending you an email today that says it is from:

  • elvis.presley@heaven.com
  • account-management@your-bank.com
  • adwords-noreply@google.com 
  • yo-mamma@dissing-you.com
  • any_email_at_all@any-domain-I-want-to-use.com

(if you don't believe me, go ahead and email me asking me to respond from any address you want. I will!)

So, NEVER use the return address or the "sent from" info as a trust factor. (Some mail providers now check whether the sending server is allowed to use that domain, with records called SPF and DKIM, but a forged From: line still lands in plenty of inboxes, and a phisher who owns a look-alike domain can set those records up for it and pass the check.)

2. A clickable link is easy to fake. The text you see and the address the link actually opens are two separate things, and web authors set them independently all the time to pretty links up. Any link can have any text. For example, these three links (as they appeared on the original page):

  • en.wikipedia.org
  • Google Search - use it!
  • www.pretending-to-be-something-else.com

All of the above links actually go to Google search.

Hover over any of them and you'll see (down in the status bar at the bottom of this window) that the real target is Google Search.

So, NEVER trust the text in a link. There is NO requirement that it match where the link goes.

In the case of a phishing email, the link text says "www.known-safe-site.com" but the address behind it is "http://www.criminal-organization.com".

Your browser tries to warn you away from known phishing sites, but it only knows the ones that have already been reported, and phishing is a BILLION dollar industry and growing.

3. Find out where EVERY link goes before you click it.

Here is how. (I'm using a photo I took of a REAL PHISHING EMAIL I got today - one of hundreds received in the last 24 hours. I manage hundreds of email addresses and almost all of them are getting this particular email, with hundreds of phishing sites at the other end.)

Email arrives saying it's from a known safe entity. Email looks EXACTLY like every single other email you've ever gotten from this known safe entity. Email may even have logos and "verified safe" notices and "trust us" seals that look just like ones you're used to seeing.

Here is one I just got (email changed to protect my clients).

[Screenshot of the email, not reproduced here. It looks normal enough.]

Then I hovered over the link (NEVER CLICK!!) and saw...

[Screenshot of the link target as shown in the status bar, not reproduced here.]

It does contain the right domain, to all appearances: if you only read the beginning, you'd see "adwords.google.com..." and think, A-OK. Right?

WRONG!

Skip past the "http://" and keep reading until the next slash. Everything in between is the host name, and it is the END of that host name that tells you who owns the site: the last two labels (like "df5ascx.cn") are the registered domain, and everything to the left of them ("adwords.google.com." in "adwords.google.com.df5ascx.cn") is a sub-name that the owner of df5ascx.cn can invent at will. One more trick to watch for: an "@" sign in that part. In "http://adwords.google.com@df5ascx.cn/" everything before the "@" is treated as a login name, and the site you land on is again df5ascx.cn.

And so you can see that this one really went to a phishing site in China. (The actual address has been removed from this blog post because ANY mention of the URL will probably get the post banned now that I've reported the phishing website. But the URL is usually a random string of letters plus a foreign TLD, like ghsaytd.ru (Russia) or df5ascx.cn (China), or something like that.)
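Here is an added example that does the checks from points 2 and 3 mechanically. It is not code from the original post or from Google: it pulls the real host out of a URL the way the browser reads it (including the "@" trick), and scans an HTML email body for links whose visible text names one site while the address behind it goes somewhere else. The sample email body and the df5ascx.cn hostnames are constructed for this example, and the short list of country-code second-level names is a stand-in for the real public suffix list.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Something that looks like a domain in the visible link text,
# e.g. "adwords.google.com/select/Login" or "https://www.paypal.com".
DOMAIN_IN_TEXT = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)

# Registries that hand out names under a second-level label (co.uk,
# com.au, ...). Assumption: a short built-in list, not the full
# Public Suffix List that a real mail filter should use.
SECOND_LEVEL = {"co", "com", "org", "net", "ac", "gov", "edu"}


def real_host(url):
    """Hostname the browser will actually connect to, or None if this is
    not an http(s) link. This is 'the part right before the first slash'
    after the scheme. urlsplit() also strips the user@ trick: in
    http://adwords.google.com@df5ascx.cn/ everything before the '@' is
    a login name and the host is df5ascx.cn."""
    try:
        parts = urlsplit(url.strip())
    except ValueError:
        return None
    if parts.scheme.lower() not in ("http", "https"):
        return None
    return (parts.hostname or "").lower() or None


def registered_domain(host):
    """The name somebody actually registered: the last two labels, or the
    last three under co.uk-style registries. Everything to the left of it
    (adwords.google.com. in adwords.google.com.df5ascx.cn) is a subdomain
    the owner of df5ascx.cn can create at will."""
    labels = host.rstrip(".").split(".")
    if len(labels) >= 3 and len(labels[-1]) == 2 and labels[-2] in SECOND_LEVEL:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


class LinkCollector(HTMLParser):
    """Collects (visible text, href) for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def suspicious_links(html):
    """Return (text, real host, real registered domain) for every link
    whose visible text names one domain but whose href lands on another.
    Links whose text is a plain phrase ("click here") cannot be judged
    this way; for those the only rule is the post's: hover and read."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for text, href in collector.links:
        target = real_host(href)
        shown = DOMAIN_IN_TEXT.search(text)
        if target is None or shown is None:
            continue
        if registered_domain(shown.group(1).lower()) != registered_domain(target):
            findings.append((text, target, registered_domain(target)))
    return findings


# Constructed sample modelled on the email described in the post; the
# df5ascx.cn hostnames are made up for this example.
SAMPLE_EMAIL = """<html><body>
<p>Your Google AdWords account has been suspended. Sign in at
<a href="http://adwords.google.com.df5ascx.cn/select/Login">adwords.google.com/select/Login</a>
to restore it, or use
<a href="http://adwords.google.com@df5ascx.cn/login">https://adwords.google.com</a>.</p>
<p>Need help? Visit <a href="https://adwords.google.com/support/">Google AdWords Help</a>
or <a href="https://adwords.google.com/support/">adwords.google.com/support</a>.</p>
</body></html>"""


if __name__ == "__main__":
    for url in ("https://adwords.google.com/select/Login",
                "http://adwords.google.com.df5ascx.cn/select/Login",
                "http://adwords.google.com@df5ascx.cn/login"):
        host = real_host(url)
        print(f"{url}\n    connects to {host}, owned by {registered_domain(host)}")
    for text, host, domain in suspicious_links(SAMPLE_EMAIL):
        print(f"MISMATCH: link text {text!r} really goes to {host} ({domain})")
```

Running it flags the two phishing links in the sample and leaves the genuine Google support links alone. The third link in the sample ("Google AdWords Help") shows why a scanner like this is only a helper: its text is a plain phrase, so there is no domain to compare, and you still have to hover and read where it goes.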

Don't EVER follow a link from an "official" sounding email. EVER EVER EVER. If your banking institution actually sends you emails with links to click on in order to access important information - NEVER follow them. There will be a way to access the info after you go to the website directly by typing it into your browser.

If you follow such a link and log in, then even if you NEVER gave them any personal information other than your log-in details, they can easily rob you blind.

Someone I know once gave an email like the above one nothing but their Google AdWords login email and password. They thought they were safe because they hadn't given their account info over. And guess what?

Even though there is no way to log in and steal the credit card info at AdWords, the thieves still managed to create new campaigns that used up I think over $40,000 in one weekend of the poor guy's MONEY - selling god-only-knows-what -- probably pharma drugs or other sleazy stuff. 

I'm sure they would have spent more, but the card on the account reached its limit, and so Google shut down his campaign. It took ages to dispute the charges for those clicks, and there is NO CERTAINTY that Google will agree and refund the "oops" charges.

And all through that he wasn't able to advertise his own wares -- because his account was shut down.

It's far worse if they break into your bank account or into your paypal account. 

Even if the thieves only break into your facebook and myspace accounts, they can wreck your credibility. I've had to delete several friends from myspace who didn't realize that their usernames were hacked -- I got sick of getting constant alerts from those friends about SLEAZE and RINGTONES and DRUGS and all that other crud.

Plus these accounts usually contain an address book and your date of birth - that's awfully sensitive data as far as YOU are concerned. Isn't it?

So start playing it safe and remember what I said above.

ANY email address can be faked.

NEVER trust the text in a link.

2 comments

  1. Liberty Says:

    I can't figure out how to add you :( help!

  2. Kat Says:

    Thanks for this. I didn't know about the links in emails from my bank. I also get emails with links for most of our credit cards and other bills, and click those to sign in and pay them. So...thanks.