Technology Support Center

Administrative Technologies

How to recognize phishing emails

Phishing emails are becoming increasingly sophisticated, which means you need to know what to look for when determining if an email is legit or a scam.

How can you tell the difference between a legitimate email and a phishing email?

At a glance, you might assume a phishing email is legitimate. If it looks real and has an urgent, ominous message, you might be coerced into acting before you think, and that's exactly what the scammers want. No matter how good the disguise, though, phishing emails always have tell-tale signs that something is not right. The signs aren't always easy to spot—you need to look for them.

Since it can be tricky, we'll examine an actual phishing email so you can learn what to look for. Click the article image to the right (Figure 1) to see a copy of a real phishing email. Then read on to find out how we know it's a phishing scam.

  1. PayPal - The example phishing email appears to be sent from PayPal. Of course, if you don't have a PayPal account, that should be a big tip off that this is a phony. Even if you don't use PayPal, the steps to identifying a phishing scam are the same no matter what company logo appears in the email.
     
  2. To: unlisted-recipients - The top of the email shows who it's From: and To:. The email appears to be sent From: service@paypal.com (which is not suspicious by itself), but it is sent To: no To-header on input <"unlisted recipients;">.

    This doesn't jibe with the rest of the email, which is a warning about your personal account. If this was a real PayPal email, we'd expect the To: line to contain your email address, not "unlisted recipients."
     
  3. Ominous Warning - Phishing emails try to incite worry and fear. In our example, the email begins, "Notice of account temporary suspension." It goes on to talk about fraud and ends with a red, time-sensitive warning, "If this situation is not solved in 24 hours your account will be permanently suspended."

    First, you should be skeptical about any "account suspension" warning. This is a trick phishing scammers use all the time to make you worry. Second, you are given 24 hours before your account will be permanently suspended. This doesn't make much sense—businesses like PayPal want to make money and that's hard to do when they ban their customers.

    A more reasonable response to suspected fraud would be to limit or lock the account until the issue can be investigated and resolved—something the email actually mentions. It's the permanent ban that stands out as an unlikely overreaction on PayPal's part which tips us off that this is a phishing scam.
     
  4. Suspicious Links - When you move your mouse over a link, the web address is displayed at the bottom of the window. This is a great way of checking things out before you click. When we move our mouse over the first link, "Travelling confirmation Here," it displays the address, ftp://april:april@209.202.224.140/update.htm, at the bottom of the window.

    There are a couple reasons why this link is suspicious. First, the spelling is odd. In America, we spell it "traveling" with one "L," but in the email it's spelled "travelling" with two "L"s, which is generally more common in England. Second, the link's address is a big clue. It contains an IP address (209.202.224.140) instead of a web address (like www.paypal.com).

    Also, the beginning of the address is "ftp://" instead of "https://". You should be in the habit of looking for signs of security. Any time you are asked to log in or provide your credit card information, you should expect the site to use https://. The "s" in https:// means the site is secure. If you are asked to visit a site that uses ftp:// or http://, you should stop and consider that the site and email might be fraudulent.

    Mousing over the second link, "Re-activate your account Here," reveals the same link address, ftp://april:april@209.202.224.140/update.htm. Why would PayPal include two apparently different links that point to the same address? This is yet another sign of something fishy going on.
     
  5. More Links - There are three other links in the email: TRUSTe Privacy Program, User  Agreement, and Privacy Policy. Mousing over all three links reveals they all point to real web addresses, like http://www.paypal.com/cgi-bin/webscr?cmd=p/gen/privacy-outside. This is a real PayPal link, and if you click it, the web page actually talks about customer privacy.

    This is rather ingenious on the part of the scammers. They included links to the real PayPal website to make their email seem legit. By mixing the truth with their lies, they are trying to make it harder for you to identify the email as a phishing scam. It's ironic that the email also contains information on "How to protect your account," when it is, in fact, a phishing scam that is ultimately trying to trick you into giving away your PayPal account information.

If you were to click the suspicious links in a phishing email, you may be taken to a web page that looks like the real PayPal log in page. But when you enter your user name and password for PayPal, you're not actually logging in at all. Instead, the web page sends your user name and password to the scammers.

You may also be asked to "verify" or "update" your personal account information. Scammers want as much data as you're willing to give them, including bank account numbers, PIN numbers, credit card numbers, your Social Security number, and more.

To avoid getting caught by a phishing scam, you must stay on guard. Look for signs in the email that something just isn't right. If you have any doubts, don't click any links or log in. It's always better to call the company and speak with someone over the phone.