A week doesn’t go by now that I don’t receive a fishy e-mail: one that appears to be from my e-mail service or bank and carries an anxiety-inducing message. At tax time, I even got an e-mail that looked like it came from the IRS, but it was not.
These are all email phishing scams.
Merriam-Webster’s definition of phishing: a scam by which an e-mail user is duped into revealing personal or confidential information which the scammer can use illicitly.
A month ago I received a phone call from Switzerland. It was a student of mine. I don’t want to reveal his identity, so let’s call him Barnaby. Barnaby uses Yahoo as his web-based e-mail service. He went to the expense of making an international call to me because he could no longer access his e-mail account and suspected he knew why, but wanted my advice. It all started with an e-mail he opened that looked like it was from Yahoo. The real problem is that Yahoo did NOT send this e-mail.
It was a “phishing” e-mail. Much like fishing, with an “f” not “ph,” the person who sent the e-mail is trolling to see if he (or she) can fool anyone into clicking on a link in the e-mail. If you click through, the next page asks you to type in your screen name and password, or even your social security number.
But you aren’t verifying your e-mail or bank account for security—you are revealing your password or private information to the scammer!
You may not be able to tell the difference between what you might normally fill out on a website and an email phishing scam—except for one very important detail: your e-mail service or bank will never ask you to confirm your password in an e-mail or through a link in an e-mail.
Let me say that again. Your e-mail service or bank will never ask you to confirm your password in an e-mail or through a link in an e-mail. So no matter how familiar or scary an e-mail may look, do not ever confirm your password in an e-mail or through a link in an e-mail.
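The two tells described above (a sender that only looks like your provider, and a link that leads to a page asking for your password) can be checked mechanically. The script below is an added example written for this page, not code from the author; it runs over two constructed messages (a harmless storage notice and a look-alike that asks you to confirm your password) and reports the indicators it finds: credential-confirmation wording, a link whose visible text shows one site while the href points to another, and links whose domain does not match the sender's. The provider domain mail-provider.example, the phrase list, and the two-label "registered domain" rule are assumptions for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Wording a real provider or bank never uses in an e-mail (assumed, illustrative list).
CREDENTIAL_PHRASES = ("confirm your password", "verify your password",
                      "verify your account", "social security number")
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def registered_domain(host):
    """Collapse 'login.mail.example.com' to 'example.com' (assumed naive two-label rule)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.anchors, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def phishing_indicators(raw_message):
    """Return a sorted list of indicator strings found in one RFC 822 message."""
    msg = message_from_string(raw_message)
    _name, address = parseaddr(msg.get("From", ""))
    sender_domain = registered_domain(address.rsplit("@", 1)[-1]) if "@" in address else ""
    findings = set()
    for part in msg.walk():  # walk() yields the message itself when it is not multipart
        ctype = part.get_content_type()
        if ctype not in ("text/plain", "text/html"):
            continue
        text = part.get_payload(decode=True).decode("utf-8", "replace")
        lowered = text.lower()
        for phrase in CREDENTIAL_PHRASES:
            if phrase in lowered:
                findings.add(f"asks for credentials: '{phrase}'")
        if ctype == "text/html":
            collector = _AnchorCollector()
            collector.feed(text)
            for href, shown in collector.anchors:
                shown_url = URL_RE.search(shown)
                if shown_url:  # visible text looks like a URL: compare it with the real target
                    shown_dom = registered_domain(urlparse(shown_url.group(0)).hostname or "")
                    href_dom = registered_domain(urlparse(href).hostname or "")
                    if shown_dom != href_dom:
                        findings.add(f"link text shows {shown_dom} but points to {href_dom}")
        for url in URL_RE.findall(text):
            link_dom = registered_domain(urlparse(url).hostname or "")
            if sender_domain and link_dom != sender_domain:
                findings.add(f"link to {link_dom} does not match sender domain {sender_domain}")
    return sorted(findings)


def is_suspicious(raw_message):
    return bool(phishing_indicators(raw_message))


# Constructed sample messages (not real mail). The assumed provider is mail-provider.example.
LEGIT = """From: Example Mail Support <support@mail-provider.example>
To: barnaby@mail-provider.example
Subject: Your monthly storage report
Content-Type: text/plain; charset="utf-8"

You used 40% of your mailbox this month. Details: https://mail-provider.example/storage
"""

PHISH = """From: Example Mail Security <security@mailprovider-verify.example>
To: barnaby@mail-provider.example
Subject: Urgent: your account will be closed
Content-Type: text/html; charset="utf-8"

<p>We detected unusual activity. Please confirm your password within 24 hours:</p>
<p><a href="http://account-check.example/login">https://mail-provider.example/login</a></p>
"""

if __name__ == "__main__":
    for label, raw in (("legit", LEGIT), ("phish", PHISH)):
        print(label, phishing_indicators(raw) or "no indicators")
```

The harmless notice produces no findings; the look-alike produces four. None of these checks proves an e-mail is fraudulent on its own (newsletters often link to third-party domains), which is why the rule in the text above stays the final word: if a message asks you to confirm a password through a link, treat it as phishing regardless of what any filter says.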
Unfortunately, Barnaby did just that. He typed in his e-mail address and his password. The next time he went to sign into his account, he wasn’t able to access his e-mail. Within a few hours, an e-mail written by the “phisher” was sent from Barnaby’s hijacked Yahoo account to everyone in the address book. The e-mail, appearing to come from Barnaby, stated that he, while traveling, had been robbed and was stranded without his wallet. It asked the recipient(s) to please send money using Western Union.
Now I know you’re saying, “Who would fall for that?” Truth be told, many could and do. And each phishing e-mail is different—one more compelling than the next.
Your first line of defense is to never confirm your password in an e-mail or through a link in an e-mail. (I promise I won’t say it again. You get the point.)
If you discover that you’ve unwittingly succumbed to an email phishing scam, you can forward the e-mail to: firstname.lastname@example.org. Antiphishing.org is a volunteer organization devoted to helping people identify and avoid scams.
You can imagine a phishing scammer’s glee when they discover that your e-mail password is the same as your bank PIN. Your bank password should be used exclusively for the bank and not for anything else. For tips on how to choose safe and memorable passwords, see my Choosing a Safe, Memorable Password article.