Monday, 2 September 2013

50. How to avoid a phishing scam.


Reproduced from PC Tips for Seniors:-

"A couple of days ago I received two slightly suspicious-looking email messages. One was from PayPal, telling me my recent account activity was available to view online and that I could ‘click here’ to log in and view it. The other was from Barclays, telling me that my online banking had been suspended because a third party had tried to log into it several times; it then told me that I should ‘click here’ to log in and confirm my identity.

There were reasons to regard both messages as genuine. I do indeed have a PayPal account, and I do bank with Barclays and use their online banking facility. However, there were reasons to regard them both as scams as well.

To start with, both wanted me to click a link and type my private login details into whatever web page I arrived at. That’s the hallmark of a so-called ‘phishing’ scam – a scam in which criminals set up a clone of a website’s login page to steal the account details of anyone unfortunate enough to be fooled by it.

I don't use my PayPal account very often, so the suggestion that there might be any ‘recent account activity’ certainly seemed suspicious. And in the case of the Barclays message, if they knew it was a third party trying to log into my account (and failing to do so), where’s the sense in blocking my own access to it? Clearly Barclays’ security measures had worked as intended, so no further action should be needed by anyone.

So, were they genuine or were they scams? Well, there was one extra telltale clue.

The PayPal message began ‘Dear Rob Young’. The sender obviously knew my name, and clearly this message couldn’t be sent to thousands of other people as well (unless they were all named Rob Young!).

The Barclays message began ‘Dear Barclays Online Customer’. Obviously the sender doesn’t know my name, whereas Barclays certainly does. The same message could easily have been sent to thousands of other people (and it probably was).

There are several tricks to spotting a phishing email, one of which is: does the story in the message seem at all believable? The Barclays message is full of holes, but the PayPal message seems a bit dodgy too.

The real key is: does the sender actually know who you are? Was this message sent to you personally, including your name and any account numbers or references associated with you?

Companies like PayPal and Barclays are well aware of phishing scams, and they’re careful to ensure that any messages they send are clearly personal. They’ll often do something else, too, as my PayPal message did: they’ll say that if you’re not sure whether or not this message is genuine, you can ignore the link it gives and visit the PayPal website by typing its address into your web browser, thus ensuring you won’t end up at a scammer’s cloned page.

If it had been genuine, the Barclays message would have suggested I type the address of the Barclays website into my browser, or that I pick up the phone and give them a ring, or that I pop into a branch. It didn’t, and of course that’s because it was a phishing scam."
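The tells the article relies on (a generic salutation instead of your name, a ‘click here’ link that leads somewhere other than the company's own website, and pressure to act at once) can be checked mechanically. The script below is an added example written for this page, not code from PC Tips for Seniors; it reads a raw e-mail and reports which of those tells it finds. The BRAND_DOMAINS set (the sites the reader actually has accounts with) and the two sample messages modelled on the ones in the article are constructed assumptions.

```python
# Added example (not from the PC Tips for Seniors article): heuristic triage of a raw
# e-mail for the tells the article describes.  BRAND_DOMAINS and the two sample
# messages below are constructed assumptions for this example.
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse
BRAND_DOMAINS = {"paypal.com", "barclays.co.uk"}  # accounts the reader really holds
GENERIC_WORDS = ("customer", "user", "member", "account holder", "client")
URGENCY_PHRASES = ("suspended", "confirm your identity", "verify your account")
TWO_LABEL_SUFFIXES = {"co.uk", "org.uk", "ac.uk", "com.au", "co.nz"}  # tiny PSL stand-in

def registered_domain(host):
    """'www.barclays.co.uk' -> 'barclays.co.uk'; 'a.b.paypal.com' -> 'paypal.com'."""
    labels = host.lower().rstrip(".").split(".")
    n = 3 if ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES else 2
    return ".".join(labels[-n:])

class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def triage(raw, brand_domains=BRAND_DOMAINS):
    """Return a list of findings; an empty list means none of the tells were found."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings, plain, links = [], "", []
    # Who claims to send this?  The header is forgeable, but a mismatch is still a tell.
    sender_domain = registered_domain(parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2])
    if sender_domain not in brand_domains:
        findings.append(f"sender domain '{sender_domain}' is not one of the brand's")
    # Gather body text and every link, from HTML and plain-text parts alike.
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        text = part.get_content()
        if part.get_content_subtype() == "html":
            p = _LinkExtractor()
            p.feed(text)
            links.extend(p.links)
            plain += re.sub(r"<[^>]+>", " ", text)
        else:
            plain += text
            links.extend((u.rstrip(".,)"), u) for u in re.findall(r"https?://\S+", text))
    # Does the sender know who you are?
    m = re.search(r"dear\s+([^,\n]+)", plain, re.IGNORECASE)
    if m and any(w in m.group(1).lower() for w in GENERIC_WORDS):
        findings.append(f"generic salutation: 'Dear {m.group(1).strip()}'")
    # Where does 'click here' really go?  Compare registered domains, so that
    # 'www.barclays.co.uk.secure-login.example' is not mistaken for Barclays.
    for href, text in links:
        host = urlparse(href).hostname or ""
        dom = registered_domain(host)
        if dom not in brand_domains:
            findings.append(f"link '{text}' leads to {host or href} (domain '{dom}')")
    # Pressure to act now is the other classic tell.
    hits = [p for p in URGENCY_PHRASES if p in plain.lower()]
    if hits:
        findings.append("urgency language: " + ", ".join(hits))
    return findings

PHISH = """\
From: "Barclays Online Banking" <security@barclays-online-verify.example>
Subject: Your online banking has been suspended
Content-Type: text/html; charset=utf-8

<p>Dear Barclays Online Customer,</p>
<p>A third party has tried to log in to your account several times, so your
online banking has been suspended. Please
<a href="http://www.barclays.co.uk.secure-login.example/ib/login">click here</a>
to log in and confirm your identity.</p>
"""
GENUINE = """\
From: "PayPal" <service@paypal.com>
Subject: Your recent account activity
Content-Type: text/html; charset=utf-8

<p>Dear Rob Young,</p>
<p>Your recent account activity is available to view online:
<a href="https://www.paypal.com/myaccount/activity">click here</a> to log in, or
type www.paypal.com into your browser yourself if you would rather not follow a link.</p>
"""
if __name__ == "__main__":
    for label, raw in (("constructed phish", PHISH), ("constructed genuine", GENUINE)):
        print(label, "->", triage(raw) or ["no tells found"])
```

Two points in the code are worth noticing. A ‘click here’ link is judged by its registered domain rather than by the whole hostname, because a scammer can put the real bank's name at the front of a hostname they control (www.barclays.co.uk.secure-login.example still belongs to secure-login.example). And the From: address is only a weak signal, since it can be forged; the article's own advice stands regardless of what the script says: type the company's address into your browser yourself, or telephone, rather than following the link.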

---------------------------------