Information Security

Avoid email scams

Introduction

Every year, criminals operating online use hoax 'phishing' emails to trick millions of people into parting with their passwords, credit card details and other critical personal information. The consequences can be devastating. Depending on the information you give them, they could take money out of your bank account, sell your information on to other scammers, or hijack your social media and email accounts to launch more phishing attacks on your friends. These fake emails and websites can be very difficult to tell apart from the real thing. Here are some useful tips to help you spot and deal with a scam.

Audience:

Everyone

At a glance

  • Never reply to any email asking for your passwords, PINs or other account details. Ever.

  • Make sure you know how to spot phony links and websites.

  • Don't open attachments unless you completely trust where they have come from.

  • If in doubt, always check with your local IT team, the helpdesk or your service provider (e.g. your bank) before responding to anything that looks a bit 'phishy'.

In detail

'Phishing' works because, well, the clue's in the title – it really is like dangling a hook in a big pond and waiting for someone to bite. Phishing emails can be extremely convincing and can easily catch you out, particularly if you're pushed for time and ploughing through a mountain of emails on autopilot.

  • The bad guys can send thousands upon thousands of emails for next to nothing and they only need one or two replies to get a return on their investment.
  • It's dead easy to masquerade as the genuine article when sending an email. Fraudsters can make an identical copy of a bona fide email from, say, your bank or email provider. And they can make links in emails look real.
  • Websites can also be made to look just like the real thing. The only sign it's a scam may be the address shown in the browser's address bar.

There are several tell-tale signs that most (though not all) phishing emails exhibit. While these signs do not necessarily mean the message is phony, you should be suspicious of:

  • Emails that ask for a password, PIN or other personal information.
  • Emails that warn you about some problem or imminent threat (such as: "If you don't respond within 48 hours, your account will be closed").
  • Emails containing technical jargon and an incentive to part with your data (an example might go something like: "We are asking you for your password because we are currently refreshing our database to create more space for you").
  • Emails that ask you to open an attachment or make a donation.
  • Emails relating to topical news items and upcoming events in the public domain (for example, tax return deadlines).
  • Poor spelling and grammar.
  • Emails claiming to offer something that is too good to be true.
  • Generic greetings such as "Dear Bank Customer" or "Dear Email User".

There are online videos showing examples of phishing emails on Lynda.com (free to Oxford users only).

The key to spotting phishing emails and websites is in the links and website addresses (otherwise known as URLs). Scammers can replicate legitimate sites down to the last pixel. However, while the links and website addresses they use can be deceptively similar, they can’t be identical. Here's how to pick a URL apart:

  • Let's take Barclays Bank for example. Its URL is http://www.barclays.co.uk. The important bit is barclays.co.uk: the domain name followed by its top-level domain (the 'registrable domain', if you want to get technical). To make matters easier, modern web browsers highlight this part of the address for you.
  • As long as barclays.co.uk remains intact and is the last thing before the first single forward slash after the http:// or https:// (or at the very end if there is no forward slash), you should be able to trust the URL. Even http://evil-scam-at.barclays.co.uk would still be a genuine Barclays address, because only Barclays can create names under barclays.co.uk. As would barclays.co.uk followed by a forward slash, as in http://barclays.co.uk/log-in.
  • However, be wary of dots and/or dashes after barclays.co.uk, as in http://barclays.co.uk.log-in.com/ (the domain is now log-in.com), and of a forward slash at any point before barclays.co.uk (as in http://example.com/barclays.co.uk/login or even http://example.com/login.barclays.co.uk). Be wary, too, of an '@' sign in the address: in http://barclays.co.uk@log-in.com/ everything before the '@' is treated as a username, and the site you actually visit is log-in.com.
  • Don't trust URLs that use a bare IP address (a string of numbers separated by dots) in place of a domain name, for example https://147.46.236.55/barclays/login.html. A genuine organisation will use its own domain name, and an IP address tells you nothing about who is behind the site. (As you can see here, barclays.co.uk is in any case no longer intact and comes after the first single forward slash, so this would suggest a scam.)
  • Finally, don't let similar domain names trick you – for example, https://www.barclays-real.co.uk/. Remember, barclays-real is no more 'barclays' than 'umbrellas' or 'unicorns'! Look the real website up on a search engine to make sure you know, down to every last character, what the genuine address should be.
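The rules in the bullets above can be made mechanical. The following Python script is an added example written for this page, not code from the University's IT Services: it pulls the registrable domain out of a URL and applies the checks described (a subdomain is fine, dots or dashes after the domain are not, nor is a slash before it, a raw IP address, a look-alike name, or an '@' sign in the address). The tiny public-suffix table is a constructed stand-in for the real Public Suffix List, which production code should load instead; the example URLs are the ones from the bullets plus one constructed '@' example.

```python
"""Pick a URL apart as the bullets above describe: find the registrable
domain (domain name plus top-level domain) and check it is the one expected.
Added example for this page, not the University's own code."""
import ipaddress
from typing import Optional, Tuple
from urllib.parse import urlsplit

# Constructed, deliberately tiny stand-in for the Public Suffix List
# (https://publicsuffix.org/).  Production code should load the full list,
# e.g. via the 'tldextract' package; 'co.uk' is enough for the page's examples.
PUBLIC_SUFFIXES = {"com", "net", "org", "uk", "co.uk"}


def registrable_domain(hostname: str) -> Optional[str]:
    """Return e.g. 'barclays.co.uk' for any host under it, or None when the
    host is a raw IP address, a bare public suffix, or an unknown suffix."""
    host = hostname.lower().rstrip(".")
    try:
        ipaddress.ip_address(host)
        return None  # an IP address is nobody's domain name
    except ValueError:
        pass
    labels = host.split(".")
    # Try the longest candidate suffix first (the whole host), then shorter
    # ones; the first hit is the public suffix and the registrable domain is
    # that suffix plus the label immediately to its left.
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return None if i == 0 else ".".join(labels[i - 1:])
    return None


def check_url(url: str, expected: str) -> Tuple[bool, str]:
    """Return (trusted?, reason) for a link that claims to belong to
    'expected' (the registrable domain you looked up, e.g. 'barclays.co.uk')."""
    parts = urlsplit(url.strip())
    if parts.scheme not in ("http", "https"):
        return False, f"unexpected scheme {parts.scheme!r}"
    # '@' trick: in http://barclays.co.uk@log-in.com/ everything before the
    # '@' is a user name and the real host is what follows it.
    if "@" in parts.netloc:
        return False, f"'@' in address; the real host is {parts.hostname!r}"
    if not parts.hostname:
        return False, "no hostname"
    domain = registrable_domain(parts.hostname)
    if domain is None:
        return False, f"host {parts.hostname!r} is an IP address or an unknown suffix"
    if domain != expected.lower():
        return False, f"registrable domain is {domain!r}, not {expected!r}"
    return True, f"host {parts.hostname!r} is under {domain!r}"


# The bullets' URLs, plus one constructed '@' example.
EXAMPLES = [
    "http://www.barclays.co.uk",
    "http://evil-scam-at.barclays.co.uk",
    "http://barclays.co.uk/log-in",
    "http://barclays.co.uk.log-in.com/",
    "http://example.com/barclays.co.uk/login",
    "http://example.com/login.barclays.co.uk",
    "https://147.46.236.55/barclays/login.html",
    "https://www.barclays-real.co.uk/",
    "http://barclays.co.uk@log-in.com/",  # constructed
]

if __name__ == "__main__":
    for link in EXAMPLES:
        ok, why = check_url(link, "barclays.co.uk")
        print(f"{'OK  ' if ok else 'SCAM'} {link:45} {why}")
```

The script only says whether the address belongs to the domain you expected; it cannot tell you what that domain should be, which is why the text says to look the genuine address up first.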

If an email directs you to a site unrelated to the sender, such as a Google form or spreadsheet, never put in your password or other data.

There are online videos showing how to spot fake links and fake websites on Lynda.com (free to Oxford users only).

As well as knowing a phony web or link address when you see one, there are several other useful tools and tactics you can employ to protect yourself from phishing attacks:

  • Use the 'junk mail' filter in your email client to block spam. (See how to do this for University email accounts).
  • Make sure the link text inviting you to click through to a website is not disguising a rogue URL (hover over it to display the real URL, usually in the bottom left corner of the browser window or in a tooltip in your email client, or follow the guidance here if it's a short URL such as Bit.ly, TinyURL, etc.).
  • Don't follow links in emails that ask you to enter or change personal account information. If you want to verify or perform any requests, go directly to the website in question and log in to your account in the normal way.
  • Don't open attachments that you are not expecting, especially from senders that you do not recognise. These are often used by scammers to hide harmful viruses and spyware.
  • Never trust the sender name or the address in the 'from' field. Unlike true URLs, these are easily forged to mimic a genuine sender exactly.
  • Make sure you have the latest version of your web browser, as the most recent ones can help warn you of known phishing websites.
  • Before submitting personal details on any website, check for the padlock icon in the address bar at the beginning of the website address (some older browsers show it in green) and that the address starts with https:// – this tells you that the connection is encrypted and that the site holds a certificate for the address shown.
  • However, criminals can obtain certificates and create encrypted scam websites just as easily, so a padlock is not a guarantee of safety. You still need to be eagle-eyed about checking the address is exactly what you are expecting it to be (and not, say, bbbc.co.uk, barcleys.co.uk, amaz0n.com, etc.).
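The hover check described above can be automated over a whole message. The following Python script is an added example for this page, not code from IT Services or from any mail client: it pulls every link out of an HTML email body, compares any address shown in the link text with the host the href actually points to (accepting the same host or a subdomain of it, in line with the rule above), and flags shortened links whose destination cannot be seen. The sample message, the shortener list and every address in them are constructed for the example.

```python
"""Automate the 'hover over the link' check over an HTML email body: compare
the address shown in each link's text with the host its href really points
to, and flag shortened links.  Added example for this page, not the
University's own code."""
import re
from html.parser import HTMLParser
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Constructed list of URL shorteners; the page names Bit.ly and TinyURL.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com"}

# Heuristic: the first thing in the visible text that looks like a hostname,
# ignoring any scheme and a leading 'www.'.
HOST_IN_TEXT = re.compile(r"(?:https?://)?(?:www\.)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)", re.I)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a href=...> element."""

    def __init__(self) -> None:
        super().__init__()
        self.links: List[Tuple[str, str]] = []
        self._href: Optional[str] = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def href_host(href: str) -> Optional[str]:
    """Lower-case hostname of an http(s) href without a leading 'www.'."""
    parts = urlsplit(href)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    host = parts.hostname
    return host[4:] if host.startswith("www.") else host


def audit_links(html: str) -> List[Tuple[str, str, str]]:
    """Return (href, link text, problem) for each suspicious link."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        target = href_host(href)
        if target is None:
            continue  # mailto:, tel: and the like carry no web address
        if target in SHORTENER_HOSTS:
            findings.append((href, text, "shortened URL: expand it before trusting it"))
            continue
        match = HOST_IN_TEXT.search(text)
        if not match:
            continue  # plain words such as 'click here': nothing to compare
        shown = match.group(1).lower()
        # Accept the same host or a subdomain of it (the page's own rule);
        # anything else means the text is disguising the real destination.
        if target != shown and not target.endswith("." + shown):
            findings.append((href, text, f"text shows {shown!r} but link goes to {target!r}"))
    return findings


# Constructed sample message; every address in it is made up for the example.
SAMPLE_EMAIL = """
<p>Dear Bank Customer,</p>
<p>Please <a href="http://barclays.co.uk.log-in.com/">log in at www.barclays.co.uk</a>
within 48 hours or your account will be closed.</p>
<p>Or use this link: <a href="https://bit.ly/example">https://bit.ly/example</a></p>
<p>Questions? <a href="mailto:help@example.com">Email us</a> or visit
<a href="https://www.barclays.co.uk/help">www.barclays.co.uk/help</a>.</p>
"""

if __name__ == "__main__":
    for href, text, problem in audit_links(SAMPLE_EMAIL):
        print(f"{problem}\n    text: {text!r}\n    href: {href}")
```

Links whose text is plain words ('click here', 'Email us') are not flagged, because there is nothing to compare; for those, the hover check and the URL rules earlier on this page still apply.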

If you receive a phishing email that asks for University credentials such as your password, forward it immediately to phishing@it.ox.ac.uk. Remember, the University will never ask for your password or other details, either by email or by phone.

Delete all other phishing emails and/or report them to the organisation they were masquerading as - links are available below for some of the most commonly targeted sites. You can often report fraudulent sites using your web browser (e.g. Mozilla Firefox has the ability to do this) or service provider.

If you've given away a password, PIN, your banking details or other sensitive data, change the password immediately (on every other account where you used the same password, too) and inform the relevant service provider.

Further information on:

Reporting phishing e-mails to common internet providers: