If you see an email with links you can click on what should you do? Well, I will tell you what you should not do. You should not click on them unless you know what you are doing. I will give you an example from the real world. This comes from my very own email inbox. First, I will tell you that the sender of the email was “PayPal” (not the real one) and the message was this:
Dear Valued Member of PayPal, A very unusual activity has been detected that was linked to your PayPal account. It appears that someone gained access to your account without your consent. This intrusion have led us to restrict your account access. In order for you to have full access to your account again, please follow these two simple steps. (1) Download the attachment provided by our Security Team. (2) Open the attached file (in your Web Browser) and fill in the required fields. After you have verified your account by following these steps, our automated security system will add layers of protection to your account. We would like to thank you for your serious attention. Sincerely, PayPal Account Review Department
What do you think was the first thing I did about this? If you cannot guess, I will tell you that I opened a separate browser and logged into my account. No problems at all. The account was just fine. Now the first thing you should notice about this email is that it asks you for personal and sensitive information by way of a downloaded attachment, which in this case was an HTML file. An HTML file opened in your browser can contain a form that looks exactly like a login page but sends whatever you type into it to the scammer’s server. No legitimate company will ask you to download and open an attachment to “verify” your account details. That should be your first clue that this is a scam email. Your second clue is that they address you as though they have no idea what your name is, with nothing to show that they know anything about you, which is exactly what one would expect from a mass mailing designed to scam people. Your third clue is the bad English: “have led us” should be “has led us” because “intrusion” is singular. I’m not an expert in English grammar, but this just sounds awkward to me.
The sender’s email address was email@example.com, which is very similar to a real PayPal email address (firstname.lastname@example.org). Granted, there are many large departments within an organization like PayPal, so there are many legitimate addresses in use, and the From address of an email can be forged outright in any case. I say to that: if in doubt, open a new browser, go to the main web page yourself and find out who to contact regarding an email they allegedly sent. But don’t under any circumstances reveal any personal information from within the email. In fact, don’t reply to it at all. Go directly to the real web page by typing in the address yourself. As an aside, if you get an email asking whether you want to change a subscription status (such as a newsletter), do not, as some of my clients have done, reply to it hoping to get taken off the mailing list, especially if you are unfamiliar with the sender. If you do that, all you’ve accomplished is to verify that your email address is a live one that can be sold. Go directly to the web site in question, where you will almost always find links to remove yourself from any mailing lists.
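A simple version of that sender check, as an added example that is not part of the original post: it takes a From: header, pulls out the domain of the address and flags the tricks this kind of scam uses (the real company name buried as a subdomain of some other domain, a lookalike spelling such as a digit 1 in place of the letter l, or a brand in the display name with an unrelated address behind it). The list of legitimate domains, the two-label approximation of a “registrable” domain and the sample headers are assumptions made for illustration.

```python
from email.utils import parseaddr

# Assumption: the domains the real company sends mail from. A production
# check would carry the full list; one entry is enough for illustration.
LEGIT_DOMAINS = {"paypal.com"}

# Digits that scammers substitute for look-alike letters.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def registrable(domain):
    """Approximate the registrable domain by its last two labels.
    Assumption: a real implementation would use the Public Suffix List so
    that names like example.co.uk are handled correctly."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def normalize(label):
    """Fold common character substitutions (paypa1, rn for m) into plain letters."""
    return label.translate(CONFUSABLES).replace("rn", "m").replace("vv", "w")


def edit_distance(a, b):
    """Levenshtein distance, used to catch one-letter misspellings of a brand."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_sender(from_header, legit_domains=LEGIT_DOMAINS):
    """Classify a From: header value as ok, lookalike, suspicious or unrelated.

    Returns a (verdict, reason) pair so the caller can log the reason."""
    name, addr = parseaddr(from_header)
    if "@" not in addr:
        return "suspicious", "no parseable address in From: header"
    domain = addr.rsplit("@", 1)[1].lower()
    reg = registrable(domain)
    if reg in legit_domains:
        return "ok", f"{addr} is under the legitimate domain {reg}"
    base = normalize(reg.split(".")[0])
    for legit in legit_domains:
        brand = legit.split(".")[0]
        # paypal.com.account-review.net: the real name used as a subdomain.
        if f".{legit}." in f".{domain}.":
            return "lookalike", f"{legit} appears as a subdomain of {reg}"
        # paypa1.com, paypall.com, paypal-security.com: the brand imitated or embedded.
        if base == brand or brand in base or edit_distance(base, brand) <= 1:
            return "lookalike", f"{reg} imitates {legit}"
    for legit in legit_domains:
        brand = legit.split(".")[0]
        if brand in name.lower():
            return "suspicious", f"display name mentions {brand} but the address is at {reg}"
    return "unrelated", f"{addr} is not under {', '.join(sorted(legit_domains))}"


if __name__ == "__main__":
    # Constructed sample headers, modelled on the scam described above.
    for header in [
        "PayPal <service@paypal.com>",
        "PayPal <security@paypal.com.account-review.net>",
        "PayPal Account Review Department <review@paypa1.com>",
        "PayPal Account Review <review@randommail.example>",
    ]:
        print(header, "->", check_sender(header))
```

This catches lookalikes, not outright forgery: the From: header itself can be made to say anything, which is why mail providers also check SPF, DKIM and DMARC before trusting it. Treat a verdict of “ok” as “not obviously fake”, nothing more.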
You will sometimes forget a password for a site you use, so you click the “Forgot Password” link, which sends you an email containing a link to reset it. This is legitimate, and an action you initiated yourself, so it is OK in this case to click the link. However, it is still better in my opinion to copy the link and paste it into a new browser tab, after checking that the address belongs to the site you asked for the reset. You may as well make it a habit.
If you see a link in your Internet browser, or in your email program, you can check where it really leads by hovering your mouse over it without clicking. For example, here is a link I have created that points to the web site Google.
Now hold your mouse over the link and you will see its real URL. By the way, “URL” stands for “Uniform Resource Locator”, which is a geek way of saying “Internet address”. The real URL appears in the status area at the bottom left of the browser window. This is true of Firefox, Internet Explorer, Google Chrome and Safari alike. Two caveats: what you see is the address the page declares at that moment, and a script on the page can change the destination at the instant you click, so hovering is a quick check rather than a guarantee; and on a phone or tablet there is no hover, so press and hold the link instead to see its address before you open it.
Here is another example:
Now hover your mouse over this link and check the real URL in the bottom left of your browser window. What do you see there? Anything suspicious? (This is not a real web site, so do not bother clicking on it; it will just open an error page.) The point is that if you clicked this link you would be taken to a web site that looks legitimate but is designed to steal your credentials. It is incredibly easy to fake a web site that looks like the real thing: the scammer saves a copy of the real site’s pages and images, then rewires the login form so that whatever you type is sent to his own server. It looks like the real thing, but it does things you don’t want done to you.
I have not tested every email program out there, but the email clients I have tested (Outlook, Outlook Express, Windows Mail, Windows Live Mail), and web-based mail such as SquirrelMail, work in a similar way, except that when you hover your mouse over a link the real URL appears in a tooltip beside the mouse cursor.
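The link-text trick above, and the HTML attachment with “required fields” from the first email, can both be checked mechanically rather than by eye. Here is an added example (not from the original post) that parses an HTML message, compares each link’s visible text with where its href actually points, flags links that leave the expected site, and flags forms that collect passwords or card numbers and post them somewhere else. The expected host (paypal.com), the field-name patterns and the sample message are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: the site the message claims to come from.
EXPECTED_HOST = "paypal.com"

# Assumption: field names that indicate a form is harvesting credentials or payment data.
SENSITIVE = re.compile(r"pass|pin|card|cvv|ssn|account", re.I)


def host_of(url):
    """Host part of a URL, lower-cased; '' for relative, mailto: or broken links."""
    try:
        return (urlsplit(url.strip()).hostname or "").lower()
    except ValueError:
        return ""


def host_in_text(text):
    """If a link's visible text looks like a URL or bare host name, return that host.
    The scam relies on this text saying one thing while the href says another."""
    t = text.strip()
    if not t or " " in t:
        return ""
    if "://" not in t:
        t = "http://" + t
    host = host_of(t)
    return host if "." in host else ""


def same_site(host, expected):
    return host == expected or host.endswith("." + expected)


class LinkAndFormScanner(HTMLParser):
    """Collect each <a> with its visible text and each <form> with its inputs."""

    def __init__(self):
        super().__init__()
        self.links = []   # [href, visible text]
        self.forms = []   # {"action": url, "inputs": [(type, name), ...]}
        self._in_link = False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "a":
            self.links.append([a.get("href", ""), ""])
            self._in_link = True
        elif tag == "form":
            self.forms.append({"action": a.get("action", ""), "inputs": []})
        elif tag == "input" and self.forms:
            self.forms[-1]["inputs"].append(((a.get("type") or "text").lower(), a.get("name", "")))

    def handle_endtag(self, tag):
        if tag == "a":
            self._in_link = False

    def handle_data(self, data):
        if self._in_link and self.links:
            self.links[-1][1] += data


def scan_message(html_text, expected=EXPECTED_HOST):
    """Return (kind, detail) findings for deceptive links and credential-harvesting forms."""
    scanner = LinkAndFormScanner()
    scanner.feed(html_text)
    scanner.close()
    findings = []
    for href, text in scanner.links:
        target = host_of(href)
        shown = host_in_text(text)
        if shown and target and shown != target:
            findings.append(("text-href-mismatch", f"text shows {shown} but href goes to {target}"))
        if target and not same_site(target, expected):
            findings.append(("offsite-link", f"{href} is not under {expected}"))
    for form in scanner.forms:
        sensitive = [n for t, n in form["inputs"] if t == "password" or SENSITIVE.search(n)]
        action = host_of(form["action"])
        if sensitive and not same_site(action, expected):
            findings.append(("credential-form-offsite",
                             f"form collects {sensitive} and posts to {action or 'a relative URL'}"))
    return findings


# Constructed sample, modelled on the two emails described above (not a real message).
SAMPLE_EMAIL = """
<p>Dear Valued Member, please
<a href="http://paypal.com.account-review.net/login">www.paypal.com/verify</a>
your account within 24 hours.</p>
<p>Questions? Visit the <a href="https://www.paypal.com/help">Help Center</a>.</p>
<form action="http://203.0.113.10/collect.php" method="post">
  Email: <input name="email">
  Password: <input type="password" name="password">
  Card: <input name="card_number">
  <input type="submit" value="Verify">
</form>
"""

if __name__ == "__main__":
    for kind, detail in scan_message(SAMPLE_EMAIL):
        print(f"{kind}: {detail}")
```

The same scanner can be pointed at a saved HTML attachment: a file that presents a login or “verification” form whose action posts to an address outside the company’s own site is exactly the trap described in the first email.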
So I will now post another real email I got just to demonstrate something to you. This is from the real PayPal:
Hello Jar Media Ltd.,
You recently attempted to transfer funds from your bank account to
your PayPal account.
Your bank declined the funds transfer on Dec 16, 2011.
We have charged your credit card, which you choose as your backup
funding source, to complete your payment to email@example.com.
Transaction Type: Instant Transfer payment to xxxxxxxxxxx.com
Transaction ID: xxxxxxxxxxxxxxx
Transaction Date: Dec 10, 2011
Transaction Amount: $xxx.xx CAD
Item number: xxxxxxxxxxxx
PROTECT YOUR PASSWORD
NEVER give your password to anyone, including PayPal employees.
Protect yourself against fraudulent websites by opening a new web
browser (e.g. Internet Explorer or Firefox) and typing in the PayPal
URL every time you log in to your account.
Please do not reply to this email. This mailbox is not monitored and
you will not receive a response. For assistance, log in to your
PayPal account and click the Help link in the top right corner of
any PayPal page.
Copyright © 1999-2011 PayPal. All rights reserved.
I want you to notice four things about this legitimate email. The first is that I replaced real numbers and email addresses with x’s because they are none of your business, frankly. The second thing is that they addressed the company account, Jar Media Ltd., not some impersonal “valued member”. A personalized greeting on its own is not proof, since a scammer who has your name from a leaked customer list can use it too, but its absence in a message from a company you deal with is telling. The third thing is that they never once asked me for any personal information. Finally, the fourth thing I want you to notice is the paragraph they included under “PROTECT YOUR PASSWORD”. By the way, the problem was a bank mistake and not that we are shiftless losers, ha ha! The account was fine, but a glitch caused the transaction not to be approved in time, hence the fallback to the credit card. Notice that they did not ask for my account number and did not publish any account information whatsoever in the email.
In future posts, I will talk about on-line security when shopping. I will also address how you can protect yourself from bogus software pop-ups when browsing the Internet. You know, the ones that pop up to tell you your computer is infected by a virus and you should click to install the perfect anti-virus program? For now, I’ll just say you should never take the bait. That way I won’t have to carry your dead computer carcass home to disinfect it.