Phishing

   

Phishing email messages are designed to steal your identity. They ask for personal data, or direct you to websites or phone numbers where you are asked to provide personal data.

The emails will purport to come from a legitimate organisation such as a bank or credit card company. They may also appear to come from someone in your address book, either a friend or a business contact. They might include official-looking logos and other identifying information taken directly from legitimate websites, and they might include convincing details about your personal history that scammers found on your social networking pages.

The email may claim that you have a secure message, that fraudulent activity has been detected on your account or that you need to update your details to continue using your on-line banking facility.

It may well contain a link to a fake version of an organisation's website, with a log-in form asking you to enter your user-name, password and other security information.

It may give a phone number or other contact information.

If you provide the information there is every chance your bank account will be emptied, contact addresses changed and you will run a risk of being a victim of identity fraud.

Another variation attempts to trick recipients into installing a trojan on their computer, either by opening an email attachment or downloading the trojan from a website.  The scammers can then use the trojan to collect information from the infected computer.

Scam emails are randomly mass-mailed to many thousands of Internet users in the hope of netting just a small number of victims.  The majority of people who receive these scam emails will probably not even be customers of the targeted institution.  However, the scammers rely on the statistical probability that at least a few recipients will be.

Phishing messages urge you to click on links in emails and websites. These links often contain all or part of a real company's name, but they are "masked": the link you see does not take you to the address stated but somewhere different, usually an illegitimate website.

Hovering your mouse pointer over the link, without clicking, will bring up a pop-up box somewhere on the screen that reveals the real web address.

In phishing emails these often show as a string of cryptic numbers.

A link such as

https://www.halifaxonline.co.uk/personal/logon/login.jsp

may actually be

http://192.176.346.489/name/index.htm/3957601255493/ 

Such an address must be treated suspiciously.

 

Cybercriminals also use web addresses that resemble the names of well-known companies. This is called "typo-squatting" or "cybersquatting", where slight alterations are made by adding, omitting, or transposing letters from the real address.

 

What are the signs that something is wrong?

Key points to remember 

Pay close attention to the "To:" address. Often the email will not be addressed directly to you.  If it isn't, then it may not be a legitimate message from the organisation it claims to be from.  If the "To:" address contains multiple addresses, this is also likely to be a sign that the email is a fake.

The "From:" address of an email cannot be trusted, as it is easily faked by the criminals who send out the Phishing emails.

The subject of a Phishing email may give away some small clues to the fact that it is fake.  They usually have urgent or exciting claims in the subject line, using words such as "Important Announcement".  Be careful of emails like this.  Also look out for spelling/grammar mistakes and typos. 

Phishing emails will almost always use the correct logo for the organisation they are trying to defraud.  The logos are extremely easy for Phishers to re-use, so do not place any trust in the logo of a company within an email - it does not guarantee the message is legitimate. 

Phishing emails will usually address you in general terms; they won't personalise the message to you.  So if they are claiming to be from your bank and they have addressed the email to "Dear Customer", use caution as the email may be fake.

Web links may appear to be going to the correct website but take you to a fake website when you click on them. To be certain, never click a link within an email. Simply type the address that you know is correct into the web browser address bar.

All web addresses start with either HTTP or HTTPS.  The S signifies that the website is using a secure connection.  If you have clicked a link that is claiming to be from a financial organisation and you are asked for personal information, never supply the details unless the address type is HTTPS.  Remember though, the Phishing gangs can also use HTTPS security, so this is only one part of the address you should check.

A web address may start off looking like a legitimate site, but it can be deceptive.

https://www.halifaxonline.co.uk.personal/logon/login.jsp

This is a bogus web site called halifaxonline.co.uk.personal, not halifaxonline.co.uk.
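
The link checks described above (a visible address that masks a different destination, a destination made of numbers, and a host name that merely contains the real name), as an added example that is not part of the original page. The TRUSTED list, the sample message and all function names are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: the domains the recipient really deals with (illustrative allow-list).
TRUSTED = {"halifaxonline.co.uk"}
# Constructed sample message body reusing the addresses shown on this page.
SAMPLE = (
    '<p>Dear Customer, <a href="http://192.176.346.489/name/index.htm/3957601255493/">'
    'https://www.halifaxonline.co.uk/personal/logon/login.jsp</a> or '
    '<a href="https://www.halifaxonline.co.uk.personal/logon/login.jsp">log in</a> or '
    '<a href="https://www.halifaxonline.co.uk/personal/logon/login.jsp">Halifax</a></p>'
)

class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(url):
    return (urlsplit(url).hostname or "").lower().rstrip(".")

def check_link(href, text):
    """Return the warning signs for one link: where it shows vs. where it goes."""
    host, warnings = host_of(href), []
    shown = host_of(text) if re.match(r"https?://", text, re.I) else ""
    if shown and shown != host:
        warnings.append("masked")          # text shows one site, href goes elsewhere
    if re.fullmatch(r"[0-9.]+", host):
        warnings.append("numeric-host")    # a string of numbers instead of a name
    trusted = any(host == d or host.endswith("." + d) for d in TRUSTED)
    if not trusted and any(d in host for d in TRUSTED):
        warnings.append("lookalike-host")  # real name embedded in a different host
    return warnings

def scan(html):
    parser = LinkCollector()
    parser.feed(html)
    return {href: check_link(href, text) for href, text in parser.links}
```

Calling scan(SAMPLE) returns the warnings for each link target; a host counts as trusted only when it equals a trusted domain or ends with a dot followed by that domain.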

No legitimate company will ever ask you to enter personal details via an email.

Always check bank/credit card statements you receive and periodically do a credit report on yourself.

 

DO NOT click on any links in a scam email.

DO NOT reply to the email or attempt to contact the senders in any way.

DO NOT open any attachments that arrive with the email 

DELETE the email from your computer. 

 

REPORT the phishing scam.

If you have not responded to the email.

Go to the Action Fraud site and forward the email to them.

Report Phishing emails 

If you entered personal details.

Contact the organisation that the scammers were impersonating. The web site will have a reporting portal which you can use.  

If you have suffered a financial loss.

Report the fraud to Action Fraud who will supply a crime number.

Report a Fraud