A few days ago, the following cell phone statement was sent to one of our company email addresses:
Although this looked to us like a genuine cell phone statement, before we got out our wallet to pay our bill, we had to wonder: why is an American cell phone service provider sending an account statement to our company in Canada?
This unexpected and nonsensical incident led us to presume that this email was a hoax. To be sure, we hovered (without clicking) over each of the hyperlinks in the email to see the URLs to which they led, and sure enough, they were linked to websites whose URLs do not suggest any relation to Verizon Wireless. Although this email appeared to be a legitimate cell phone statement from a trusted (albeit American) business, we decided to delete it without paying our bill, even at the risk of incurring late fees.
Emails like the one we received may be the result of an identity theft tactic called phishing. The term phishing, deliberately similar to the word “fishing”, refers to luring techniques used by identity thieves to fish for personal information in a pond of unsuspecting Internet users. For example, we assume that the email we received is used to bait users into submitting their financial information, such as their credit card number. Thinking they’re paying their cell phone bill, these phishing victims are unknowingly giving their sensitive information directly to a cybercriminal to exploit. As with many phishing emails, the links contained within our Verizon bill may lead to a website that actually looks like a Verizon Wireless bill pay website, making it easier to fool the recipient into entering their sensitive information. The links could also point to a website that tries to exploit the recipient’s Internet browser or plugins to gain access to their computer.
Most phishing scenarios try to scare the email’s recipient into thinking there is a threat to their bank account or credit card that requires immediate attention. Others try to make the recipient think that they’ve won a prize. Regardless of type, the intent of such emails is the same: to trick the recipient into disclosing their personal and financial information. Once they have received it, phishers commonly use the information to exploit the recipient’s existing accounts or to open new accounts under the recipient’s name. The recipients usually do not realize they have become the victims of identity theft until significant damage has been done.
To avoid “taking the bait” of a phishing scheme, Internet users should be cautious of unexpected emails from unknown senders requesting personal, login or financial information. General guidelines with regard to all email include:
- Immediately deleting email that looks like spam or that comes from an unknown sender without opening it;
- Not opening email attachments or following links that are unfamiliar;
- Being cautious of emails riddled with bad grammar and spelling, which is common to phishing emails;
- Hovering over hyperlinks before following them to see the web address the link directs to;
- Reporting suspicious emails requesting personal, login or financial information to the Canadian Anti-Fraud Centre, the Internet Crime Complaint Center (US), and/or the institution the email appears to be from.
For more tips on recognizing phishing scams and preventing identity theft, visit:
Bytelok provides security solutions that protect businesses from malicious emails and other network threats. For more information, visit our website at www.bytelok.com.