By now, chances are you’ve heard the preaching about how important it is to have good, strong passwords – and how your passwords should contain at least twelve digits and be peppered with special characters whenever possible. You’ve also probably heard you should have a different password for each and every account or website you frequent. And let’s just assume you’re heeding that advice.
Regardless of how long, strong, or clever your passwords may be, none of that matters if you share your passwords with the wrong person. So it goes without saying that you wouldn’t willingly or knowingly give your password to just anybody. In fact, as wise as you are, you probably wouldn’t share any of your passwords with someone else. However, in spite of your prudent intentions, you might do just that if you’re not extremely careful.
With today’s sophisticated “phishing” and “spoofing” tactics, you could easily be duped into providing your login credentials for a website by typing your user ID and password into what you think is the real website, but in actuality, it’s a very convincing fake. These lookalike or “spoof” websites appear to be the real thing, so much so that you could easily be lulled into providing your username and password without batting an eye.
It’s important to understand how and why you might end up on a fake website in the first place. Often it starts with a phishing email message you receive. The email is fake and comes from an online scam artist posing as a credible organization that you trust and with which you normally conduct business. The emails can truly seem authentic, containing believable imitations of the company’s logo. But because they are contacting you, and through email no less, you should put your “suspicious” shoes on, even if nothing appears amiss. Here’s what to do if you receive an email like this:
First, if the message seems overly suspicious, don’t open it at all – just delete it.
Secondly, assuming you’ve opened the message, take a look at the actual email address of the sender by hovering your mouse over the sender’s name/address, right-click your mouse to display a menu, then left-click on “Properties” to see if the message is really from who it purports to be from. In other words, if the email says it’s from Chase Freedom, the email address should end in “chase.com.” (NOTE: Just because the email passes this test, doesn’t guarantee you’re in the clear. It’s easy for hackers to spoof a legitimate email address, so don’t rely solely on this check for verification.)
Spoof emails usually contain links within the body of the message that take you to other websites. DO NOT click on them! First, check for fake links. Move and hover your mouse over the link in the email message and study the URL, which is usually displayed in your system tray at the lower left portion of your screen. If it looks suspicious, don’t click it. Spam (phishing) emails are geared to redirect you to a spoofing website where they’ll ask you to enter your personal information. Never respond to emails asking for your account related information, such as account number, user ID, and/or passwords. If you want to be sure you’re visiting the authentic website of a particular organization, it’s safest to open a new browser window and type the URL yourself, such as www.chase.com.
If you have clicked on a link and landed on a website, be sure to verify it’s not a spoofing website – even if everything else looks exactly like the real deal. It’s possible you’ve been redirected to a webpage resembling the login screen for the business in question. BUT WAIT! Slow down, take a minute, and think. Spammers (aka “cyber criminals”) hope you don’t hesitate or take the time to think. In fact, that’s exactly what they’re counting on! They want you to just plow ahead on “auto-pilot” and enter your user name and password when prompted, without thinking twice. But if you do and the website is not the “Real McCoy”, they’ve got what they wanted — your information!
To prevent this, anytime you are prompted by a website to enter information specific to you, whether a login, password, account number, or any other piece of information, make sure you verify you are really on the actual website and not a fake one.
- Study the website URL in the address bar. For example, make sure it is really “twitter.com” and not a deceivingly close “twiter.com”. Close doesn’t cut it. If it’s not exact, it’s not the site you want.
- Some fake websites will insert a false address over the actual, evil address, making it appear as though you’re on a legitimate website. Just because a URL contains the name of the business in it, doesn’t mean it’s legitimate.
- Also, look for a secure lock icon in your browser where it normally would appear, such as immediately to the right of the address bar if you’re using Internet Explorer. Check to be sure it isn’t a fake icon placed somewhere else on the page just to fool you.
- Look for “https” before any website address (URL) where you’ll be entering personal information. The “s” stands for secure. If you don’t see “https” you’re not on a secure website and you shouldn’t enter any personal information.
- Never respond to any online forms or popup windows asking you to login, change or update your user ID or passwords, or provide any other sensitive personal information. Only do this if you’ve initiated the visit to the company’s website yourself by typing the URL directly into your browser’s address bar.
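The address-bar checks in the list above can be expressed as code. The following is an added example, not part of the original article: the function names and finding labels are assumptions, and the sample URLs are constructed (`example.net` is a placeholder host). It matches the host on a dot boundary, so “notchase.com” does not pass as “chase.com”, and it shows that a lookalike served over “https” is still flagged.

```python
from urllib.parse import urlsplit

def edit_distance(a, b):
    """Levenshtein distance between two short strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def host_matches(host, trusted):
    """True only for the trusted domain itself or a subdomain of it."""
    host, trusted = host.lower().rstrip("."), trusted.lower()
    return host == trusted or host.endswith("." + trusted)

def check_url(url, trusted):
    """Return a list of findings for `url` judged against `trusted` (e.g. 'twitter.com')."""
    parts = urlsplit(url)
    host = parts.hostname or ""   # hostname ignores any "user@" prefix
    findings = []
    if parts.scheme != "https":
        findings.append("not-https")
    if host_matches(host, trusted):
        return findings  # right site; only the scheme can still be wrong
    brand = trusted.split(".")[0]
    last_two = ".".join(host.split(".")[-2:])
    if edit_distance(last_two, trusted) <= 2:
        findings.append("lookalike-domain")        # e.g. one letter dropped
    elif brand in url.lower():
        findings.append("brand-in-url-wrong-host")  # name present, host is not
    else:
        findings.append("different-domain")
    return findings

# Constructed sample URLs (example.net is a placeholder, not a real phishing site).
SAMPLES = [
    "https://twitter.com/login",
    "https://twiter.com/login",
    "http://twitter.com/login",
    "https://twitter.com.example.net/login",
    "https://twitter.com@example.net/login",
    "https://example.net/twitter.com/login",
]

if __name__ == "__main__":
    for u in SAMPLES:
        print(u, "->", check_url(u, "twitter.com") or ["ok"])
```

An empty result means only that the host and scheme match the domain you expected; it says nothing about whether the message that brought you there was genuine.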
Some of the more commonly spoofed organizations for emails and websites include financial and banking institutions like Chase, Citibank, PayPal, social media outlets, escrow service providers, as well as online commerce websites like eBay.
The intent of spamming and spoofing is to trick you into handing your personal information over to online dirtbags. They are identity thieves, plain and simple, and they’re hoping you’re not paying attention. Make sure you slow down and scrutinize the emails you receive and verify the websites you visit. It will be worth it!