Tech for the Timid



Monday, March 07, 2005

How to Identify a "Phishing" Scam

"Phishing" scams are some of the worst types of scams, because they look like legitimate emails. A phishing scam (pronounced "fishing") is an email (or even a phone call) where someone pretends they are your bank, doctor's office, credit card company, utility, etc., and they try to get you to reveal your personal information. They then use this information to obtain money from your bank account, credit cards, or worse.

I recently received what appeared to be an email from Washington Mutual bank. Although at first glance it looked legitimate, there were a number of things wrong with it that made it recognizable as a phishing scam. In this article I will show you the email I received and teach you how to tell that it was fake so you can protect yourself and your family.

The email, which even contained a Washington Mutual logo, read as follows. I've replaced some text as indicated by [square brackets]:


From: "Washington Mutual Security Service"
To: [one of my business emails]

WARNING: CONFIRM YOUR ONLINE BANKING RECORDS

Dear [one of my business emails],

We recently have determined that different computers have logged onto your Online Banking account, and multiple password failures were present before the logons. We now need you to re-confirm your account information to us. If this is not completed by March 5th, 2005, we will be forced to suspend your account indefinitely, as it may have been used for fraudulent purposes. We thank you for your cooperation in this manner.

To confirm your Online Banking records click here:
https://login.[fake Washington Mutual site].com/logon/logon.asp?dd=1&Update&Your&Info

Thank you for your patience in this matter.

Washington Mutual Customer Service

Please do not reply to this e-mail as this is only a notification. Mail sent to this address cannot be answered. Copyright 2005, Washington Mutual, Inc. All Rights Reserved.


Looks fairly legitimate at first glance. Here are the top reasons that I recognized it as a fake:


  1. I do not have a bank account with Washington Mutual. However, sometimes a phishing scam might use one of your real accounts, so beware!

  2. It was addressed to a business email account that I do not use for personal business.

  3. It asked me to confirm personal details. No reputable business will EVER ask you to confirm personal details by email or telephone. They will always send you a letter or ask that you come into their branch.

  4. The "Dear:" line didn't have my name, only my email address. If I had an account at Washington Mutual, wouldn't they know my name?

  5. They made an unrealistic demand with a threatening tone, "We now need you to re-confirm your account information to us. If this is not completed by March 5th, 2005, we will be forced to suspend your account indefinitely..." No legitimate business would simply shut down your account indefinitely with only a few days' notice just to confirm some personal information.

  6. A link to a fake Washington Mutual web site was used. This one was very tricky to notice. In the text it appeared to point to a Washington Mutual web site, but my email client warned me "The actual host is different than the host in the link text" when I hovered my pointer over it. Not all email clients are smart enough to do this. Sometimes they'll show you the real address in the status bar at the bottom of the window, but the real address, had I clicked, would have taken me to a different illegitimate site (which has subsequently been taken down). Now be careful; many people are taught that if a web address begins with "https:" rather than "http:" it is a secure site. Do not confuse the appearance of a secure web address with a legitimate web address. The bad guys can use "https:" too.

  7. Never trust the "From:" field; it is easily faked. I checked the "Reply-To:" and it listed a different email address at Washington Mutual. I knew already it was a fake address, and a quick email to that address confirmed it. I do not recommend you reply to any email addresses that you suspect might be from a phishing scam!
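Points 6 and 7 above (a link whose visible text names one host while it really points somewhere else, and a "Reply-To:" that does not match the "From:") are exactly the kind of thing a small script can check for you. The following is an added example written for this article, not code from the original post or from any email client or bank; the sample message, its addresses and its host names are constructed placeholders on the reserved .example and .invalid domains, standing in for the real and fake sites the article describes.

```python
# Added example (not from the original post): scan an email for two of the
# phishing indicators described in the article -- a Reply-To header whose domain
# differs from the From header, and an HTML link whose visible text shows one
# host while its href points at another. All addresses and hosts below are
# constructed placeholders (.example / .invalid reserved domains).
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser

# Constructed sample resembling the message quoted in the article.
SAMPLE_EMAIL = """\
From: "Washington Mutual Security Service" <security@wamu.example>
Reply-To: confirm@wamu-alerts.invalid
To: someone@business.example
Subject: WARNING: CONFIRM YOUR ONLINE BANKING RECORDS
Content-Type: text/html

<html><body>
<p>To confirm your Online Banking records click here:</p>
<a href="https://login.fake-bank.invalid/logon/logon.asp?dd=1">
https://login.wamu.example/logon/logon.asp</a>
</body></html>
"""

# Matches a URL or bare hostname and captures the host part.
HOSTLIKE = re.compile(r"^(?:https?://)?([A-Za-z0-9.-]+\.[A-Za-z]{2,})(?:[:/?#]|$)")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(value):
    """Return the lowercase host named by a URL or bare hostname, else None.

    Link text such as "click here" names no host and yields None, so it is
    never compared against the href.
    """
    m = HOSTLIKE.match(value.strip())
    return m.group(1).lower() if m else None


def domain_of_address(header_value):
    """Return the lowercase domain of an address header like 'Name <a@b>'."""
    return parseaddr(header_value)[1].rpartition("@")[2].lower()


def phishing_indicators(raw_email):
    """Return a list of human-readable warnings for the indicators found."""
    msg = message_from_string(raw_email)
    warnings = []

    # Indicator 7: Reply-To sends replies somewhere other than the From domain.
    from_domain = domain_of_address(msg.get("From", ""))
    reply_domain = domain_of_address(msg.get("Reply-To", ""))
    if reply_domain and reply_domain != from_domain:
        warnings.append(
            f"Reply-To domain {reply_domain!r} differs from From domain {from_domain!r}"
        )

    # Indicator 6: the link text shows one host but the href goes to another.
    parser = LinkCollector()
    parser.feed(msg.get_payload())
    for href, text in parser.links:
        shown, actual = host_of(text), host_of(href)
        if shown and actual and shown != actual:
            warnings.append(f"link text shows host {shown!r} but points to {actual!r}")
    return warnings


if __name__ == "__main__":
    for warning in phishing_indicators(SAMPLE_EMAIL):
        print("WARNING:", warning)
```

Run against the constructed sample, the script reports both indicators: the Reply-To domain differs from the From domain, and the link that displays `login.wamu.example` actually points to `login.fake-bank.invalid`. A link whose text is just "click here" names no host, so it produces no warning on its own; the article's advice still applies there, since the only safe check is to hover over (and not click) the link, or to go to the bank's site by typing the address yourself.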


I immediately notified the US Federal Trade Commission as well as the real Washington Mutual, as recommended by Washington Mutual's security guide. They have a good guide to your online security, well worth a read.

My final advice to you is that if you aren't sure if an email is legitimate, do not reply! Telephone your bank/credit card/utility (whoever they say they are representing) yourself to confirm whether they sent you any emails. Remember to get the telephone number from the phone book or one of your bills, do not use the telephone number in the email!