"Phishing" - pronounce as "fishing" - is a practice on the Internet in which swindlers try to obtain personal information.
How does it work?
The victim receives an email which, at first glance, looks like it has been sent by a financial institution, a company, an online store, a government agency, or the victim's own employer or educational institution.
The email explains why the message was sent to you, but it basically comes down to the following: there is some kind of problem, the victim is expected to take action, and if the victim does not do so, access to the service that the victim uses will be revoked in a very short time.
To allow the victim to respond, several methods are used: the victim can respond by email, by visiting a website indicated in the email or, in some cases, by making contact by phone.
DO NOT LET SUCH EMAILS FOOL YOU!
By responding to such an email, you provide the swindlers with valuable information that they will use for their illegal activities.
So never provide any personal information this way: no bank account numbers or credit card details, no information about your identity, no email addresses or passwords, not when you are at home (or on holiday), not which financial institution you are a client of, who your employer is, or at which educational institution you are studying, ...
How to recognize a phishing email?
Phishing messages are sometimes very realistically drafted, and even the website to which you are redirected has all the features of the official website of the targeted institution. But don't be mistaken: it's all fake!
There is no easy way to actually recognize a phishing email. We can only advise you to use your common sense when receiving certain (strange) email messages.
Here are a few pointers though.
1. Institutions and companies will never request to send back any personal information by email. NEVER!
2. Institutions and companies will never send you an email with instructions to go to a website on which you have to fill out personal information. Never!
3. Pay attention to the language in which the phishing mail is drafted. Really look at details in the choice of words, typing errors and the construction of sentences. Errors are usually an indication that there's something "fishy" about the message.
4. Anonymity. A lot of phishing emails never indicate the name and first name of the recipient, neither in the email itself nor in the "To" field. Frequently the recipient is addressed with "Dear customer", "Dear user" or "Dear [email]". The "To" field frequently contains a group of recipients, "Undisclosed recipients".
5. If you have nonetheless clicked on a link in a message, look at the web address in the address bar at the top of your browser window, and compare that address with the official web address of the targeted institution.
Do not assume that the website is legitimate because it looks exactly like the real site. In that case it is an exact replica, made to fool you into thinking that the website is the real deal, which it is not!
So look closely at the web address in the address bar in your browser.
6. Verify that the connection with the website is encrypted (https; look for a small lock near the web address). A lot of phishing websites do not use an encrypted connection.
Never log on to an unsecured website from a wireless network.
7. If you are asked to reply by email, look closely at the email address to which your reply will be sent. Do not be fooled by the text accompanying the sender's address (From) or the reply address (Reply-To).
A lot of phishing emails have an address with a public email provider (gmail, hotmail, yahoo,...) and not with the institution itself.
8. Accounts of private persons are also abused for sending phishing emails. Their personal email address is used as the sender of such emails.
9. If you have the slightest feeling that there's something weird about a message you have received, stick to that idea and do not respond!
And certainly do not assume that it will be OK after all, because in those cases it usually isn't!
If I have received an email to which none of the above elements applies, is the message real then?
Certainly do not assume that. Chances are rather that the message you have received is not legitimate, and that it is simply a well-made phishing email.
Have you any doubt about a message you have received? Then contact the ICT-Helpdesk for advice.
What if I have responded nonetheless?
If you have communicated any information linked to your financial activities (bank number, credit card number, checksums, ...), immediately contact your financial institution.
If you have communicated details which include any of your passwords, change your passwords immediately and contact your system administrator.
How could the provided information be abused?
When you have communicated financial information, the abuse is obvious: the swindler will plunder your bank account or use up the full credit of the credit card with online purchases or through the use of a (fake) duplicate of the card.
If you have communicated access codes for email, the third party will have access to your personal emails, and the account will be used to send unsolicited emails and phishing emails; the access data can also be used to reach restricted information, such as a local Intranet or research data.
In some cases, swindlers will send an email from the abused account to all contacts in the address book, fabricating a story that you are abroad and have lost all your personal documents and money. They will then ask them to send money by wire transfer. All those who mean you well and send money will never get their money back.
Some examples of phishing
You will find a number of examples of recently received phishing emails in the Links at the bottom of this article.
Some examples of "wrong" addresses:
When clicking on the link, you will not arrive on a VUB website, even if the address indicated is a VUB address.
Do not be fooled by the fact that the address contains vub.ac.be in it. In reality the site is hosted on vubmail.myhost.com, which certainly is not a VUB server, in spite of the name vubmail being part of it.
If you respond to a message with the following sender details
From: Vrije Universiteit Brussel <email@example.com>
Reply-To: Vrije Universiteit Brussel <firstname.lastname@example.org>
From: Vrije Universiteit Brussel <email@example.com>
your reply will be sent to firstname.lastname@example.org. It will not arrive with anyone at the VUB.
The sender's address email@example.com has also been faked by the swindler to give you a (false) feeling of security.
And no, the address firstname.lastname@example.org is not managed by the VUB, in spite of having the name "vub" in it!
Here's another example:
From: Vrije Universiteit Brussel <email@example.com>
Reply-To: firstname.lastname@example.org <email@example.com>
From: firstname.lastname@example.org <email@example.com>
You may think you are replying to firstname.lastname@example.org, but in reality you will send your reply to email@example.com.
In the next example, don't be fooled because the subject says Vrije Universiteit Brussel, or because the email seems to have been sent from a VUB email address, or because the link seems to point to a VUB web address.
Subject: Vrije Universiteit Brussel veiligheidsdiensten
Update your account on webmail.vub.ac.be
All these elements are intended to gain your trust, but only so that you fall into the phishing trap.
So you need to stay alert for these messages. But honestly, by then you should already know that it is a phishing email.
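The pointers above and the address examples in this section can be turned into mechanical checks. The Python script below is an added example and is not part of the original article or of any VUB tool: it parses a constructed sample message modelled on the examples here and reports a Reply-To that goes elsewhere than the From address, a display name that names the institution while the real address does not, a hidden "To" field, a generic greeting, and links whose host merely contains the institution's name without being a subdomain of its real domain. The domain vub.ac.be, the host vubmail.myhost.com and the placeholder addresses come from the article; the message text and all function names are assumptions made for this example.

```python
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr
from urllib.parse import urlparse

# The institution's real domain, taken from the article. The message below is
# constructed for this example; its addresses are the article's placeholders.
EXPECTED_DOMAIN = "vub.ac.be"
INSTITUTION_NAMES = ("vrije universiteit brussel", "vub")

SAMPLE_PHISH = b"""\
From: Vrije Universiteit Brussel <email@example.com>
Reply-To: Vrije Universiteit Brussel <firstname.lastname@example.org>
To: Undisclosed recipients:;
Subject: Vrije Universiteit Brussel veiligheidsdiensten
Content-Type: text/plain; charset=utf-8

Dear user,

Your account will be closed in 24 hours. Update your account on
http://vubmail.myhost.com/webmail.vub.ac.be/
or reply to this email with your password.
"""


def host_belongs_to(host, domain):
    """True only when host is the domain itself or a real subdomain of it.
    'vubmail.myhost.com' and 'vub.ac.be.evil.example' both fail this test,
    even though each contains the institution's name."""
    host = (host or "").lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def real_address(header_value):
    """Return (display name, actual address) from a From or Reply-To header.
    The display name is free text chosen by the sender; only the address counts."""
    name, addr = parseaddr(str(header_value or ""))
    return name, addr.lower()


def domain_of(addr):
    """Domain part of an email address, or '' when there is none."""
    return addr.rsplit("@", 1)[1] if "@" in addr else ""


def check_message(raw, domain=EXPECTED_DOMAIN):
    """Return a list of findings for a raw RFC 822 message; [] means nothing fired."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []

    from_name, from_addr = real_address(msg["From"])
    _, reply_addr = real_address(msg["Reply-To"])
    from_dom, reply_dom = domain_of(from_addr), domain_of(reply_addr)

    # Pointer 7: the visible name proves nothing; look at the actual addresses.
    if from_dom and not host_belongs_to(from_dom, domain):
        findings.append(f"From address {from_addr} is not at {domain}")
    if any(n in from_name.lower() for n in INSTITUTION_NAMES) and not host_belongs_to(from_dom, domain):
        findings.append(f"From display name claims the institution but the address is {from_addr}")
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To sends answers to {reply_addr}, not to the From address")
    if reply_dom and not host_belongs_to(reply_dom, domain):
        findings.append(f"Reply-To address {reply_addr} is not at {domain}")

    # Pointer 4: no named recipient and a generic greeting.
    if "undisclosed" in str(msg.get("To", "")).lower():
        findings.append("To field hides the recipients (Undisclosed recipients)")
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    if re.search(r"^\s*dear\s+(customer|user|client|member|\S+@\S+)\b", text, re.I | re.M):
        findings.append("Generic greeting instead of your name")

    # Pointer 5: judge the link by its host, not by what appears in its path.
    for url in re.findall(r"https?://[^\s<>'\"]+", text):
        host = urlparse(url).hostname or ""
        if not host_belongs_to(host, domain):
            kind = "look-alike" if domain.split(".")[0] in host else "external"
            findings.append(f"{kind} link host {host} is not under {domain}")
    return findings


if __name__ == "__main__":
    for finding in check_message(SAMPLE_PHISH):
        print("-", finding)
```

Run against the constructed sample, the script reports seven findings, one per signal the article describes; a message from a real address at the institution, addressed to a named recipient and linking only to hosts under vub.ac.be, produces none. The point of host_belongs_to is that a domain name must end in ".vub.ac.be" to count: a host that merely contains "vub" or carries "vub.ac.be" somewhere in the URL path is exactly the trick the examples above illustrate.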
A final note
Don't try to be smart or curious. By responding to a phishing email, you will give away more information than you would expect.
Some unsolicited emails, phishing and others, are also drafted solely to install malware when you visit the site.
So even by clicking on a link in such an email, there is a chance that something is downloaded and activated on your computer without you being aware of it, which will allow cybercriminals to gain control over your computer. If that happens, they will also obtain access to all information that is stored on that computer, including saved passwords.
For additional details on phishing, see the Links at the bottom of this article.
BTW, email is not the only method by which criminals will try to contact you. In recent cases, victims were also contacted by phone, with the criminal pretending to be representing the institution of which the victim is a client.
If you have received phishing mails that concern you, contact your financial institution or your system administrator for confirmation.