
February 08, 2006

Don’t be a Phish

Phishing is a nasty way of stealing your account IDs and passwords.  This post is about how NOT to be a phish and contains some secrets about how you can be fooled on the Internet.  The email below is an actual phishing email Mary received.


Note that the email claims to have come from PayPal and shows a return address of [email protected]. Secret #1: Anyone can put any return address he wants on email.  The return address is absolutely NOT an indication of where email came from.  This one DIDN’T come from PayPal.

Note the link that says Click here to verify your account and the other link which says https://www.paypal.com/us. If you clicked on either one of those, they would take you to a site which pretends to be PayPal.  It ISN’T.  “But surely,” you say, “I can see where the second link is taking me.  It does go to PayPal.” Secret #2: What is visible in a link and where it actually goes DO NOT have to have any relationship to each other. In fact, in the actual email (but not in this post) both of these links would take you to a bogus site whose address is  I haven’t gone there.  I suggest you not go there either.

This site will look like PayPal.  It will ask for your ID and password.  It may even ask for some other personal information.  Now someone else knows how to get into your PayPal account.  You’re a phish.

Just to show you how easy this scam is, if you click on https://www.paypal.com/us or the other link in this post, they will take you to the site of my book hackoff.com, not PayPal.  But I don’t think I’ll resort to phishing for readers.

Once you know these two secrets, it’s easy not to get caught on a phish hook.

You already know that you can’t trust either the from address or any link to be what they appear to be.  You can see where a link actually goes in Outlook email by hovering your mouse over it without clicking it, but that’s not the way to handle security.  The simple rule is this: Never, Never click on a link in an email to go to any site where you will be asked for your name and password. Never.  Don’t do it.

So suppose you get a letter like this and think it may be real, what do you do?  First of all, be skeptical.  Organizations like PayPal know about phishing so they don’t ask people to click on a link to get to the signin page.  But some other vendor might be really dumb.

If you think the email may be real and you do want to get to your account, simply type the login URL – in this case “www.paypal.com” – into the address bar of your browser.  Then you know you are going where you think you’re going. DO NOT click on a link in email to get to a signin page.  DO NOT copy the link from the email and paste it into your browser; even if it appears to read right, it may have a tiny difference that gets you where you don’t want to go.  Type the URL into your browser or use favorites that you have set up in your browser to get there.
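The two secrets above and the “tiny difference” warning in the last paragraph can be checked mechanically, which is what mail filters do behind the scenes. The script below is an added example, not code from the original post: it parses a raw email with Python’s standard library, compares the domain in the From: header with the Return-Path (Secret #1), and for every HTML link compares the host shown in the link text with the host the href really goes to, treating a name like www.paypal.com.verify-login.example as a lookalike rather than PayPal (Secret #2 and the “tiny difference”). The sample message, the hosts under .example and all function names are constructed for the example.

```python
"""Added example: mechanical checks for the two tricks the post describes.

Secret #1: From: is free text, so compare it with Return-Path.
Secret #2: link text and href are independent, so compare the host the
text shows with the host the href goes to; "paypal.com" buried inside a
longer host name is a lookalike, not PayPal. Standard library only.
"""
from email import message_from_bytes, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample, not the message from the post. Hosts under .example are reserved for documentation.
SAMPLE = b"""Return-Path: <bounce@mail.example.net>
From: PayPal <service@paypal.com>
To: mary@example.org
Subject: Please verify your account
Content-Type: text/html

<html><body>
<p>Please <a href="http://www.paypal.com.verify-login.example/">Click here to verify your account</a></p>
<p>or go to <a href="http://www.paypal.com.verify-login.example/us">https://www.paypal.com/us</a></p>
<p>Help: <a href="https://www.paypal.com/help">https://www.paypal.com/help</a></p>
</body></html>
"""


def header_domain(msg, name):
    """Lower-cased domain of the address in header `name`, or None if absent."""
    value = msg.get(name)
    if not value:
        return None
    addr = parseaddr(str(value))[1]
    return addr.rpartition("@")[2].lower() or None


def sender_mismatch(msg):
    """Secret #1. Returns (from_domain, return_path_domain, mismatch).

    A mismatch is a warning sign; a match proves nothing, since the sender
    controls both. Only the receiving server can say who really sent it."""
    frm = header_domain(msg, "From")
    rp = header_domain(msg, "Return-Path")
    return frm, rp, bool(frm and rp and frm != rp)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None  # [href, text] of the <a> being read

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = [dict(attrs).get("href", ""), ""]

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append((self._current[0], self._current[1].strip()))
            self._current = None


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def same_site(host, expected):
    """True only if host is `expected` or a subdomain of it. The registrable
    domain is the right-hand end, so www.paypal.com.evil.example does not count."""
    return host == expected or host.endswith("." + expected)


def deceptive_links(html_text, trusted="paypal.com"):
    """Secret #2. Returns (reason, visible_text, href) for each suspect link."""
    parser = LinkCollector()
    parser.feed(html_text)
    found = []
    for href, text in parser.links:
        href_host = host_of(href)
        shown = text.lower().startswith(("http://", "https://"))
        text_host = host_of(text) if shown else None
        if text_host and not same_site(href_host, text_host):
            found.append(("text/href mismatch", text, href))
        elif trusted in href_host and not same_site(href_host, trusted):
            found.append(("lookalike host", text, href))
    return found


def analyse(raw):
    """Run both checks over a raw RFC 5322 message given as bytes."""
    msg = message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("html",))
    html_text = body.get_content() if body is not None else ""
    return {"sender": sender_mismatch(msg), "links": deceptive_links(html_text)}


if __name__ == "__main__":
    for key, value in analyse(SAMPLE).items():
        print(key, value)
```

Run as-is, it reports the From/Return-Path mismatch and flags the two bogus links while leaving the genuine https://www.paypal.com/help link alone. Hovering over a link in your mail client is the manual form of the same comparison. Note that neither check is proof in the other direction: a phisher can make the headers agree and can put a real PayPal link next to a fake one, which is why the rule in this post is to type the address yourself rather than to trust any check on the email.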

That’s all you need to do to be safe from phishing.

One note: suppose a friend sends you an email with a link to an interesting website.  Should you go there?  Well, you won’t get phished if you don’t supply any account number or password.  But you also can’t be sure the email is really from your friend unless there is a personal note with content no one else would write.  And some websites can be dangerous – particularly to Windows users – even if they don’t have phish hooks. Be careful following links.
