Tricks that abuse trust

1. Establishing credibility via trusted brands
   The emails purport to be from a credible company with which the
   recipient is most likely familiar, such as eBay, PayPal, Citibank,
   or Earthlink.

2. Stealing logos, fonts, and color schemes
   Many fraudulent emails look similar to the site of the real company
   by using the company logo and similar fonts and color schemes.

3. Using legitimate URL contact points as camouflage
   Some fraudulent emails and Web sites include links to pages on the
   real site.

4. Using legitimate email contact information as camouflage
   Sometimes the email uses one of the company's email addresses,
   or at least its domain (e.g., @ebay.com, @paypal.com).

5. Using obfuscated reply addresses
   In some fraudulent emails the reply appears to go to someone
   in a credible company, but the email is actually coded to reply
   to a completely different email address.

6. Referencing secure servers and SSL without using either
   Some fraudulent emails and Web pages assure the recipient that the
   information they are submitting is secure, even though SSL and secure
   servers are not being used.

7. Using stolen HTTPS certificates and servers
   A URL that begins with "https" (instead of http) indicates
   that information is being transmitted over a secure server and the
   company has been issued a security certificate. Some fraudulent
   sites have acquired an https URL to appear as a legitimate business
   site. Other email frauds link to hacked secure servers run by legitimate
   businesses.

Tricks that prey on consumer fears and expectations

8. Using fear tactics
   The emails often try to play off the recipients' fear of
   identity theft and claim that the information is needed for security
   purposes.

9. Using call-to-action tactics
   Many fraudulent emails claim that you must reply soon or your account
   will be terminated.

10. Making requests for long lists of personal information
    Some phishing emails only ask for your user ID and password, while
    others ask for more information than any legitimate service would
    ever ask for when updating or verifying your account.

11. Using delay tactics
    The fraudulent emails or Web pages claim that it will take them
    a while to update your account and tell you to wait a specified
    amount of time, or to wait until you receive a follow-up email, before
    trying to access your account. This gives fraudsters time to use
    the stolen information before their fraudulent activity is detected.

Tricks that attempt to deceive outright

12. Providing links which differ from the actual URL
    Often the links in the fraudulent emails appear to be sending you
    to a credible company, but the URL actually sends you somewhere
    completely different.

13. Encoding fraudulent links
    Fraudulent links are often hidden by URL encoding.

14. Finishing up at a legitimate site
    After submitting information, a few of the fraudulent sites send
    you to a real company's Web site.
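Tricks 5, 12 and 13 can be checked mechanically on an incoming message: compare the Reply-To domain with the From domain, and compare the host shown in a link's visible text with the host the browser would actually connect to after percent-decoding. The following Python is an added example written for this list, not part of the original table; the sample messages, the sender names and the 203.0.113.5 address are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import unquote, urlsplit

# Simple anchor extractor; adequate for the constructed HTML bodies below.
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)

def real_host(url):
    """Host a browser would connect to: percent-encoding removed, and any
    'user@' prefix placed before the true host is discarded by urlsplit."""
    return (urlsplit(unquote(url)).hostname or "").lower()

def displayed_host(text):
    """Host implied by a link's visible text, if that text looks like a URL."""
    m = re.search(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", text.lower())
    return m.group(1) if m else ""

def phishing_indicators(raw_message):
    """Return findings for tricks 5, 12 and 13 in one RFC 822 message string."""
    msg = message_from_string(raw_message)
    from_dom = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    reply_dom = parseaddr(msg.get("Reply-To", ""))[1].rpartition("@")[2].lower()
    findings = []
    if reply_dom and reply_dom != from_dom:  # trick 5: replies are redirected
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    for href, text in ANCHOR.findall(msg.get_payload()):
        host, shown = real_host(href), displayed_host(re.sub(r"<[^>]+>", "", text))
        authority = href.split("//", 1)[-1].split("/")[0]
        if "%" in href or "@" in authority:  # trick 13: encoded or disguised link
            findings.append(f"obfuscated link {href} resolves to {host}")
        if shown and host and shown != host:  # trick 12: text and target disagree
            findings.append(f"link text shows {shown} but points to {host}")
    return findings

# Constructed sample: spoofed From, foreign Reply-To, '@' percent-encoded in the link.
SAMPLE = """From: "eBay Billing" <billing@ebay.com>
Reply-To: verify@mail-update.example
Subject: Update your account
Content-Type: text/html

<p>Your account will be suspended unless you act now.</p>
<a href="http://www.ebay.com%40203.0.113.5/login">http://www.ebay.com/login</a>
"""

# Constructed benign message: visible text and destination agree, no Reply-To.
CLEAN = """From: support@ebay.com
Content-Type: text/html

<a href="https://www.ebay.com/help">www.ebay.com</a>
"""
```

Running `phishing_indicators(SAMPLE)` yields three findings (redirected reply, encoded link, text/target mismatch), while `phishing_indicators(CLEAN)` yields none.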