Financial institutions will NOT ask you for personal information by email
Have you been a victim of an internet scam of any type? Please contact us with any information you may have.
We have all gotten those pesky emails from what appears to be a legitimate bank telling us that our account information needs to be updated. The email will provide a link telling us that we need to click through, sign into our account, and update. This is called "phishing", which is an attempt to get you to respond with personal information — like fishing with bait on a hook.
Here is an example of a fake email sent to me just this morning. It claims to be from Paypal telling me that my account has been suspended. First off, if I have any doubt, I will go directly to the Paypal website and login. Notice that there is a "Login" link on this email. First of all, Paypal (or any legitimate bank for that matter) would NEVER ask you to click a link in an email and login at the resulting login page. In the email here, that is exactly what the crooks are trying to do.
Tip: Never use Western Union to pay for online purchases or for an advance fee loan.
Login Buttons and Phony Website Destinations
In this screenshot, we have placed the cursor (hand) over the "Log In" link. When you do this (called "mousing over" the link), it displays the link destination in the address bar at the very bottom of the browser. Look at the address displayed. It is fake and does not indicate Paypal. That is an indicator that this is a fraud since Paypal’s website is paypal.com. We also want to mention here that more and more phishers are starting to use similar domains to make you think that it is legit. For example, they may use something that looks similar to Paypal’s website address, with a slight variation that may be difficult to detect. So, under no circumstances should you click any "log in" buttons inside an email sent to you, regardless of how similar it looks to the real website or it’s domains. Once you attempt to login, and you enter your information, it gets sent to the crooks. They then know your login at Paypal or your bank.
Figure 1: Snapshot of a fake email phishing for Paypal login information. Email subject line: Your account has been temporarily suspended.
Poor Grammar and Spelling
Notice in the following example how they make the mouse-over URL look more serious (with "security" in it). Don’t fall for it. Do not click on it. Here, they try to convince you that your billing information needs to be updated. The phishers have not even made the effort to get the grammar correct, though they are normally quite meticulous about making sure it looks authentic. Don’t assume that if an email is perfect, in appearance, grammar, letterhead, etc, that it is legit.
Figure 2: Snapshot of a fake email phishing for Paypal login information. Email subject line: You’re Billing Information (of course this is poor grammar — it should be "Your Billing Information", not "You’re" which means "You are".
When In Doubt, Don’t Click!
If you get an e-mail asking for your account information to update the "company records," do NOT reply and do not click on any of the links. If you do accidently click a link, do not try to login (if the link takes you to a login page — even if it looks professional). That login page is the phishing lure. When you type in your login and password, the phishers will assume that is the login and password to the account you thought you were accessing. They then have all of your account information at their disposal.
Figure 3: Snapshot of a fake email phishing for Chase Bank log in information. Email subject line: Please restore your account.
Notice that our cursor (hand) is hovering over the chase.com link. But the visible link that shown is just visible text. It doesn’t necessarily say anything about where the link is actually taking you. With the cursor hovering, you can see the REAL destination in the bottom of the browser. This should be suspicious from the beginning, as it is NOT a Chase domain or IP. Furthermore, you should already know based on previous examples that you should simply delete this email and not fail victim to its somewhat-convincing message.
Remember, If you need to work in your bank account, just go directly to their website using the published URL/domain, by typing it directly into your browser. You can then login to your accounts and see that everything is most likely just fine. Had you logged in at the fake URL in the email, the phishers would now have your Chase account login information to use along with your personally-identifying information. Whew.
- Do not click on any links in an email sent by someone you don’t know
- If you accidentally click an link in a website, do not enter a requested username or password (even if it looks legit) on an apparent "login" page. This is true for anything that looks like it is from a bank, credit card company, AOL, Paypal, and social networks such as Facebook, Twitter, Instagram, or LinkedIn just to name a few.
- Close the email and click "delete"
- If you have any doubt that your bank account needs "updating", just go directly to their website and login; never do this from an email link no matter how convincing or real it seems.
Some of this is redundant, but it is worth mentioning again!
Simply delete the any emails that seem to encourage you to click a link, or login to an account. If you have to update your account information for an online service that you use, always do it through the master corporate web site, never via an e-mail link. If you have any concern that the email may have been legitimate, simply close the email, and go directly to the bank/creditor website. Or, call the bank and speak to a representative. It is better to be safe than sorry when it comes to your credit.
Legitimate financial institutions will never send e-mails to customer asking for passwords, credit card numbers, or sensitive account information. When your bank sends you an email, the message will have a header at the top with your first name, last name, and the last four digits of your account number, but they will never ask you to type personal information into a pop-up window nor will they send you an email asking you to verify your account information online. Again, just go straight to the corporate website by entering the address directly into the browser and sign in there to make any modifications or view your account activity.
Beware also of a call from a company’s “help desk agent” seeking your logon and password to fix a problem on your system. No legitimate company would ask you for this kind of information this way. There are several computer viruses that can hide in computer software and destroy computer resources. Make sure your computer is protected from viruses and trojans by using a reputable program. Scan your hard drive routinely to check for malicious attacks.
As always, delete e-mail messages from people you don’t know and avoid surfing to inappropriate websites. Do not install software on your home systems that you have not specifically requested yourself from a reliable source. Keys to recognizing malicious e-mail messages are spelling and grammar errors as well as what information is requested. Use your common sense, and avoid opening anything that looks suspicious.
America Online has been providing disclaimers for years that AOL representatives will never ask you for your username (AIM). This rule of thumb should also be applied to banks and creditors. No legitimate bank will EVER send you an email asking you to sign in and update records via a link in the email. You can always go straight to their website and update your account information directly.
Maybe we have gone over board here, but we are trying to grab your attention to this rapidly growing problem. So many people naively click links inside emails and give away their account information. You can go along way toward protecting your identity by using some common sense.