While at lunch today, I received an e-mail that was purportedly from Chase — but it wasn’t. This isn’t a particularly noteworthy occurrence in that I (like most of you) receive credit card phishing attempts all the time. But this one slipped through the spam filters and it looked quite real.
The message stated that our account had been temporarily limited — a standard thing in fraud prevention — and that I needed to log in to confirm my account details. It looked real enough (on my phone, anyway) that I called my wife to see if she had used the card for anything out of the ordinary. She hadn’t.
Once I got back to work, I opened the message on my desktop and saw right away that it was a fake. For starters, the “from” address (not just the name) is plainly visible without drilling down on the desktop version of Gmail but not on the mobile interface. I was also able to hover over the link and see that it pointed to a website other than Chase.com.
But even if I hadn’t noticed it was a fake, I would’ve been fine. Why? Because I never (ever!) click links in e-mails. Instead, I go to my browser and type the address in directly (or visit from a bookmark). Or I call. Either way, I know where I’m going and who I’m talking to.
Had I clicked the link, I likely would’ve been presented with a real-looking login screen and I may have punched in my account details, thereby handing the scammers the keys to the proverbial kingdom.
So what can you do to protect yourself? For starters, never (ever!) click links in e-mails, no matter how real they look. Also pay attention to whether or not the e-mail contains any personally identifying information. Did they include a part of your account number? If not, be very suspicious. But even if they did, you’re not necessarily safe.
What about the from address? If the originating e-mail address doesn’t match the supposed sender, beware. But even if it does match, you’re not necessarily in the clear.
What about the links? In most cases you can hover over them and your browser or e-mail client will show you the underlying address. If it’s not familiar, steer clear. But once again, even if it looks vaguely familiar, it might not be legit. For example, something like chase.myawesomecard.com doesn’t point to Chase. It points to a subdomain of myawesomecard.com — which I just made up, but could very well belong to a scammer.
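To make the subdomain point concrete, here is a small added example (not from the original post) that applies the hover-and-read test mechanically: it asks whether a link's host actually belongs to the expected domain, and whether the visible link text agrees with the real target. The sample URLs are constructed, and the registrable-domain logic assumes a single-label public suffix (a simplification noted in the code).

```python
from urllib.parse import urlsplit

# Added example: judge a link by the registrable domain of its host, not by
# whether the bank's name appears somewhere in it. All URLs here are constructed.


def registrable_domain(host: str) -> str:
    """Return the last two DNS labels of a hostname, lowercased.

    Assumption/simplification: the public suffix is one label, so
    'shop.example.co.uk' would yield 'co.uk'. A production check should use
    the Public Suffix List instead.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def link_matches(url: str, expected: str) -> bool:
    """True only if the URL's host is `expected` itself or a subdomain of it."""
    host = urlsplit(url).hostname  # drops scheme, credentials, port and path
    if not host:
        return False
    return registrable_domain(host) == expected.lower()


def visible_text_misleads(text: str, href: str, expected: str) -> bool:
    """Flag a link whose displayed text claims the bank but whose target does not.

    This is the mismatch you see when hovering: the text says one thing, the
    status bar says another.
    """
    claims_bank = expected.lower() in text.lower()
    return claims_bank and not link_matches(href, expected)


# Constructed samples illustrating the post's point (expected: chase.com).
SAMPLES = {
    "https://www.chase.com/verify": True,
    "https://secure.chase.com/login": True,
    "https://chase.myawesomecard.com/login": False,  # subdomain of another domain
    "http://chase.com.account-review.example/": False,  # bank name is just a prefix
    "https://example.net/chase.com/login": False,  # bank name only in the path
}


def check_all(expected: str = "chase.com") -> dict:
    """Evaluate every constructed sample against the expected domain."""
    return {url: link_matches(url, expected) for url in SAMPLES}
```

The hover-mismatch test is the same one the post describes: if the displayed text reads like the bank but the underlying address does not resolve to the bank's domain, treat the message as suspect.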
Another thing to look at (in Gmail, at least) is whether or not the images in the message are loading. While you can click a link to tell Gmail to always load images from a certain sender, phishing messages typically come from domains from which you haven’t previously received e-mail so the images won’t automatically load.
But really, the best defense is to either call the number on the back of your card or go to your web browser and punch in the address directly. Like I said above, if you do this you’ll know exactly who you’re dealing with.