
Protecting Your Banking Information

(Pointers on how to recognize and neutralize phishing scams)


Many mischievous schemes have been concocted by callous criminals to steal other people’s hard-earned money. In our modern world, crooks no longer need force to acquire other people’s assets; they are far more subtle. At times, the victims don’t even notice that money has left their accounts without authorization. Criminals find ways to access banking and investment information and then impersonate the victim. It’s easy: you don’t even have to look like the victim once you have acquired their confidential electronic access information.


One method that arose in the 1990s to get at confidential information is called “phishing.” When using this method, a criminal sends out an electronic message, such as an email or a text message, that pretends to come from a trustworthy sender, for example the recipient’s bank. The criminal then tries to get the recipient of the message to share confidential information, such as access codes to a bank account.


In a typical phishing example, an email informs an individual that there is a problem with the individual’s bank account. Since resolving the issue is of absolute urgency and in the best interest of the individual, the email conveniently offers a link to the bank’s login portal. When clicking the link, the person is taken to a website that looks like the bank’s website, but in reality is a fake. When the individual enters the login information on that fake website, the criminal can now see the confidential username and password of the individual.


Many of these phishing attempts have been relatively easy to spot because of giveaways like misspellings, faulty grammar or otherwise suspicious text, or because the spam filter recognized the target website as illegitimate and blocked it. But phishing criminals are getting more and more sophisticated. Some hack into a legitimate website and host their fake landing page there, borrowing that site’s good reputation. That way, the landing page looks legitimate and does not raise red flags.


These emails often play on people’s fears by pretending to protect the recipient from criminals. They may even include good advice such as urging the reader to keep anti-virus software up-to-date and to immediately report phishing scams.


To help you avoid falling victim to such phishing scams, here are some useful tips:

  • Do not click on links in emails

    To protect their customers from phishing scams, most banks no longer email links to their websites. So if you receive an email from your bank that urges you to click on a link, chances are the email is not from your bank. A link can look legitimate, such as “mybank.org,” but the link can be configured to take you to a completely different site, such as “we-will-steal-your-money.com.” So even if you recognize the correct address in the email’s link text, it is safer to copy that visible text and paste it into the browser’s address bar (or type it in yourself) instead of clicking on the link itself.

  • Ensure “https” precedes the address

    Once you are on your financial institution’s website, before logging in, make sure the address in the address bar at the top of your screen starts with https. The “s” at the end is very important: it tells you that the connection to the site is encrypted. You may also see a padlock in the address bar. By clicking on the padlock symbol, you can compare the name on the certificate with the address in the address bar to ensure that you are really on the right site. After all, even secure sites can get compromised.

  • If in doubt, pick up the phone

    If there is even the slightest doubt on whether an email is a legitimate communication from your financial institution, pick up the phone and call to verify.

  • Get in the habit of double checking

    Every time you are asked to enter sensitive data, like a password or your social security number, you should double check whether everything looks legitimate. As a starting point, review the points above.

  • Use a simple check

    This simple check may not always work, but if you are concerned that a financial institution’s website may be a disguised phishing site, purposely type in a wrong password. A legitimate website will typically tell you that the password is incorrect. A fake website may accept the wrong password and then inform you of some technical difficulty that prevented you from logging in successfully, asking you to come back later and try again. It may even offer a link urging you to try again, and clicking that link may take you to the legitimate website, so that you never suspect you just fell victim to a phishing scam. So if a deliberately wrong password is accepted, you know you are on a fake site.
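The first two tips above (a link whose visible text does not match its real destination, and an address that does not start with https) can be checked automatically before anyone clicks. The Python script below is an added example written for this page, not code from the original article or from its cited source. The HTML email body it scans is constructed for the example, and the domain names in it (mybank.org, we-will-steal-your-money.example) are placeholders, not real sites. It uses only the standard library.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample of a phishing-style HTML email body (placeholder domains, not a real message).
SAMPLE_EMAIL_HTML = """
<p>Dear customer, we detected unusual activity on your account.</p>
<p>Please <a href="http://we-will-steal-your-money.example/login">mybank.org</a>
to restore access, or visit <a href="https://www.mybank.org/help">our help page</a>.</p>
<p>Questions? Visit <a href="https://mybank.org">https://mybank.org</a>.</p>
"""


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element in an HTML document."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None   # href of the anchor currently being read, or None
        self._text = []     # text fragments seen inside that anchor

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Crude owner-domain guess: the last two labels (www.mybank.org -> mybank.org).
    Sufficient for this example; a production tool would consult the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def text_looks_like_address(text):
    """True when the visible link text itself resembles a URL or a bare domain name."""
    t = text.strip().lower()
    if t.startswith(("http://", "https://", "www.")):
        return True
    # A bare domain such as mybank.org: a single token containing a dot, no empty labels.
    return " " not in t and "." in t and all(part for part in t.split("."))


def analyze_links(html):
    """Return one finding per link: its href, its visible text, and a list of issues.

    Issues raised (defensive checks matching the tips in the article):
      - "not https": the destination is not an encrypted https address.
      - domain mismatch: the visible text names one site but the href goes to another.
    """
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        target = urlparse(href)
        issues = []
        if target.scheme != "https":
            issues.append("not https")
        if text_looks_like_address(text):
            shown = text.lower()
            if not shown.startswith(("http://", "https://")):
                shown = "https://" + shown          # give urlparse a scheme so it finds the host
            shown_host = urlparse(shown).hostname or ""
            if registrable_domain(shown_host) != registrable_domain(target.hostname or ""):
                issues.append(f"text says {shown_host} but link goes to {target.hostname}")
        findings.append({"href": href, "text": text, "issues": issues})
    return findings


if __name__ == "__main__":
    for finding in analyze_links(SAMPLE_EMAIL_HTML):
        status = "SUSPICIOUS" if finding["issues"] else "ok"
        print(f"{status:10} {finding['text']!r} -> {finding['href']}")
        for issue in finding["issues"]:
            print(f"           - {issue}")
```

Run on the sample, the first link is flagged twice (plain http, and the visible text “mybank.org” pointing at a different domain), while the two genuine links pass. A link whose text is ordinary words (“our help page”) cannot be compared against its destination, so the script only checks its scheme; that is exactly why the article’s advice to type the address yourself still matters.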

Remember to constantly guard your electronic access information. It is an acquired frame of mind. We don’t pretend to be experts in this field, but wanted to share a few pointers that have helped us in the past.



Source: Paul Ducklin, Anatomy of a phish - how crooks hack legitimate websites to steal your details, nakedsecurity, January 28, 2013.