Beware of login links in emails
Date: Dec 14, 2015
Guest Post: Paul Ducklin, Sophos.
You’ve heard of phishing.
It’s where crooks “fish” for personal details you wouldn’t give them if they asked outright – information such as date of birth, ID number, login name, password, bank account number and so forth.
Most phishing happens by email, and the process is surprisingly simple and effective.
The crooks send you a lure, such as free stuff (like an iPhone), or a warning (like suspicious activity on your bank account), or a scare (like an invoice for an iTunes purchase you know you didn’t make).
The email’s goal is to get you to take action right away…
…and it handily provides a clickable link for the purpose, which takes you to a signup page (to register for the iPhone), or a login screen (for internet banking), or an account summary page (to contest the fraudulent purchase).
So you willingly, if imprudently, enter your personal details, your password, and so on, and click [Submit].
Only then do you find out that you just submitted the web form to a bunch of crooks instead of to the real site.
With a bit of care, you can usually spot a fake web page fairly easily, for example because the website name in the address bar will be wrong, or the web page will be unencrypted (no padlock), or simply because it “looks a bit dodgy.”
But here’s an even easier way to protect yourself: don’t click login links in emails in the first place!
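The tells listed above (wrong website name, no padlock, a link whose text names one site while it points at another) can also be checked mechanically on the links inside an email before anyone clicks. The following Python is an added example, not code from the original post or from Sophos: it parses a constructed sample email and reports each link that fails one of those checks, with all domains and the trusted-domain list being placeholders.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse
# Link text that itself looks like a web address, e.g. "www.bank.example" or "https://bank.example/login".
_DOMAIN_IN_TEXT = re.compile(r"^(?:https?://)?([A-Za-z0-9.-]+\.[A-Za-z]{2,})(?:[/?#]\S*)?$")

class _LinkCollector(HTMLParser):  # collects (href, visible text) for every <a> in an HTML email body
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = (dict(attrs).get("href") or ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None

def registrable_domain(host):
    return ".".join(host.lower().split(".")[-2:])  # simplified: ignores multi-label suffixes such as co.uk

def check_login_links(html, trusted_domains):
    """Return the links a reader should not click, with the reason each check fired."""
    parser = _LinkCollector()
    parser.feed(html)
    trusted = {d.lower() for d in trusted_domains}
    findings = []
    for href, text in parser.links:
        url, reasons = urlparse(href), []
        host = url.hostname or ""
        if url.scheme != "https":                    # the "unencrypted (no padlock)" check
            reasons.append("destination is not HTTPS")
        if registrable_domain(host) not in trusted:  # the "website name ... will be wrong" check
            reasons.append(f"destination {host!r} is not a trusted domain")
        shown = _DOMAIN_IN_TEXT.match(text)          # text names one site while href goes to another
        if shown and registrable_domain(shown.group(1)) != registrable_domain(host):
            reasons.append(f"link text shows {shown.group(1)!r} but goes to {host!r}")
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings
# Constructed sample email body; every domain is a placeholder, not a real site.
SAMPLE_EMAIL = """<p>Suspicious activity was detected on your account. Please review it at
<a href="http://secure-login.example-bank.verify-account.example.net/login">www.example-bank.example</a> or use
<a href="https://www.example-bank.example.attacker.example/login">https://www.example-bank.example/login</a>.</p>
<p><a href="https://www.example-bank.example/help">Help centre</a></p>"""
def scan_sample():  # runs the checks over the constructed email, trusting only the placeholder bank domain
    return check_login_links(SAMPLE_EMAIL, ["example-bank.example"])
```

Run against the sample, the first two links are flagged (the plain-HTTP one for all three reasons, the look-alike subdomain for two) while the genuine help link passes.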