
How to get that phishy smell out of Outlook


I can't think of any industry that sucks up as much creative energy as online scams. Perhaps if evildoers put their creative efforts to good, we might all be living in a golden age of technology. Instead, we inoculate ourselves almost daily against the menace that preys upon us.

As Microsoft fills and covers Outlook's security holes, you'd think the evildoers would slowly melt away. Not on your life! They just work smarter. I'm referring to phishing -- those e-mails that lure people into sharing personal and financial information. My Gmail account receives a dozen or so of these messages every week.

The problem is, phishing works. The evildoers go to great lengths to convince you that their request (or demand) is legitimate, and a lot of them make it past Outlook's junk filter. You can't really blame Outlook, though. The messages arrive with professional-looking logos and legalese that's convincing or scary. In an effort to cooperate, all you have to do is click the handy-dandy link they've so graciously provided. How kind they are!

Clicking the link takes you to an equally professional site that then asks you for credit card numbers, bank account numbers, your social security number, and so on. Unfortunately, a lot of people fall for the evildoers' schemes. At the very least, a click confirms that your e-mail is valid and working, and the evildoer sells it, over and over again.

The only real solution is to be wary of all links, even when an e-mail message looks official. If you receive a message asking you to visit a Web site, find out who's behind the message by checking the sender's e-mail through WHOIS, before you click anything! Here's how:

  1. DO NOT CLICK THAT LINK!
  2. Hover your mouse over the link and copy the domain for the address that Outlook displays. It's impossible to click inside the address box and highlight it. Just copy it down on a piece of paper. The domain is the component that precedes dot com. For instance, the domain for http://www.techrepublic.com/ is techrepublic.
  3. Point your Web browser to http://www.whois.net.
  4. Enter the domain from the e-mail's link in the WHOIS Lookup control and click Go.
  5. WHOIS will display details about the site, including the company or person who registered it.
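
Steps 2 through 4 done in code, as an added example that is not part of the original article: it pulls every link out of an HTML message body, reports the domain to enter into WHOIS, and flags links whose visible text names a different site than the address behind it. The helper names, the short suffix table and the sample message are constructed for illustration; the code returns the full registered name (techrepublic.com), read from the right-hand end of the host name.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: a tiny table of two-label suffixes; a complete check needs the Public Suffix List.
TWO_LABEL_SUFFIXES = {"co.uk", "com.au", "co.in", "com.cn"}

def lookup_domain(url):
    """Return the domain to type into a WHOIS lookup for this URL."""
    host = (urlsplit(url).hostname or "").rstrip(".").lower()
    labels = host.split(".")
    if len(labels) < 2 or labels[-1].isdigit():  # bare name or IPv4 address
        return host
    two = ".".join(labels[-2:])
    keep = 3 if two in TWO_LABEL_SUFFIXES and len(labels) >= 3 else 2
    return ".".join(labels[-keep:])

class LinkAudit(HTMLParser):
    """Collect (visible text, href) for each <a> element in a message body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def audit(html):
    """One finding per link: the WHOIS domain and whether the text hides it."""
    parser = LinkAudit()
    parser.feed(html)
    findings = []
    for text, href in parser.links:
        target = lookup_domain(href)
        # Only compare when the visible text itself looks like a host name or URL.
        is_host = "." in text and len(text.split()) == 1
        shown = lookup_domain(text if "://" in text else "http://" + text) if is_host else ""
        findings.append({"whois": target, "mismatch": bool(shown) and shown != target})
    return findings

# Constructed sample: the first link shows one site but points at another.
SAMPLE = ('<p>Verify your account: '
          '<a href="http://www.techrepublic.com.login.example.net/verify">'
          'www.techrepublic.com</a> or <a href="http://www.techrepublic.com/">our site</a></p>')
```

A link reported with `mismatch` set is one where hovering would reveal a different address than the text suggests; the `whois` value is what goes into the lookup box.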

If your e-mail's supposedly from a bank or charitable institution but is registered to some obscure company, or worse yet, an individual, out of China, India, or the moon, you'll know you've been phished. Congratulate yourself for not taking the bait.

If, after reading the registration information at WHOIS, you're still not certain, you can always call the company the e-mail is supposedly from and ask. Better yet, use a search engine to find their legitimate Web site and forward the e-mail to them.

At the risk of repeating myself, if you believe an e-mail is phishing, follow these simple guidelines to protect yourself:

  • Never open an attachment, even if it looks official.
  • Never click the provided link.

I hope no one minds this detour from my usual Office tips. Phishing's been around for a while, but it doesn't seem to be going away anytime soon. I think checking WHOIS is a good way to protect yourself when a message smells phishy.

About

Susan Sales Harkins is an IT consultant, specializing in desktop solutions. Previously, she was editor in chief for The Cobb Group, the world's largest publisher of technical journals.

20 comments
ssharkins

InfoWorld has a new article on the subject, with some interesting statistics and a new tactic.

Snak

The best way to protect yourself is by remembering that NO LEGITIMATE COMPANY WILL EVER ASK FOR YOUR PASSWORD ONLINE. Also, you should only ever type in bank or credit card details if YOU have initiated the transaction. For example, if you're buying something YOU have looked for and found. Like turning away doorstep salespeople, you should never respond to an unsolicited email from anyone requesting such personal detail AT ANY TIME. If you DO spot something you may be interested in that appears in Spam, as a previous poster said, DON'T respond to the email. Go to their site.

ajay.kumar.t

Hey tnx for the useful information. On a side note you wrote: "If your E-mail's supposedly from a bank or charitable institution, but is registered to some obscure company, or worse yet, an individual, out of China, India, or the moon, you'll know you've been phished. Congratulate yourself for not taking the bait!" I am not really sure what you meant??

The Scummy One

to deal with these emails is, as you say do not click on the link. But, I think there is a better way to determine if it is phishing. If you receive something from ebay, paypal, bank, etc., instead of clicking the link, go to the site from your normal means (shortcut, favorites, typing it, etc.). If something needs to be changed, or there is a problem, logging into the site itself will tell you about it. But, as you mention in the article, DO NOT ever use the link provided in these types of emails. For me, this is the best practice that I use. Doing the 'whois' can be confusing for many. Especially if the result returned is a company name, then one needs to find out if that company owns the company sending the email.

2rs

Thank you, Susan. I am providing your article to all of my users.

Tig2

Unfortunately, this cannot be repeated often enough. And it gets worse by the day. Timely article, Susan! Thanks!

The Listed 'G MAN'

"NO LEGITIMATE COMPANY WILL EVER ASK FOR YOUR PASSWORD ONLINE" Every time I visit Amazon and alike the site is asking for my PASSWORD - HELP!!!!!

ssharkins

I mean that a legitimate company or charity in your country probably isn't going to be registered to an individual on the other side of the world. I know in our modern world of global enterprise that this isn't an absolute statement. Also, it won't always be helpful, but it's a good place to start and it's easy. It only takes a minute to check. If the WHOIS check isn't helpful, the next step is to contact the company directly, via their legitimate web site or a phone call. Frankly, that takes more time, but it is the next logical step, if you have to take it. Most phishing expeditions can be avoided without any check by simply checking the message very carefully. If the grammar's bad or you find a typo -- it isn't legitimate. The second clue is your own response, "I didn't know I had a bank account with...." YOU DON'T!!!!!! :)

Tig2

That some countries are identified with phishing as it taints the perception. But the fact remains that China and India are indeed a source for many scams. But you can add Russia and Nigeria to the list and many more. This is not intended as a reflection on the general population of those countries. And I think that it is a problem that will iron out in time. Until then it must be acknowledged. I get a lot of legitimate mail from India. I have many friends that either live there or visit for extended periods. But the fact is that many scams originate there. Despite the great numbers of good people. This will change in time, most likely.

ssharkins

I'm glad the topic's useful to you. Thanks!

ssharkins

Unfortunately, you're right -- we just have to be vigilant and keep repeating the same warning.

ssharkins

You're absolutely right, I'm glad you thought to add that to the discussion. Thanks!

Snak

Of course - where you have an online association only, your username/password combo is your way in. I meant (as ssharkins pointed out) that companies you deal with offline (banks, telephone companies and their ilk) will not (or should not) ask for the password online.

ssharkins

I think they meant outside the context of your normal business dealings. Yes, when you visit a site and conduct business as usual, you sometimes must enter a password. However, that company won't send you an email and require you to visit their site and enter your password and other information to continue doing business with them. We're talking about phishing E-mails, not normal business transactions.

ssharkins

It reflects more on us because the scams work. :(

unhappyuser

It's almost preaching to the choir BUT it's a good article for IT people to pass on to their users. There's not a lot of techno-mumbo-jumbo that will get users lost (and they can get lost quite easily!). Good article. EMD

Tig2

It pains me to think that people I know well and cherish are painted with the perception that they cannot be trusted based on their country of origination. But somehow, we never think to take ourselves to task for our gullibility. That is exactly why articles like this are so valuable. I've printed it off to be included with my Christmas cards for the less savvy on my list. It stands as a reminder that the internet is a big place and there are some not so good people out there.

ssharkins

I'm really glad this short tip is going to be put to good use -- thanks for letting me know.
