The DU Lounge
Something I don't understand. Re: Phishing schemes.
For the past 20 years or so, we have had it drilled into our heads that we are to NEVER click on a link directly from an email. This is because the sender of the email may actually not be your credit union, or your broker, or Amazon, or whomever. The sender may actually be spoofing the colors, format and overall design of the legitimate organization, and when you click on the link or button provided in an email, it takes you to another spoofed site, where you end up providing your personal information to some unknown entity, who then steals your info.
Last week, I received an email that appeared to be from my broker. It looked perfectly legitimate. I forget what they were asking me to do, but in order to do it, you had to click on a button within the email. I didn't click it, but rather, I phoned my broker to see if the email was legitimate. I confirmed it was indeed legitimate, so I went on a polite rant with the customer service person, and asked him to escalate my complaint up the chain of command. Something like "You guys send me several emails monthly which tell me to be cautious about potential phishing schemes, and then you send me an email that asks me to blindly click on a button, without providing a link. What you should be doing instead is instructing me to sign into my account, and you should provide guidance on what to click on once I'm in my account as to where to find the information you are telling me about in your email".
Exact same thing with my credit union this morning. Loan offer. Click the button within the email. I called them as well, and gave them the same speech.
What am I missing here? It seems that some institutions have started doing this relatively recently.
Phoenix61 (17,006 posts)
It doesn't matter what the name is; what matters is what shows when you click on the From link.
LuckyCharms (17,444 posts)
that looks legitimate, but it isn't. No?
emulatorloo (44,131 posts)
Your email program has a way for you to see the sender's actual email address.
LuckyCharms (17,444 posts)
what I am saying is that the email address could look legit, but isn't.
I think a test as suggested by teach1st down thread is a good idea.
emulatorloo (44,131 posts)
Company's real address: whammy.com
Fake address: whammy.net
Phoenix61 (17,006 posts)
it shows the e-mail address of the sender.
For example, I got an e-mail
From: Noreply
To : (my e-mail address)
The text has the PayPal logo and under it is a confirmation number and under that is the date.
Some more text thanking me for my order
that I never made.
So I click on the From and it's really from gillybenson2@gmail.com.
Obviously not from PayPal.
relayerbob (6,544 posts)
It's quite easy to confirm whether an email is coming from a legit account. I get hundreds of emails a day, and many of them have buttons to click through to something they are trying to do. Being cautious doesn't require freaking out over every button in every email. Nothing new. Check the source, and if it doesn't seem legit, call, or email to check. Otherwise, most major corporations have phishing@companyemailname.xxx places to send crap to. Use them.
LuckyCharms (17,444 posts)
but what I am doing is pointing out some irony.
My broker is not Vanguard, but let's assume it is. Let's say their legitimate web site is Vanguard.com. I receive a non-legitimate email from marketing.vanguard@xxxx.com. I click on a link within that email, which takes me to a spoofed URL of marketing.vanguard.com.
Could that be a legitimate URL? Maybe, maybe not.
Farmer-Rick (10,185 posts)
I got a call from my bank asking for my password. I hung up and called their office number. Turns out they had called me to warn me of some suspicious activity on my card. I told them why I hung up. They agreed that was a smart move, but the next time, they did the same thing.
I will continue to hang up on them and call the number I know. But it's weird that they do what they say they won't do.
teach1st (5,935 posts)
Companies that warn about phishing and then send button links aren't thinking. You mentioned the best practice: companies should tell you to log into your account and then once you're in, should display a prominent link to whatever it is they want you to do. Some do that. Some don't.
If you use Gmail, you can click on the three dots to the right of the reply button near the top. Then choose "Show Original." The full headers of the email show up in a new tab, making it fairly easy to see who the email is really from. In addition, the headers include some security tests like this:
DKIM: 'PASS' with domain washingtonpost.com Learn more
DMARC: 'PASS' Learn more
Exercise caution should one of the tests FAIL, even though that doesn't necessarily mean it's a bogus email. Most email clients allow the user to see the full headers.
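The checks discussed in the posts above (the real From address versus the display name, the DKIM/DMARC results in the full headers, and the whammy.com versus whammy.net lookalike) can be done in code. This is an added example, not part of any post in the thread; the sample messages are constructed, and `mx.example.net`, `same_org` and `triage` are assumed names.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample messages (not real mail). "whammy.com" is the example
# domain used in this thread; mx.example.net is a placeholder receiving server.
LEGIT = """\
Authentication-Results: mx.example.net;
 dkim=pass header.d=whammy.com;
 dmarc=pass header.from=whammy.com
From: Whammy Alerts <alerts@whammy.com>
Subject: Your statement is ready

Body
"""
LOOKALIKE = """\
Authentication-Results: mx.example.net;
 dkim=pass header.d=whammy.net;
 dmarc=pass header.from=whammy.net
From: Whammy Alerts <alerts@whammy.net>
Subject: Your statement is ready

Body
"""

def same_org(domain, expected):
    """True only for the expected domain itself or one of its subdomains."""
    domain, expected = domain.lower().rstrip("."), expected.lower()
    return domain == expected or domain.endswith("." + expected)

def triage(raw, expected_domain):
    msg = message_from_string(raw)
    # The display name is free text chosen by the sender; the address is what counts.
    display, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2]
    # Verdicts recorded in the headers; a method with no verdict reports "none".
    auth = " ".join(msg.get_all("Authentication-Results") or [])
    results = {m: "none" for m in ("dkim", "dmarc")}
    for method, verdict in re.findall(r"\b(dkim|dmarc)=(\w+)", auth, re.I):
        results[method.lower()] = verdict.lower()
    return {
        "display_name": display,
        "address": addr,
        "dkim": results["dkim"],
        "dmarc": results["dmarc"],
        "domain_matches": same_org(from_domain, expected_domain),
    }
```

The lookalike message passes both DKIM and DMARC, because those tests only confirm that the domain in the From address authorized the mail, not that it is the domain you expected. Only an `Authentication-Results` header added by your own mail provider should be trusted, since a sender can include a forged one.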
LuckyCharms (17,444 posts)
Thanks!
yellowdogintexas (22,264 posts)
spam emails are often long strings of nonsensical numbers and letters. Check the box on the left and hit the spam button.
I sometimes get 2 or 3 daily from McAfee.
Another clue is the font used in the subject line. You might see an assortment of font shapes, bolding, etc.
grumpyduck (6,240 posts)
is to just go to their web site and log in.
I don't have a clue why some companies do this, but my wild guess is a lack of internal communication or a lack of proper training.
Lettuce Be (2,336 posts)
Do not send clickable links, ever, should be the holy grail of all banking, investment and probably many more companies. When they do, I still refuse to use them, and usually send a comment complaining about it.
malthaussen (17,202 posts)
That's my guess. The security wogs are all exiled to the basement office with no carpets, because they don't create revenue. Meanwhile, those who do create revenue have the plush offices on the 96th floor, and they come up with all the "great" ideas to "simplify" your experience and generate still more revenue. It wouldn't occur to them to run these ideas past the slobs in the basement.
-- Mal
dickthegrouch (3,174 posts)
Put it into the spam or junk folder before opening it. At least Outlook and the Xfinity mail browser reader disable and reveal all links in the mail if it's in that folder. Then you can decide if you like them and move them back to the regular folder if you wish.
For users of the Xfinity mail in a regular browser: there are three horizontal bars which allow "more actions", one of which is "View source". It is very useful if you're sending complaint mail to abuse@domainname to include those headers so they can trace the source and disable the account.
Skittles (153,169 posts)
a contractor complained that none of us had followed instructions in an email - but, we weren't familiar with him, it essentially said click this link and follow directions, there was even a spelling error. EVERYONE deleted.