I was very surprised to hear from a couple of clients just recently that they didn’t really know a sure-fire way to spot a ‘Phishing’ email. If you don’t already know, a Phishing email is one that arrives looking like it’s from a trusted source, but takes you somewhere else to try and milk your personal information from you. Historically, they’ve been pretty easy to spot, with Phishing examples typically being PayPal imposters and other well-known ecommerce portals. Written in pretty lousy Pidgin English and using email templates that were obviously designed in an internet cafe in a third world country, some used to be quite entertaining. But the Phishers have been investing in Rosetta Stone courses and have learned how to use spell check. Their English skills and web design ability are improving.

So how do you spot Phishing emails? They often use quite accurate replications of emails you’ll be used to receiving from your trusted sources, and the idea is that when you’re busy they’re easily overlooked. The two biggest ways to spot them rely on tools you already have, which let you dig below the surface with just the click of a mouse. First warning: don’t believe the email address of the sender. It’s easy to make an email appear to have come from anywhere. Your email program will have a way to examine the real details of the sender address. Sometimes you just need to mouse over the address and pause. If it’s not legitimate, you’ll see some obscure email address. Avoid.

[Screenshot] Typical Phishing examples. Mouse over and see the real URL…

The second way is to take that same tool and hover over a link you’re being asked to click. You’ll see the real location you will be sent to if you click. Now, here is where WordPress based website owners might recognise something. Take a look at the screen grab: ahead of the first ‘/’ in the path you’ll see ‘wp-admin’ or ‘wp-content’. Those are the folders where all of your plugins and themes live, plus your admin settings. It’s a breeding ground for hackers. People set up WordPress blogs and then forget about them. They don’t keep them up to date and, above all, they don’t know how to make them secure. The ‘wp-content’ folder can be hacked, especially if old plugins are not updated or removed. This allows the Phishers to use your site as a host to launch these campaigns.
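The two checks above (does the sender address really match where replies go, and does the link text match where the link really goes, with a WordPress ‘wp-content’ or ‘wp-admin’ path as an extra warning sign) can be automated for a mailbox or a mail gateway. The script below is an added example written for this post, not the author’s own tool. The message, the domains (blog.example, mail-recovery.example, paypal.example) and the links are all constructed for the demonstration; it uses only the Python standard library.

```python
import email
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message: dressed up as a PayPal notice, with replies and
# bounces going elsewhere and links landing on a WordPress folder on a blog.
# All addresses and hosts are invented placeholders, not real sites.
SAMPLE_EML = """\
From: "PayPal" <service@paypal.example>
Reply-To: support@mail-recovery.example
Return-Path: <bounce@mail-recovery.example>
To: you@example.org
Subject: Your account has been limited
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Please <a href="http://blog.example/wp-content/uploads/login/index.php">
click here</a> to restore access, or visit
<a href="http://blog.example/wp-admin/verify">https://www.paypal.example/</a>.</p>
<p>Help: <a href="https://www.paypal.example/help">paypal help</a></p>
</body></html>
"""

# Path fragments the post calls out as a tell-tale sign of a hijacked blog.
SUSPICIOUS_PATH_PARTS = ("/wp-content/", "/wp-admin/")


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> tag in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join(self._text).strip()))
            self._href = None


def domain_of(address_or_url):
    """Lower-case host part of an email address or URL ('' if none)."""
    if "@" in address_or_url and "://" not in address_or_url:
        return address_or_url.rsplit("@", 1)[1].strip("<> ").lower()
    return (urlparse(address_or_url).hostname or "").lower()


def analyse(raw_message):
    """Return a list of (kind, where, detail) findings for one raw email."""
    msg = email.message_from_string(raw_message)
    findings = []

    # Check 1: the visible sender versus where replies and bounces really go.
    from_dom = domain_of(parseaddr(msg.get("From", ""))[1])
    for hdr in ("Reply-To", "Return-Path"):
        value = msg.get(hdr)
        if value:
            dom = domain_of(parseaddr(value)[1])
            if dom and dom != from_dom:
                findings.append(("header-mismatch", hdr, dom))

    # Check 2: link text that looks like a URL but points somewhere else,
    # plus any destination sitting in a WordPress wp-content/wp-admin folder.
    body = msg.get_payload(decode=True).decode("utf-8", "replace")
    collector = LinkCollector()
    collector.feed(body)
    for href, text in collector.links:
        href_dom = domain_of(href)
        text_dom = domain_of(text) if "://" in text else ""
        if text_dom and text_dom != href_dom:
            findings.append(("link-text-mismatch", text_dom, href_dom))
        path = urlparse(href).path.lower()
        if any(part in path for part in SUSPICIOUS_PATH_PARTS):
            findings.append(("wordpress-path", href_dom, path))
    return findings


if __name__ == "__main__":
    for kind, where, detail in analyse(SAMPLE_EML):
        print(f"{kind:20} {where:25} {detail}")
```

A clean message produces an empty list; the sample above yields two header mismatches (Reply-To and Return-Path both on mail-recovery.example), one link whose visible text claims paypal.example while the href goes to blog.example, and two links landing under /wp-content/ or /wp-admin/. The hover-and-pause advice in the post is exactly what the link check reproduces: compare what the eye is shown with what the mail client will actually open.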

So, what do you do if you receive one? Well, you could simply mark it as spam and move on. If you’re feeling public spirited, eBay and PayPal both have an email address you can send the content to. It’s simply spoof@ and the respective name. They’ll appreciate it, as it gives them material to work with to hunt down the campaigns.

Meanwhile, be ever vigilant, and if you’re not sure, go to the ecommerce site in question and manually log in, just so that you know you’re in the right place.