While at lunch today, I received an e-mail that was purportedly from Chase — but it wasn’t. This isn’t a particularly noteworthy occurrence in that I (like most of you) receive credit card phishing attempts all the time. But this one slipped through the spam filters and it looked quite real.
The message stated that our account had been temporarily limited — a standard thing in fraud prevention — and that I needed to log in to confirm my account details. It looked real enough (on my phone, anyway) that I called my wife to see if she had used the card for anything out of the ordinary. She hadn’t.
Once I got back to work, I opened the message on my desktop and saw right away that it was a fake. For starters, the “from” address (not just the name) is plainly visible without drilling down on the desktop version of Gmail but not on the mobile interface. I was also able to hover over the link and see that it pointed to a website other than Chase.com.
But even if I hadn’t noticed it was a fake, I would’ve been fine. Why? Because I never (ever!) click links in e-mails. Instead, I go to my browser and type the address in directly (or visit from a bookmark). Or I call. Either way, I know where I’m going and who I’m talking to.
Had I clicked the link, I likely would’ve been presented with a real looking login screen and I may have punched in my account details, thereby handing the scammers the keys to the proverbial kingdom.
So what can you do to protect yourself? For starters, never (ever!) click links in e-mails, no matter how real they look. Also pay attention to whether or not the e-mail contains any personally identifying information. Did they include a part of your account number? If not, be very suspicious. But even if they did, you’re not necessarily safe.
What about the from address? If the originating e-mail address doesn’t match the supposed sender, beware. But even if it does match, you’re not necessarily in the clear.
What about the links? In most cases you can hover over them and your browser or e-mail client will show you the underlying address. If it’s not familiar, steer clear. But once again, even if it looks vaguely familiar, it might not be legit. For example, something like chase.myawesomecard.com doesn’t point to Chase. It points to a subdomain of myawesomecard.com — which I just made up, but could very well belong to a scammer.
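One way to automate the hover check described above, as an added example that is not part of the original post: the script below extracts the host a browser would actually connect to for each link and accepts it only when that host is the trusted domain itself or a label-wise subdomain of it. The allow-list, the sample links and the myawesomecard.com lookalike are constructed for illustration.

```python
"""Classify where the links in an e-mail really point, against a short list
of domains you actually trust.  Added example, not from the original post;
the domains and links below are constructed for illustration."""
from typing import Optional
from urllib.parse import urlsplit

# Constructed allow-list: the domain(s) the genuine sender is known to use.
TRUSTED_DOMAINS = ("chase.com",)


def registrable_host(url: str) -> Optional[str]:
    """Return the lower-cased host the browser would connect to, or None if
    the URL has no http(s) host (e.g. a mailto: or a relative link)."""
    parts = urlsplit(url.strip())
    # .hostname drops any user:password@ prefix and the :port suffix, so
    # "https://CHASE.COM@myawesomecard.com/" resolves to myawesomecard.com.
    host = parts.hostname
    if parts.scheme.lower() not in ("http", "https") or not host:
        return None
    return host.rstrip(".")


def is_trusted(host: str, trusted=TRUSTED_DOMAINS) -> bool:
    """True only if host is a trusted domain or a label-wise subdomain of one.
    A plain suffix test would wrongly accept "notchase.com"; requiring the
    leading dot prevents that, and "chase.myawesomecard.com" is rejected
    because its registrable part is myawesomecard.com."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in trusted)


def link_verdict(href: str, trusted=TRUSTED_DOMAINS) -> str:
    """'trusted', 'untrusted:<host>' or 'no-http-host' for a single link."""
    host = registrable_host(href)
    if host is None:
        return "no-http-host"
    return "trusted" if is_trusted(host, trusted) else f"untrusted:{host}"


def triage_links(hrefs, trusted=TRUSTED_DOMAINS):
    """Return {href: verdict} for every link pulled out of a message."""
    return {h: link_verdict(h, trusted) for h in hrefs}


if __name__ == "__main__":
    # Constructed sample hrefs modelled on the tricks described in the post.
    sample = [
        "https://www.chase.com/account",
        "https://chase.myawesomecard.com/login",
        "https://CHASE.COM@myawesomecard.com/login",
        "https://notchase.com/login",
        "mailto:support@chase.com",
    ]
    for href, verdict in triage_links(sample).items():
        print(f"{verdict:40} {href}")
```

The check deliberately compares whole DNS labels rather than string suffixes; that is the difference between "a subdomain of chase.com" and "a host name that happens to end in chase.com".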
Another thing to look at (in Gmail, at least) is whether or not the images in the message are loading. While you can click a link to tell Gmail to always load images from a certain sender, phishing messages typically come from domains from which you haven’t previously received e-mail so the images won’t automatically load.
But really, the best defense is to either call the number on the back of your card or go to your web browser and punch in the address directly. Like I said above, if you do this you’ll know exactly who you’re dealing with.
2 Responses to “Avoiding Credit Card Scammers”
I get those all the time – both from banks I already work with, and from those who don’t. They sound official, and look tempting, but usually are either spam or scams (guess there’s really not that much of a difference). Sometimes your real bank sends real email, but requires a login to access your account. Always be careful when it comes to emails!
Time to contact Chase and tell them to start supporting SPF (Sending Policy Framework) and/or DKIM (Domain Key Internet Mail).
These are transparent to you but allow your ISP’s mail server to authenticate that mail purporting to be from a sender (Chase) is actually the sender. In the case of DKIM it also allows your ISP’s mail server to verify that the message has not been modified.
My take is most (all?) large companies don’t use these technologies because they themselves want to be able to outsource email campaigns to third parties. So basically because (insert name of your favorite bank) wants to easily spam you they make it easy for phishers to spam you too.
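To make concrete what the commenter describes, here is an added example (not from the post, the commenter, or any bank) of the receiving side of an SPF check: the mail server takes the domain from the envelope sender, looks up that domain's SPF record, and matches the connecting IP address against it. The DNS records, domain names and IP addresses are constructed stand-ins, and the evaluator supports only the ip4, ip6 and all mechanisms; a real implementation follows RFC 7208 and also resolves include/a/mx terms over DNS. DKIM signature verification is not shown.

```python
"""Evaluate a constructed SPF record against the IP a message arrived from,
the way a receiving mail server would.  Added example, not code from the
post or from any bank; only ip4/ip6/all mechanisms are handled, so no DNS
is needed (assumption: real evaluators implement the full RFC 7208 set)."""
import ipaddress

# Qualifier prefix on a mechanism -> SPF result when that mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed DNS TXT records standing in for a real lookup.
FAKE_DNS_TXT = {
    "bank.example": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all",
    # A "+all" record lets any host send as the domain: no protection at all.
    "outsourced.example": "v=spf1 +all",
}


def parse_spf(record: str):
    """Split 'v=spf1 ip4:... -all' into (result_if_matched, mechanism, value)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    parsed = []
    for term in terms[1:]:
        qualifier = "+"  # an unqualified mechanism means "+" (pass)
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, value = term.partition(":")
        parsed.append((QUALIFIERS[qualifier], mech.lower(), value))
    return parsed


def check_spf(record: str, client_ip: str) -> str:
    """Return pass/fail/softfail/neutral for the connecting IP."""
    ip = ipaddress.ip_address(client_ip)
    for result, mech, value in parse_spf(record):
        if mech == "all":
            return result  # 'all' always matches; it is the catch-all policy
        if mech in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(value, strict=False)
            except ValueError:
                continue  # malformed network: skip the term
            if ip.version == net.version and ip in net:
                return result
        # include/a/mx/exists would need DNS; unsupported in this example.
    return "neutral"  # RFC 7208: nothing matched and no 'all' term -> neutral


def spf_for_sender(mail_from: str, client_ip: str, dns=FAKE_DNS_TXT) -> str:
    """Full receiving-side check: envelope sender -> domain -> record -> result."""
    domain = mail_from.rpartition("@")[2].lower()
    record = dns.get(domain)
    if record is None:
        return "none"  # the domain publishes no policy, so nothing can be verified
    return check_spf(record, client_ip)


if __name__ == "__main__":
    # Constructed connections: the bank's own relay, then a phisher's host.
    for sender, ip in [("alerts@bank.example", "192.0.2.7"),
                       ("alerts@bank.example", "203.0.113.9"),
                       ("alerts@outsourced.example", "203.0.113.9")]:
        print(f"{sender:28} from {ip:14} -> spf={spf_for_sender(sender, ip)}")
```

The last two lines of the sample run show the commenter's point: a domain with a strict "-all" policy lets the receiver reject a forged sender outright, while a domain that opens its record to everyone gets a "pass" for the phisher too.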