Identify fraudulent e-mail and phishing schemes

Applies to
Microsoft Office Outlook® 2003
Microsoft Outlook® 2000 and 2002

Con artists have been around since time began, and now that we are in the Internet Age they are on the Web preying on unsuspecting online consumers. Online fraud is on the rise, and the techniques for creating deceptive e-mail messages and Web sites are getting more sophisticated. Learn more about what you can do to help protect yourself from online fraud.

What is online fraud or phishing?

Phishing (pronounced “Fishing”) is an online fraud technique used by criminals to entice you to disclose your personal information. Phishing is the fastest rising online crime method used for stealing personal finances and perpetrating identity theft.

Phishers use many different tactics to lure you, including e-mail and Web sites that mimic well-known, trusted brands. A common phishing practice involves "spamming" recipients with fake messages that resemble a valid message from a well-known Web site or a company that the recipients might trust, such as a credit card company, bank, charity, or e-commerce online shopping site. The purpose of fake messages is to trick consumers into providing the following personal information:

Criminals use this information in many ways for financial gain. For example, a common practice is identity theft, whereby the criminal steals your personal information, takes on your identity, and can then do the following:

  • Apply for and get credit in your name.
  • Empty your bank account and max out your credit cards.
  • Transfer money from your investment or credit line accounts into your checking account, and then use a copy of your debit card to withdraw cash from your checking account at ATMs around the world.

For tips on how to avoid being the victim of online fraud, see the Best practices to help protect yourself from online fraud section later in this article.

Examples of phishing schemes

Some examples of phishing schemes include:

  • Fake e-mail messages that appear to be from a company you do business with, warning you that they need to verify your account information or your account will be suspended.
  • A combination of auction fraud and fake escrow sites. This occurs when items are put up for sale at a legitimate online auction to lure you into making payments to a fake escrow site.
  • Fake online sales transactions, whereby a criminal offers to buy something from you and proposes to pay an amount well over the price of the item. In return, they ask you to send them a check for the difference. The payment to you never arrives, but your check is cashed, and the criminal pockets the difference. Additionally, the check that you send carries your bank account number, bank routing code, address, and phone number.
  • Fake charities asking you for money. Unfortunately, many criminals take advantage of your goodwill.

There are many more phishing schemes out there. For an up-to-date report on phishing schemes that authorities have uncovered, visit the Anti-Phishing Working Group Web site.

How can I tell if an e-mail message is a fraud?

Unfortunately, as phishing attacks become more sophisticated, it is very difficult for the average person to tell if a message is fraudulent. That is why phishing schemes are so prevalent and successful for criminals. For example, many phony e-mail messages link to real company logos of well-known brands. However, there are things you can be on the lookout for:

  • Requests for personal information in an e-mail message    Most legitimate businesses have a policy that they do not ask you for your personal information through e-mail. Be very suspicious of a message that asks for personal information even if it might look legitimate.
  • Urgent wording    Wording in phishing e-mail messages is usually polite and accommodating in tone. It almost always tries to get you to respond to the message or to click the link that is included. To increase the number of responses, criminals attempt to create a sense of urgency so that people immediately respond without thinking. Usually, fake e-mail messages are NOT personalized, while valid messages from your bank or e-commerce company generally are. The following is an example from a real phishing scheme:

Dear valued bank member, it has come to our attention that your account information needs to be updated due to inactive member, frauds, and spoof reports. Failure to update your records will result in account deletion. Please follow the link below to confirm you data.

Masked link

  • Be aware of URLs that include the @ sign. In the following example, the URL would take you to the location that comes after the @ sign, not to Wood Grove Bank. This is because browsers ignore anything in the URL that comes before the @ sign (it is treated as a user name, not as the site address):

https://www.woodgrovebank.com@nl.tv/secure_verification.aspx

The real location, nl.tv/secure_verification.aspx, could easily be an unsafe site.

  • Another common technique that has been used is a URL that at first glance is the name of a well-known company but on closer scrutiny is slightly altered. For example, www.microsoft.com could appear instead as:

www.micosoft.com

www.verify-microsoft.com

www.mircosoft.com

Microsoft has recently won several lawsuits against individuals who have used these types of URLs to spoof legitimate Microsoft properties. However, the practice remains pervasive and is often protected by national boundaries.
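As an added example (not part of the original article), the following Python checks a link the way the two bullets above describe: it recovers the host a browser would really connect to, flags an @ decoy, and compares the real host against a constructed allow-list for near-miss spellings and embedded brand names. The TRUSTED list and the edit-distance threshold of 2 are assumptions.

```python
from urllib.parse import urlsplit

# Constructed allow-list: the sites this user actually does business with (an assumption).
TRUSTED = ("www.woodgrovebank.com", "www.microsoft.com")

def real_host(url: str) -> str:
    """Host the browser really connects to: text before '@' is user-info, not the site."""
    return (urlsplit(url).hostname or "").lower()

def decoy_before_at(url: str):
    """The brand-looking text placed before '@' in the address, or None if there is none."""
    netloc = urlsplit(url).netloc
    return netloc.rpartition("@")[0] if "@" in netloc else None

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches dropped or swapped letters such as micosoft/mircosoft."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(host: str):
    """Trusted host that `host` imitates (near spelling, or brand embedded in a label), else None."""
    for trusted in TRUSTED:
        if host == trusted:
            continue
        brand = trusted.split(".")[-2]          # "microsoft" from www.microsoft.com
        if edit_distance(host, trusted) <= 2 or any(brand in label for label in host.split(".")):
            return trusted
    return None

def classify(url: str) -> str:
    """Verdict for a link found in a message."""
    host = real_host(url)
    decoy = decoy_before_at(url)
    if decoy is not None:
        return f"masked: '{decoy}' is a decoy, the real host is {host}"
    if host in TRUSTED:
        return "trusted"
    imitated = lookalike_of(host)
    if imitated:
        return f"lookalike of {imitated}"
    return "unknown host"
```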

Other kinds of images placed in e-mail messages can be linked to a spammer's server and act like Web beacons (web beacon: An embedded object in a webpage or email message usually connected to a graphic that might be invisible to the user. It can be used to verify that your email address is valid because when you view the message, images with the web beacon are downloaded from a tracking web server.). When you open the e-mail message, the images are downloaded and information is passed back to the server. This information is used to verify that your e-mail address is valid, which makes it likely that you will be spammed again. Outlook by default automatically blocks these kinds of external images. For more information, see About protecting your privacy by blocking automatic picture downloads.

How can I tell if a Web site is a fraud?

Similar to fraudulent e-mail messages, faked Web sites contain convincing logo graphics and Web links. This makes it hard to tell if they are fraudulent. The best strategy is to not click on links in suspicious messages. Some things to look for that legitimate Web sites should have are as follows:

 Important   Note that https:// is sometimes faked in links, such as in the "masked link" example shown in the Fake Links section.


To learn more about the certificate, click the Details tab. If you're not sure whether a certificate is legitimate, don't enter any personal information. Play it safe and leave the Web site. To find out more ways to determine if a site is secure, read How Internet Explorer helps keep your data safe.

Best practices to help protect yourself from online fraud

  • Never reply to e-mail messages that request your personal information    Be very suspicious of any e-mail message from a business or person that asks for your personal information — or one that sends you personal information and asks you to update or confirm it. Instead, use the phone number from one of your statements to call; do not call a number listed on the e-mail message. Similarly, never volunteer any personal information to someone who places an unsolicited call to you.
  • Don't click links in suspicious e-mail    Don't click a link contained in a suspicious message. The link might not be trustworthy. Instead, visit Web sites by typing their URL into your browser or by using your Favorites link. Do not copy and paste links from messages into your browser.
  • Use strong passwords and change them often     If your account allows them, strong passwords combine uppercase and lowercase letters, numbers, and symbols, which make them difficult for other people to guess. Don't use real words. Use a different password for each of your accounts and change them frequently. It's hard to remember all those passwords. For tips on creating strong passwords and how to remember and store passwords securely, see Creating stronger passwords.
  • Don't send personal information in regular e-mail messages    Regular e-mail messages are not encrypted and are like sending a post card. If you must use e-mail messages for personal transactions, use Outlook to digitally sign and encrypt messages by using S/MIME (S/MIME: Secure Multipurpose Internet Mail Extensions (S/MIME) is a specification for secure email messages that uses the X.509 format for digital certificates and uses various encryption algorithms such as 3DES.) security. Outlook Express, Microsoft Office Outlook Web Access, Lotus Notes, Netscape, and Eudora all support S/MIME security.
  • Do business only with companies you know and trust    Use well-known, established companies with a reputation for quality service. A business Web site should always have a privacy statement that specifically states that the business won't pass your name and information to other people.
  • Make sure the Web site uses encryption    The Web address should be preceded by https:// instead of the usual http:// in the browser's Address bar. Also, double-click the lock icon on your browser's status bar to display the digital certificate for the site. The name that follows Issued to in the certificate should match the site that you think you're on. If you suspect that a Web site is not what it should be, leave the site immediately and report it. Don't follow any of the instructions it presents.
  • Help protect your PC    It is important to use a firewall, keep your computer updated, and use antivirus software, especially if you connect to the Internet through a cable modem or a digital subscriber line (DSL) modem. For information on how to do this, visit Protect your PC. For additional information on virus protection, see Best practices for protection from viruses, and Best practices to help prevent spam. You should also consider using anti-spyware software. You can download Microsoft anti-spyware or use a third-party product available from the security software downloads and trials site.
  • Monitor your transactions    Review your order confirmations and credit card and bank statements as soon as you receive them to make sure that you're being charged only for transactions you made. Immediately report any irregularities in your accounts by dialing the number shown on your account statement. Using just one credit card for online purchases makes it easier to track your transactions.
  • Use credit cards for transactions on the Internet    In most locales, your personal liability in case someone compromises your credit card is significantly limited. By contrast, if you use direct debit from your bank account or a debit card, your personal liability frequently is the full balance of your bank account. In addition, a credit card with a small credit limit is preferable for use on the Internet because it limits the amount of money that a thief can steal in case the card is compromised. Better yet, several major credit card issuers are now offering customers the option of shopping online with virtual, single-use credit card numbers, which expire within one or two months. For more details, ask your bank about perishable virtual credit card numbers.

How do I report online fraud and identity theft?

If you believe that you have received fraudulent e-mail messages or have been the victim of online fraud, you can report the problem to the following groups:

  • FBI    The FBI's Internet Fraud Complaint Center (IFCC) works worldwide with law enforcement and industry to promptly shut down phishing sites and identify the perpetrators behind the fraud.
  • FTC     If you believe that your personal information has been compromised or stolen, you should report the circumstances to the FTC's National Resource for Identity Theft and visit their site to learn how you can minimize the damage.
  • Attach and send fake e-mail messages to authorities     Reporting fake messages to authorities helps in the effort to combat phishing schemes. There’s information buried in the header of an e-mail message that technical experts require in order to flush out fraud or abuse; without it they may be unable to pursue an investigation. Follow the steps below to send the full, original header of the message you want to report. Some e-mail addresses you can use to report suspicious mail are:

reportphishing@antiphishing.org goes to the Anti-Phishing Working Group, an industry association.

spam@uce.gov goes to the FTC.

abuse@msn.com goes to MSN.

abuse@microsoft.com goes to Microsoft.

In these steps, you copy the headers from the problem message into a new message. You also attach the problem message to the new message.

  1. In Outlook, right-click the suspicious message you want to report, and then click Options on the shortcut menu.
  2. To copy the full headers, right-click inside the Internet headers box, and then click Select All on the shortcut menu.
  3. To copy the full header, press CTRL+C, and then click Close.
  4. Open a new message, and type the e-mail address of the company to whom you are reporting the problem message — for example, reportphishing@antiphishing.org.
  5. If Microsoft Word is your e-mail editor, click the down arrow next to Insert File, and then click Item. If Microsoft Word is not your e-mail editor, on the Insert menu, click Item.
  6. Click the message you want to report, and then click OK. This attaches the problem message to the new message.
  7. In the Subject line, type I am reporting suspicious email, or whatever you think is best to describe what you are doing.
  8. In the body of the new message, to paste the header you copied in step 3, press CTRL+V.
  9. Click Send.
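The same report the nine Outlook steps produce, built with Python's standard email package, as an added example that is not part of the original article: the full headers of the suspicious message go into the body (steps 2, 3 and 8) and the original message is attached as message/rfc822 (steps 5 and 6). The sample message, the reporter address and the .example/.invalid domains are constructed; reportphishing@antiphishing.org is the address named above.

```python
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Constructed sample of a suspicious message, including its Internet headers.
SUSPICIOUS = b"""Received: from mail.example.invalid (unknown [192.0.2.10])
\tby mx.example.invalid with SMTP; Mon, 01 Mar 2004 10:00:00 +0000
From: "Wood Grove Bank" <support@woodgrovebank.example>
Reply-To: verify@nl.example
To: victim@example.invalid
Subject: Account verification required
Content-Type: text/plain; charset=us-ascii

Dear valued bank member, please follow the link below to confirm you data.
https://www.woodgrovebank.com@nl.tv/secure_verification.aspx
"""

def build_report(raw: bytes, reporter: str, destination: str) -> EmailMessage:
    """Assemble the report message: headers pasted in the body, original attached."""
    original = BytesParser(policy=policy.default).parsebytes(raw)
    # Steps 2-3: the header block exactly as the Internet headers box shows it.
    headers = "".join(f"{name}: {value}\n" for name, value in original.raw_items())
    report = EmailMessage(policy=policy.default)
    report["From"] = reporter
    report["To"] = destination                               # step 4
    report["Subject"] = "I am reporting suspicious email"    # step 7
    report.set_content("Full headers of the reported message:\n\n" + headers)  # step 8
    # Steps 5-6: attach the original message itself (Insert > Item in Outlook);
    # the email package stores a Message object as a message/rfc822 part.
    report.add_attachment(original)
    return report

if __name__ == "__main__":
    print(build_report(SUSPICIOUS, "reporter@example.invalid",
                       "reportphishing@antiphishing.org").as_string())
```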

Tips on safer online shopping and banking

If you want more information from Microsoft on ways to help safeguard your personal information while shopping or banking online, visit the Online Fraud Web site. Keep in mind that not all identity thieves are high-tech hackers. Some use low-tech methods, such as dumpster diving, to swipe personal information. Buy a shredder and destroy bills, pre-approved credit offers, and other documents with personal information before throwing them away or recycling them.

How Outlook 2003 helps to protect you from phishing schemes

For specific information on how Outlook 2003 helps to protect you from phishing schemes, see the article called Block suspicious messages and phishing schemes.
