E-Mail Dangers - Phishing

Phishing (pronounced 'fishing') is a technique used to obtain your financial details: you are sent an e-mail pretending to be from your bank which leads you to a web site where your security details are captured while you think you are logging in as normal or confirming security details for your bank's web site.  Here is a typical phishing e-mail; they can look very convincing because they pick up the bank's own graphics from the real bank's web site.

There are several things to consider when you get an e-mail that could be phishing for your security details:

  1. Your bank will never ask you for your security details by e-mail

  2. Look at the language, notice the sentence above 'Our new security system will help you avoid frequently fraud transactions', surely your bank would use better English than that!

  3. Be suspicious, phishers may try to obtain your details for other secure facilities like e-Bay, PayPal, etc.  Don't believe everything you read.

Here is one technique you can use if you really aren't sure whether an e-mail is a scam.  Double-click the e-mail so it opens in its own window.  Scroll down to the very bottom of the e-mail message and then highlight all the contents of the e-mail from the bottom upwards (highlighting reveals text that has been hidden by colouring it the same as the background).  If it is a scam you will most probably see some strange words somewhere in the e-mail body (at the bottom in the example shown below).  These are added by the phishers to try to fool spam filters; if you see something like this, treat the e-mail as a possible scam and, at the very least, mark it as spam and delete it.

How does phishing work?

There are three main techniques phishers have used to trick recipients of their e-mails:

1.  @ sign in URL

This technique no longer works if you have the latest patches for Internet Explorer (this is why it is important to keep Windows updated).  Previously, if you typed something like '' into the Internet Explorer address bar, it would ignore everything up to the @ sign and take you to the domain '', i.e. this web site.  This was meant to help people who could not tell the difference between e-mail addresses and web addresses, but the phishers used it to write addresses like . This would not take you to the Barclays web site but to the site at (this part of the address would often be encoded using character codes such as %20%22%30 so you could not recognise what it represented).  The site you were taken to could either be a fake that looked like your bank's real web site, or it could open a pop-up box and then redirect you to your bank's real web site with the phisher's pop-up box still showing.  This happens so fast that you do not see the site that provides the pop-up box; you assume you are logging in as normal, but the details you enter in the pop-up box are sent to the phisher's web site and stolen.
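The check a mail filter or a cautious reader can apply to a link's address, written as an added Python example that is not from the original page: it strips the text before the @ sign, decodes a percent-encoded host and reports where the link really leads. The host names are constructed placeholders, not real sites.

```python
from urllib.parse import urlsplit, unquote

# Constructed sample links for demonstration; none of these hosts are real.
SAMPLE_LINKS = [
    "http://www.bank-example.com/login",
    "http://www.bank-example.com@%77%77%77.phish-example.net/login",
    "http://www.bank-example.com:login@phish-example.net/%20%22",
]


def real_host(url):
    """Return the host a browser actually connects to: the part of the
    authority after the last '@', with any percent-encoding decoded."""
    parts = urlsplit(url)
    # .hostname already drops userinfo and the port but leaves %xx codes.
    return unquote(parts.hostname or "").lower()


def displayed_host(url):
    """Return the text before the '@' that a casual reader takes for the
    site name (empty string when the link has no userinfo part)."""
    parts = urlsplit(url)
    userinfo, sep, _ = parts.netloc.rpartition("@")
    return userinfo.split(":", 1)[0] if sep else ""


def link_warnings(url):
    """List the reasons a link looks deceptive; an empty list means none of
    the address tricks described above were found."""
    parts = urlsplit(url)
    warnings = []
    if "@" in parts.netloc:
        warnings.append("'@' in address: text before it is a user name, not the site")
    if "%" in parts.netloc:
        warnings.append("percent-encoded host decodes to %r" % real_host(url))
    shown = displayed_host(url)
    if shown and shown.lower() != real_host(url):
        warnings.append("shown name %r differs from real host %r"
                        % (shown, real_host(url)))
    return warnings


if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(link, "->", real_host(link))
        for warning in link_warnings(link):
            print("   WARNING:", warning)
```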

2. HTML coding in e-mails

If the e-mail you are sent contains an image that you click on to go to the site as invited, then you will not even see the URL that you are using (although you can examine the HTML code of the e-mail if you right-click on the message body and choose 'View Source').  You may then be sent to a dummy site which provides a pop-up box as in method number 1, and you are duped into completing your details.  One way to protect yourself is to use a pop-up blocker such as those available with toolbars like the Yahoo toolbar.  You can set the pop-up blocker to allow pop-ups that really do come from your bank's web site (if that is the way your bank gets you to log in) but block any others, protecting you from this method of phishing.

3. Trojan horse address spoofing

With the Internet Explorer patches and pop-up blockers making it harder for the phishers to succeed, some phishing e-mails now install a trojan horse program on your computer if you click the link in the phishing e-mail.  You are taken to the phisher's web site, which is designed to look like your bank's real web site; the trojan horse overlays your bank's URL on top of your browser's address bar so you cannot see that you are not really at your bank's web site, and you log in as normal.  A good antivirus program should alert you to these trojan horse programs, but not all of them do!

Most banks are now saying that it is your fault if you are taken in by a phishing e-mail and they will not compensate you for any losses.  The simple message is - if an e-mail looks like it comes from your bank (or any other financial service) there is a 99.9% chance it does not if it is asking you to log in.  After all, the only e-mails these companies are likely to send you are ones trying to sell you something!
