Anti-Buzz: Important Message From Helpdesk!!

by Andrew Emmott on May 15, 2012

in Anti-Buzz, Security

The Buzz: Your e-mail account is exceeding quota!


The Anti-Buzz: STOP, this is a SCAM

I received the following e-mail very recently …

Dear Email Owner

You have exceeded the limit of your mailbox set by our IT Service, and from now you cannot be receiving all incoming emails and also some of your outgoing emails will not be delivered and LASTLY, your account will be ‘DE-ACTIVATED’ within 24 hours from now. To prevent this, you are advised to click on the link below to reset your account. Failure to do this, will result to limited access to your mailbox while your account will remain IN-ACTIVE within the next 24 hours.

Click link: https://docs.google.com/spreadsheet/linkisbeingobfuscatedforyourprotection

Thanks for letting us serve you better!

I almost fell for it! Looking at it now, it seems so obviously fake. I wrote up some personal security tips recently, so I may be returning to this well a little early, but I also don’t control when scam artists are going to send me e-mails, and this seems like a great example to pick apart. As stupid as the above e-mail is, it actually had me fooled for a brief moment when I first read it. I picked this one up on my new university e-mail account, a domain where I am not completely sure of the policies. For all I knew, maybe I had exceeded some storage limit! And worse, the idea that I might be missing incoming mail on this account was absolutely intolerable. I needed to spring into action!

The suggested course of action was that I needed to click on a link and give all of my information to a stranger. *game show buzzer* This is not a particularly convincing e-mail, but if a scammer can get you to drop your guard for even a few seconds against a bad phishing attempt …click more for some tips and giveaways that will help you stop a scam.

Fear is the mind killer

Most scams prey on your emotions in some way. The most common approaches are fear (such as the above) or joy (such as when you win a free iPad 2). Whenever an unsolicited e-mail gets you worked up in some way, you should count this as your first red flag. These scams only need you to have a lapse in judgment long enough to give them what they want, and digging at your emotions is the easiest way to do that.

On the other hand, laziness is another thing these scams can prey on; casual computer users develop the habit of ignoring messages and just “clicking through” whatever pops up on their screen. This might be less of an issue in e-mail, but a lot of us do develop the habit of “Yeah yeah, click the thing, type in my stuff. Click the thing, type in my stuff.” This is understandable, but akin to taking your eyes off the road when driving.

You cannot be receiving all incoming emails

The first thing you can do is read the e-mail out loud. Fear can keep us from noticing the obvious, which is that this e-mail was probably not written by a native English speaker. Not all scams are so obvious, but extending this idea, you should examine the credentials of your suspect. Who is the e-mail from? I have omitted it here, but the name attached to this e-mail does not match any of the known support staff at my university.

Many scams are careful to use non-suspicious e-mail addresses that sound official, posing as government agencies, high-profile corporations or generic IT staff; but not always. Even if the sender seems legitimate, their address will usually unravel on closer examination: Why does “IRS Bank” have an e-mail account with Yahoo? That sort of thing.

Similarly, credibility can come unraveled in their method. In the example, the link I am supposed to click goes to a Google doc. Google docs are great, but I doubt any IT staff has ever used them to manage client information. These details matter.

Staff will never ask you for your user name and password

Absolutely every service you will encounter on the Internet will warn you that their staff will never ask for your user name and password. If you have never seen this before then you are likely guilty of “clicking through” notices and warnings. For any online service, your password has exactly one purpose: to log in to your account. There is nothing about your password that enables any staff to serve you better. They will never need it. They don’t want to know it because it compromises their integrity. The upshot of this is that you can safely assume that absolutely every single e-mail you receive that asks you for a password is bogus. All of them. Some scams get really convincing, to the point where they even mimic the login page of a web service that you actually use. If you received an e-mail with a link in it, and you clicked that link, and that link asked you for your password for something, stop immediately.
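The red flags this post walks through (a sender who is not known support staff, an “official” sender using a free webmail provider, a deactivation deadline, a request to reset credentials, and a link to a shared Google doc rather than the organisation’s own domain) as a small triage script. This is an added example, not part of the original post; example.edu, the addresses and the two sample messages are constructed placeholders.

```python
# Heuristic phishing triage built from the red flags in the post (added example, constructed data).
import re
from dataclasses import dataclass
from urllib.parse import urlparse

@dataclass
class Email:
    sender: str   # From address
    body: str

# Fear- and urgency-driven wording ("within 24 hours", "DE-ACTIVATED", "IN-ACTIVE")
URGENCY = re.compile(r"within \d+ hours?|de-?activated|in-?active|immediately", re.I)
# Any request to hand over or "reset" credentials via a link
CREDENTIAL = re.compile(r"password|user\s*name|reset your account|verify your account", re.I)
URL = re.compile(r"https?://[^\s<>\"'’]+")
# Shared-document and link-shortener hosts an IT department would not use to manage accounts
GENERIC_HOSTS = {"docs.google.com", "drive.google.com", "forms.gle", "bit.ly"}
FREE_MAIL = {"yahoo.com", "gmail.com", "hotmail.com", "outlook.com"}

def triage(msg: Email, org_domain: str, known_staff) -> list:
    """Return the red flags found; an empty list means no heuristic fired."""
    reasons = []
    sender = msg.sender.lower()
    sender_domain = sender.rsplit("@", 1)[-1]
    if sender_domain != org_domain:
        reasons.append(f"sender domain {sender_domain!r} is not {org_domain!r}")
    if sender_domain in FREE_MAIL:
        reasons.append("official-sounding sender uses a free webmail provider")
    if sender not in known_staff:
        reasons.append("sender is not a known support address")
    if URGENCY.search(msg.body):
        reasons.append("urgency / threat-of-deactivation language")
    if CREDENTIAL.search(msg.body):
        reasons.append("asks to reset or supply credentials")
    for url in URL.findall(msg.body):
        host = (urlparse(url).hostname or "").lower()
        in_org = host == org_domain or host.endswith("." + org_domain)
        if host in GENERIC_HOSTS or not in_org:
            reasons.append(f"link points off-domain: {host}")
    return reasons

# Constructed samples modelled on the post's e-mail; example.edu is a placeholder domain
PHISH = Email("helpdesk.support@yahoo.com",
    "You have exceeded the limit of your mailbox; your account will be 'DE-ACTIVATED' "
    "within 24 hours. Click link to reset your account: https://docs.google.com/spreadsheet/placeholder")
BENIGN = Email("it-help@example.edu",
    "Reminder: mail server maintenance Saturday 02:00-04:00. Details: https://it.example.edu/status")
KNOWN_STAFF = {"it-help@example.edu"}
```

Run `triage(PHISH, "example.edu", KNOWN_STAFF)` to see all six flags fire on the constructed scam, while the benign maintenance notice returns an empty list.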

Why do they do it?

This question alone could be another article, but the summary answer is this: because they only need a few people to fall for it. It does not cost any more to send an e-mail to 1000 people than it does to 10. The easy scalability of electronic information is precisely why spam and scams are so prevalent – they can afford a tiny success rate because there is no risk in failure, and I would wager that all of us know somebody who might fall for the above scam.

Until next time, careful clicking.
