Oregon Department of Human Services

Common Phish Sense

"Phishing" is the act of sending an email to a user falsely claiming to be an established legitimate enterprise in an attempt to scam the user into surrendering private information that will be used for identity theft. The email directs the user to visit a Web site where they are asked to update personal information, such as passwords and credit card, social security, and bank account numbers, that the legitimate organization already has. The website, however, is fake and set up only to steal the user's information. Phishing, also referred to as brand spoofing or carding, is a variation on "fishing," the idea being that bait is thrown out with the hopes that while most will ignore the bait, some will be tempted into biting.


How to Spot A Phishing Scam


At first glance, it may not be obvious to the recipient that what is in their inbox is not a legitimate email from a company with whom they do business. The "From" field of the email may show the .com address of the company mentioned in the email, and the clickable link may also appear to take you to the company's Web site, but it will in fact take you to a fake Web site. Looks can be deceiving, but with phishing scams the email is never from whom it appears to be!

Phishing emails will contain some of these common elements (see email sample, above):

  1. The "From Field" appears to be from the legitimate company mentioned in the email. It is important to note, however, that it is very simple to change the "from" information in any email client.

  2. The email will usually contain logos or images that have been taken from the Web site of the company mentioned in the scam email.

  3. The email will contain a clickable link with text suggesting you use the inserted link to validate your information. In the image you will see that once the hyperlink is highlighted, the bottom left of the screen shows the real Web site address to which you will go. Note that the hyperlink does NOT point to the legitimate Citibank Web site URL.

     In this instance the text you click is "here"; however, it may also read something like "Log-in to Citibank" or "www.citibank.com/secure" to be even more misleading. This clickable area is only text and can be changed to anything the sender wants it to read.

Additionally, you may spot some of these elements that did not appear in this particular scam, such as:

  • Logos that are not an exact match to the company's logo;
  • Spelling errors;
  • Percentage signs followed by numbers or @ signs within the hyperlink;
  • Random names or email addresses in the body of the text; or even,
  • Email headers which have nothing to do with the company mentioned in the email.
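As an added example (not part of the original page), a small Python checker for the signs listed above: it pulls every link out of an HTML email body and flags an @ sign in the address, percent-encoded characters, and link text that names one domain while the address actually goes to another. The sample message, and the host 203.0.113.5 inside it, are constructed for the demonstration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Constructed sample: the visible link text names the bank, but the href uses the
# user@host trick and a percent-encoded path to reach a different (made-up) host.
SAMPLE_HTML = """
<p>Please <a href="http://www.citibank.com@203.0.113.5/%73ecure/login">log in to www.citibank.com/secure</a>
to verify your account.</p>
<p>Or visit <a href="https://www.citibank.com/">www.citibank.com</a> directly.</p>
"""

class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def domain_in_text(text):
    """Return the first domain name mentioned in the visible link text, if any."""
    m = re.search(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", text.lower())
    return m.group(1) if m else None

def check_link(href, text):
    """Return the warning signs for one link; an empty list means none were found."""
    flags, parsed = [], urlparse(href)
    host = parsed.hostname or ""
    if "@" in parsed.netloc:  # browsers treat everything before @ as a username
        flags.append("at-sign in link")
    if re.search(r"%[0-9a-fA-F]{2}", href):  # percent-encoding hides the real path
        flags.append("percent-encoded characters")
    shown = domain_in_text(text)
    if shown and host != shown and not host.endswith("." + shown):
        flags.append(f"text says {shown} but link goes to {host}")
    return flags

def scan_email(html):
    """Map each href in an HTML email body to its list of warning signs."""
    p = LinkExtractor()
    p.feed(html)
    return {href: check_link(href, text) for href, text in p.links}
```

Run `scan_email(SAMPLE_HTML)` to see the first link flagged on all three counts while the genuine link comes back clean.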

Who Is Behind the Phishes & Why


The people behind phishing emails are scam artists. They literally send out millions of these scam emails in the hopes that even a few recipients will act on them and provide their personal and financial information. Anyone with an email address is at risk of being phished. This is why phishing is profitable for scammers; they can cheaply and easily access millions of valid email addresses to send these scams to.

Hopefully after reading this far, you will be able to spot a phishing email without too much difficulty. The email represented above is just a sample; phishing emails can appear to be from any bank, PayPal, eBay, credit card companies, an online retail store - basically from anywhere a person may have registered for an account, and usually would have supplied financial information when registering.


Avoid Being "Phished"


The golden rule to avoid being phished is to never click the links within the text of the email. Always delete the email immediately, and once you have deleted it, empty the trash folder. If, for some reason, you have a nagging feeling that the email could possibly be legitimate and nothing can convince you otherwise, you still need to adhere to the golden rule and not click the link in the message. If you are truly worried that an account may be in jeopardy unless you verify your information, open your browser, type the Web address yourself, and log on to the Web site as you normally would (without using the email link as a shortcut). This will give you accurate information about your account and let you completely avoid landing on a spoof Web site and handing your information to someone you shouldn't.

Page updated: September 21, 2007
