Take this Phishing Quiz and see how the bad guys try to trick you. Use a desktop computer or an iPad for the best experience.
I received an email this weekend that appeared to be from my friend Pat. It definitely came from her email account, and it had her usual email signature at the bottom. The body of the email read:
Check out this Foreclosed properties good for investment, CLICK HERE and log in with your email.
xxx xxxxxxxx x
xxxxxx xxx xxx, xx
(Here, I’ve replaced Pat’s real info with a bunch of x’s to protect her identity.)
Because I’d seen that same email from someone else earlier this week I was instantly suspicious. I checked out the link and found that it led to what looked something like the Remax real estate site, but as you can see from the picture below, there were clues that this wasn’t the Remax site at all. (Note: in this screen shot, I’ve already clicked the “Gmail” button near the bottom of the web page.)
The first clue is in the URL. The thing to notice is that the “.com” part is preceded by something called “matchellen” rather than “remax”. That means that this is “matchellen.com” and not “remax.com”. It doesn’t matter that the word “Remax” appears in the URL. What matters is the part attached to the .com. So, that’s clue number 1.
Another clue is that the titles of the page is “Remax – Secure Login”. Any site that claims to be “secure” should start with “https” rather than just “http” so you can see that this is not a secure site. There are plenty of sites that ask you to sign in without being secure, but the fact that this site claims to be secure when it obviously is not tells you there’s something funny going on here. Another clue is the lousy English– Pat’s better than that.
There’s one more big clue: “Remax” is asking for my GMAIL PASSWORD. Why would Remax need that? The answer, of course, is they don’t. Remax does have its own username-and-password requirements for logging in, and it happens that the Remax username is your email address… but when the Remax login screen asks for a password, it’s not asking you for your actual email password. They’re asking you for the password you created when you signed up for a Remax account. They ought to be different.
Unfortunately, Pat wasn’t as suspicious as I am and she “signed in” and gave the bad guys her email address and her email password. And then the bad guys sent out hundreds, maybe thousands of pieces of mail, using Pat’s account, telling us about the “foreclosures” asking us to “log in with your email.” Pat may as well have handed the bad guys the keys to her house. “Come on over and rob me! You won’t even have to break in. Just use the key.”
You might wonder why anyone would go to the trouble of trying to fool Pat this way– after all, what’s to be gained by reading her email? Turns out that reading her email gave the bad guys a pretty good idea of who Pat is, who her friends are, and who she banks with. The bad guys found a chain of correspondence that Pat had had with someone at the bank, and they sent him an email– from Pat’s account, with Pat’s email signature– to wire some money out of Pat’s account and into their own. Fortunately, the bank was suspicious and didn’t send the money.
The first thing to do in a case like this is to quickly change your email password, and “quickly” is the key. If you’re slow about it the bad guys may change it to suit themselves, locking you out of your own account. They don’t usually do this because a password change is something you’d notice because your Mac, your iPhone, and your iPad would not be able to get mail and you’d probably figure out that something was up. The bad guys would rather you remained unaware.
The second thing to do in a case like this is to contact me so we can go over what happened. Connecting the dots, I can figure out whether you were hacked surreptitiously or simply made a mistake and handed someone the keys to your email (as was the case here).
I checked with “whois.net” to find more info on “matchellen.com.” I found out where that site was hosted and contacted the people providing the service there, and they shut the site down quickly. Here’s what it looks like if you click the CLICK HERE link today:
(Click anywhere on the picture to go to Google’s explanation of phishing. Worth a read.) Note that while a warning has been placed on the “matchellen.com” site the bad guys will simply move to a new server. And, keep in mind that the warning doesn’t keep you from clicking “Ignore Warning” and going to the site, even now. Advice: if you see a warning like the one above, leave that site. If on a Mac I’d go as far as restarting it. If on a PC I’d shut down completely and then turn it back on. Take these warnings seriously!
If I Were You
I would not use my email password for anything but my email account. If I had two email accounts I would use different passwords for each. I know it’s a pain but so is giving someone a master key to everything– email accounts, shopping sites, online banking, etc. It will take some work to change your passwords but it’s for your own good and it’s definitely worth it.
UPDATE: see my article about using OpenDNS to filter out phishing sites.