The Rules of Phishing Avoidance

Today’s post is a simple one about security.

We start with the premise that there are scoundrels out there who want to do you harm. And, no, this is not The Four M’s (Marilyn Manson and Michael Moore) arguing that the corporatocracy ruling the land wants all of us to live in a constant state of fear because it’s good for business — there really are scoundrels out there (perhaps riding the wave The Four M’s describe . . . ).

To keep things narrow, today we focus on a single slice of scoundrel-hood out there — the phisher.

* * *

Phishers phish; they go phishing.

Phishing is like fishing, but rather than being the act of seeking fish, phishing is the act of seeking information — personal, confidential information, like passwords or, worse yet, passwords to places like banks and brokerages, places in which real money is housed, real money which, using your password, can be removed to gosh only knows where, i.e., stolen.

A friend recently received an email, purportedly from Craigslist, which read as follows [warning: do not click on the link in this block indent]:


Important Craigslist Information


We reserve the right, at our sole discretion, to change, modify or otherwise alter your account at any time. Therefore your account will be blocked.

To avoid deletion of your Craigslist account please Sign In:

Click here to confirm your Craigslist account. <>

Putting aside the obvious grammatical, non-sequitur’ing nature of the request (hallmarks of most, but not all phishing email), what do you see?

Is this a request from Craigslist? And will the link take you to Craigslist to “confirm your account” (whatever that means)?

Gosh no.

This is a phishing email put together by a scoundrel and sent to perhaps hundreds of thousands of people, knowing that at least, say, 1% will have a Craigslist account, and that perhaps, say, 1% of those folks will click on the link and follow through with providing all “account confirmation” information requested.

Why, if the email went out to 1 million people, that’d be 100 people, coming to the scoundrel and leaving behind, on the scoundrel’s website, their passwords and other personal information. All in a day’s work, that, don’t’ch’ya know, this hurting people thang . . .

* * *

Now it so happens that this friend forwarded the email to me via her Blackberry, and I suspect that the Blackberry changed the formatting of the link (Blackberries tend to strip out a lot of formatting of forwarded emails). And, in doing so, it showed the actual location of the website you would go to if you clicked the link, whereas most well-done phishing emails cloak the actual destination underneath language which is much more inviting, e.g., here, the link might say “Craigslist.”

And do you see that, even uncloaked, as it appears in the block indent above, the link does indeed have the word “Craigslist” in the address? That’s so that anyone who uncloaks the link (which, as described below, is easy to do) sees something which is inviting, rather than offputting.

But do you see what comes before the “.com” in the address? It says “summit-construction” and that is the destination of the link: the destination is some page maintained on the Internet by someone who happens to own something called “” and who is likely a scoundrel (or at least the victim of a scoundrel) — and who is definitely not Craigslist.

So this is a key to understanding Internet addresses: for our purposes here, the only thing that really matters in an Internet address is the language that comes before the left-most “.com” (or “.net” or “.gov” or “.biz,” etc.). For techno-wonks, this is the “domain name.”

And it just so happens that the way addresses work on the Internet is that all the other words in the destination — everything other than the domain name — can be anything whatsoever that the people setting up the website want them to be. So the word “mail” at the beginning of the destination address, together with everything after the left-most “.com” in the destination address, can be easily changed by the person controlling the destination to be anything — including “”

In fact, if they wanted to phish using my business identity, they could just as easily have set up a destination at

Neither Craigslist, nor I, could have much to say about it.

And, yup, this does indeed mean that every www. or dub-dub-dub-dot or triple-w-dot you ever dealt with was superfluous.

* * *

Now I haven’t clicked on the link in the block-indented phishing email above to find out what lies at the other end (maybe-bad conjugation of the word “lay” and resulting pun intended) — and I strongly advise you to not go there either — but you can pretty much guess that, when you arrive at that page, the page is going to ask you to input a password, your name, etc., all so that the fishing scoundrels running the site can commandeer your identity insofar as you have an identity with the Craigslist website.

And then once the phishing scoundrels have that info, gosh only knows what they will do with it.

Given that the main nefariousness with which CL has been alleged to be a part is the sex trade, though, we can guess that one possibility is that your own good name would be put to use to further the sex trade.

Sounds bad, eh?

* * *

Now we come to the never-ever rules.

The 1st rule of phishing avoidance is to never, Ever, NEVER, EVER! click on a link in an email that is from someone — a human being — whom you do not know personally and well, and whom you do not know for a fact to be trustworthy.

The 2nd rule of phishing avoidance is to never, Ever, NEVER, EVER! click on a link in an email from a non-person. Any business that wants to contact you can do so by calling you up, and this is especially true when it comes to financial companies. They will never, Ever, NEVER, EVER! send an email to you requesting that you log onto their site. If there is a problem (which there never is), they will call you (which they seek to never do, because that costs money).

The 3rd rule of phishing avoidance is to never, Ever, NEVER, EVER! click on a link in an email without first seeing where that link will take you — without de-cloaking it, rather like a Romulun Bird of Prey for all Star Trek fans out there.

This, too, is important: the language you see on the surface of a link has nothing to do with the destination address underneath — the guts of the link that actually tell your computer where to take you.

For instance, you know that link in the block indent, up above? The one that I strenuously told you to not click on because it was dangerous? Well, I changed it (for many reasons including the reason that saying, Don’t touch this, it’s hot, makes a human being consider touching it . . . ), so that, now, as changed by me, if you click on the link you will be transported to Wikipedia’s entry on phishing.

* * *

So who’s to know? Who’s to know what the cloaked destination is?

You are, that’s who.

Email readers just about always have a way for you to see the underlying destination address embedded within a link without you having to actually click on the link.

For instance, most Windows-based email readers allow you to scroll over the link (i.e., put the mouse pointer on top of the link) to see what’s what. In Microsoft Outlook, when you scroll over a link a little bubble-up will bubble-up showing you the address to which the link will take you. Thunderbird works similarly, but rather than doing the bubble up, when you scroll over the link T-Bird puts the destination address into the status bar (the lower left hand corner of the window).

Those are the two email readers I have on my machine; if you use some other type of email reader, why then you’ll either need to figure it out on your own, or, more easily, you can ask the nearest young person to show you. Just ask them, Oh wise (insofar as computers go) one, without clicking on a link in an email, how can I tell on my computer where the link will take me?

* * *

Of all the ideas above, the one that is most important to your continued financial health is to never, Ever, NEVER, EVER! click on a link that looks like it’s from a bank or a brokerage or any other financial company.

It be a scoundrel, cloaked in a facade of authenticity, and typically, but not always, clothed in bad grammar, non-sequiturs and other things that hopefully make you scrunch up your nose and say, wuh?

‘Til tomorrow, then, here’s to your financial health, and may it continuously improve . . .


Leave a Comment