Staying safe on the Internet is challenging. It is technologically easy for nefarious hackers to create emails, web pages, and other documents that look like they are from real, trustworthy entities (e.g., banks, e-commerce sites, or universities).
Be wary of emails or web pages that ask for your username, password, social security number, home address, or other personal information. Check to make sure these requests for information are from legitimate businesses or sources before responding.
Here are some tips for protecting yourself from phishing scams:
- Pay attention to the headers in the email (the To field, the From field, the Subject field, etc.). Make sure the email is coming from a legitimate address. Recently, a phishing scam targeted Stanford University; in the header, the From field read: “Computing Services” <firstname.lastname@example.org>. If this were a legitimate email, it would likely have come from “email@example.com” or “firstname.lastname@example.org” or from Matthew Ricks, head of Computing Services, personally.
- Never click on a link from within an email. Always open a web browser and manually type in (or copy and paste) the URL yourself. It is easy for “phishers” to make links appear to go one place, but really go someplace else. Just because a link says it’s going to PayPal or some other legitimate location doesn’t necessarily mean it will actually take you there. For example, in the phishing attack that hit Stanford, the phishers used a link that contained part of the real URL (http://axess.stanford.edu), but also contained a number of extra letters and numbers at the end (.student.3hf.be). Pay attention to the URLs in an email and never simply click the link.
- Realize that it is easy to create legitimate-looking websites. Victims of the phishing scam that hit Stanford were sent to a website that looked exactly like the real site that people would have gone to if it were legit. Simply because the site LOOKS real doesn’t mean that it is. Pay attention to the URL in the address bar. Does it contain extra letters or substitutions (e.g., 1 for l) that shouldn’t be there?
For example, these are fake:
This is the real address:
For more tips on protecting yourself from phishing, visit the Federal Trade Commission’s Anti-Phishing tips site: