How to Spot a Phish
October 17, 2007
Judging from the search terms YourIdentitySafe has gotten on the Citizen’s Bank Phishing email, I think quite a number of other people have received that email. The same guys are still sending out their phishing poles but now they’re using Compass Bank. These are really lame looking, but be aware that some do look very authentic, and the site they take you to can have the exact appearance of the real site.
Perhaps many people don’t understand how to look at a web address and tell exactly what the actual domain name is. At its simplest, this is a domain name: ‘domain.com’ . Sometimes you’ll see www in front of it, sometimes not – that’s really not important.
When you see a ‘/’ after the domain name, anything after that is a page on the website. So: ‘domain.com/folder/info-page’ is a page on the site named ‘info-page’ and it’s in the subdirectory named ‘folder’. A page file can have a lot of different endings like: html, htm, php, asp, or nothing at all.
Now, the important part of spotting a phishing scheme is what’s going on before that last part of the address, which in our example is ‘domain.com’.
All kinds of words, letters and periods can be added to the beginning. For example: compassbank.com.domain.com. You see the compassbank.com part and maybe think it’s legit. It’s not. It’s still at ‘domain.com’.
Phishers like to put LONG strings of words separated by periods in hopes that it will confuse you into thinking you’re going to the legitimate site. All you have to do is look for the last period before the first ‘/’. The part right in front of it, together with the ending after it (like .com or .net), is the actual domain name.
Usually phishing sites use weird domain names like ‘csr98.net’. That’s the domain my latest Compass Bank phishing attempt is trying to send you to. Here’s the whole address: http://e-access37579210.compassbank.com.ibscompass.cmserver.welcome.default.verify.cfm.csr98.net/Internet%20Cash%20Management.htm . Wow, that looks totally official – I see ‘compassbank.com’ and ‘welcome’ and ‘verify’ and ‘default’ – it must be a safe and welcoming site!
I got that address by hovering my mouse over the link in the email that looks legit. Then I right-clicked on it and chose ‘copy link location’. I then pasted it into a Word document – any text editor also works for this. The real address showed up. All that gobbledy-gook in front of ‘csr98.net’ doesn’t mean anything.
Hovering your mouse over a link will show the true web address in the little address bar at the bottom of your email window, too.
Learn to look for the real address in any link in emails you receive. The safest way to be sure you’re going to the correct website is to type an address into a browser yourself and not click on links – especially links that say you need to update your account information.
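The rule described above (take the part before the first ‘/’, then read the domain from its right-hand end) can be written as a short Python check; this is an added example, not part of the original post. It goes slightly beyond the post by also handling two-part endings such as co.uk through a small constructed sample list, and the function names are hypothetical.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample of two-part endings; a real tool would load the full
# Public Suffix List (publicsuffix.org) rather than this short set.
TWO_PART_SUFFIXES = {"co.uk", "org.uk", "com.au", "co.jp"}

# The link quoted in the post, rejoined onto one line.
PAGE_URL = ("http://e-access37579210.compassbank.com.ibscompass.cmserver."
            "welcome.default.verify.cfm.csr98.net/Internet%20Cash%20Management.htm")

def host_of(url):
    """Return the lowercased host of a link, with or without a scheme."""
    if "://" not in url:
        url = "//" + url          # lets urlsplit treat 'domain.com/x' as a host
    host = urlsplit(url).hostname
    if not host:
        raise ValueError("no host found in %r" % url)
    return host.rstrip(".")

def registered_domain(url):
    """Return the domain that really serves the link (e.g. 'csr98.net')."""
    host = host_of(url)
    try:
        ipaddress.ip_address(host)   # a bare IP address has no domain name
        return host
    except ValueError:
        pass
    labels = host.split(".")
    keep = 2
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_PART_SUFFIXES:
        keep = 3                     # 'example.co.uk', not just 'co.uk'
    return ".".join(labels[-keep:])

def brand_is_decoy(url, brand_domain):
    """True when brand_domain shows up in the host but is not the real domain."""
    return brand_domain in host_of(url) and registered_domain(url) != brand_domain

if __name__ == "__main__":
    print(registered_domain(PAGE_URL))                  # real destination
    print(brand_is_decoy(PAGE_URL, "compassbank.com"))  # brand used as bait
```

The periods inside the page name (‘Management.htm’) are ignored because only the host part is examined.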