Friday, April 11, 2008



When I saw the subject line of this e-mail, "Slight error regarding your account," I knew that someone was going phishing. I was curious enough to open this message and see what it looked like. Look carefully:

The greeting is generic, no name or account number.

The words inability and regularly are misspelled. The word your appears as you.

The odd phrase "address changing" suggests a lack of familiarity with American idioms.

The end punctuation of the numbered items is inconsistent.

The numbered items are out of sequence! (Sheesh! Thes guys ned to proofred.)

The sentence in red is missing a pretty obvious comma. The unnecessary then in that sentence also suggests that the English of this message is a matter of labor.

If I were reading this e-mail in panic mode, I'd be likely to miss these details, just as the dim phishers themselves have. But even in panic mode, mousing over the link to read the URL before clicking is all that would be necessary to determine that this e-mail is a phony. The words in blue point to a Chilean URL that (of course) has nothing to do with Chase. I have no idea what is to be found there.

[Update: A comment on this post suggests that mousing over might not be enough. So even if the revealed URL appears legitimate, don't click. If you suspect a genuine problem with an account, use the phone or visit the appropriate website.]
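To show why the mouse-over check can fail, here is an added example (my own, not part of the original post or its comments): a small Node.js script that audits the links in an HTML e-mail body the way a mail filter would. It flags three things: a link whose visible text names one site while its href goes to another; a link whose href is outside the domain the message claims to come from; and a link carrying an onmousedown or onclick handler, which can rewrite the destination after the status bar has shown the harmless-looking href (the trick the comment below describes). The e-mail HTML, the chase.com brand, the example.net and 203.0.113.7 destinations, and the handler are all constructed for illustration and are not the actual phishing message from the post.

```javascript
// Added example, not from the original post: audit the anchors in an HTML
// e-mail body. Runs under Node.js (>= 10) with no dependencies.
// SAMPLE_EMAIL_HTML is constructed for this demo; the destinations use
// RFC 2606 / RFC 5737 reserved names, not the real phishing site.
const SAMPLE_EMAIL_HTML = `
<p>Dear valued customer,</p>
<p>Please <a href="http://chase-verify.example.net/update">click here</a> to confirm your details.</p>
<p>Or go to <a href="http://203.0.113.7/chase/">https://www.chase.com/secure/</a></p>
<p>Status-bar spoof: <a href="https://www.chase.com/"
   onmousedown="this.href='http://chase-verify.example.net/login'">https://www.chase.com/</a></p>
<p>Legitimate: <a href="https://www.chase.com/">https://www.chase.com/</a></p>
`;

const URL_RE = /https?:\/\/[^\s"'<>]+/gi;

// Pull one attribute value out of an anchor's attribute string.
function attrValue(attrs, name) {
  const m = new RegExp('\\b' + name + '\\s*=\\s*(["\'])([\\s\\S]*?)\\1', 'i').exec(attrs);
  return m ? m[2] : null;
}

// Regex-based anchor extraction is adequate for a short demo; a real mail
// filter should use a proper HTML parser.
function extractAnchors(html) {
  const anchors = [];
  const re = /<a\b([^>]*)>([\s\S]*?)<\/a>/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    const attrs = m[1];
    const text = m[2].replace(/<[^>]+>/g, '').trim();
    const handlers = {};
    const hre = /\bon(\w+)\s*=\s*(["'])([\s\S]*?)\2/gi;
    let h;
    while ((h = hre.exec(attrs)) !== null) handlers['on' + h[1].toLowerCase()] = h[3];
    anchors.push({ text, href: attrValue(attrs, 'href'), handlers });
  }
  return anchors;
}

function hostOf(url) {
  try { return new URL(url).hostname.toLowerCase(); } catch (e) { return null; }
}

function underDomain(host, domain) {
  return host === domain || host.endsWith('.' + domain);
}

// Audit one anchor against the domain the message claims to come from.
// Returns a list of human-readable warnings (empty means nothing suspicious).
function auditAnchor(a, claimedDomain) {
  const warnings = [];
  const hrefHost = hostOf(a.href);

  // 1. The href leaves the brand's own domain.
  if (hrefHost && !underDomain(hrefHost, claimedDomain)) {
    warnings.push(`href host ${hrefHost} is not under ${claimedDomain}`);
  }

  // 2. The visible text names a site that the href does not go to.
  for (const u of a.text.match(URL_RE) || []) {
    const textHost = hostOf(u);
    if (textHost && textHost !== hrefHost) {
      warnings.push(`text shows ${textHost} but href goes to ${hrefHost}`);
    }
  }

  // 3. A mouse/click handler can change the destination after the status bar
  //    has displayed the href, so the mouse-over check sees the wrong URL.
  for (const [name, code] of Object.entries(a.handlers)) {
    const hosts = (code.match(URL_RE) || []).map(hostOf).filter(h => h && h !== hrefHost);
    if (hosts.length) {
      warnings.push(`${name} handler rewrites destination to ${hosts.join(', ')}`);
    } else if (/\.href|location/.test(code)) {
      warnings.push(`${name} handler touches the navigation target`);
    }
  }
  return warnings;
}

function auditEmail(html, claimedDomain) {
  return extractAnchors(html).map(a => ({
    href: a.href, text: a.text, warnings: auditAnchor(a, claimedDomain),
  }));
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const r of auditEmail(SAMPLE_EMAIL_HTML, 'chase.com')) {
    console.log(`${r.href} | "${r.text}"`);
    console.log(r.warnings.length ? '  ' + r.warnings.join('\n  ') : '  ok');
  }
}
```

Run it with `node audit.js` (any file name will do). The third anchor is the instructive one: its href is the real chase.com address, so hovering shows exactly what a cautious reader hopes to see, and only the handler gives the game away. That is why typing the bank's address yourself beats reading the status bar.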

A phisher who reads this blog post might learn something about creating more plausible-looking e-mails. But that remote possibility is outweighed by the more likely possibility that some reader will stop and think before clicking on a questionable link.

You can check on or report a specious URL at PhishTank. The URL in my e-mail has already been verified as belonging to a phisher. PhishTank also has a page with suggestions about what to look for in a phishing message.

[Thanks to Eustace of The Lock and Key, whose comment prompted me to update this post.]


comments: 3

Eustace Bright said...

The status bar can be made by a mildly-knowledgeable programmer to display a different address than the true target. In fact, the address bar can even be made to display a false address! (Gmail used to do this, not maliciously of course, but for aesthetics: looks better than;jf;;//adfa;sdjf8pasdfasldjfa;lsdf :D)

Probably the best way to protect oneself from phishing is to never click links from an email, period. If you receive an e-bill or account alert or any other email requiring action, open a clean browser window or tab, type the address yourself, and follow the links on the site.

Michael Leddy said...

Thanks, Joe. I didn't know that it's possible to fool the status bar — my phisher must be even dimmer than I thought.

Michael Leddy said...

I just revised accordingly, with a tip of the hat to you. Thanks!