Online Safety - A Real Life Phishing Example

July 25, 2019

Phishing attacks are becoming more sophisticated - Be careful out there!   

Phishing refers to the practice of sending out email while pretending to be someone else, in the hope of fooling an unsuspecting reader into reading the email and clicking on a link.

In the old days, the attempts were usually rather laughable with poor English, bad graphics, etc.  

Today I noticed a really good phishing email that my spam filter luckily caught and redirected.   

Now - I have a rule.  I don't click on email links to access sites unless I 100% know the source of the email is genuine.  And I almost automatically assume that if the email is coming from a financial institution, and is unsolicited (that is, not related to a transaction I initiated) - then it is potentially fraudulent.  

Here is the text of the email I received:   

Dear Wells Fargo Customer,

We recently reviewed your account, and we are suspecting that your Wells Fargo account may have been accessed from an unauthorized computer. 

This may be due to changes in your IP address or location. Protecting the security of your account and of the Wells Fargo network is our primary concern.

We are asking you to immediately login and report any unauthorized withdrawals, and check your account profile to make sure no changes have been made.

To protect your account please follow the instructions below:

       * LOG OFF AFTER USING YOUR ONLINE ACCOUNT

Please log in your account by clicking on the link below.

https://online.wellsfargo.com/auth/signon

Verify the information you entered is correct.

We apologize for any inconvenience this may cause, and appreciate your support in helping us maintaining the integrity of the entire Wells Fargo System. Please verify your account as soon as possible.

Thank you,
Wells Fargo Security Advisor.
Copyright © 1999 - 2019 Wells Fargo. All rights reserved.

Now, we are all accustomed to getting fraud alerts by text, phone, or maybe even email, so this email is on its surface not raising any alarms.  I happen to be a Wells Fargo credit card user, so I am going to be alert to the potential of fraud on my account.  But because of my distrust of emailed links, here is what I did:   

I hovered my mouse over the link they provided and noticed that the web address displayed UNDERNEATH the Wells Fargo URL was actually NOT a Wells Fargo website. In the example above I have changed the link they sent me to avoid anyone accidentally clicking on it.

This is the best evidence that an email is a fraud attempt.  What would have happened if I clicked on the link?  Hard to say.  I might download some kind of malware, I might only notify the sender that I am probably a Wells Fargo customer and therefore susceptible to future attacks.  The website I land on might want me to enter certain personal information.   All I know for sure is that a) the email was not sent by Wells Fargo and b) the sender did not have altruistic intent.  

Another reminder to be suspicious of any and all clickable links sent to you by email.  The best rule is to never click on emailed links unless you are 100% certain you know the source of the email.  To verify, hover over and inspect any link before clicking on it.  Inspect it very closely, remembering that a really good "phisherman" might switch just one letter of a URL, such as "welsfargo.com" or "welIsfargo.com" (the letter l switched for a capital i).
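The hover check and the lookalike warning above can also be automated for HTML email. This Python example is added here and is not part of the original post: it flags links whose visible address differs from the real destination, or whose domain is one character away from a trusted one. The `TRUSTED` set, the function names and the `example.net` destination are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser

TRUSTED = {"wellsfargo.com"}  # assumption: domains you really do business with
HOST = re.compile(r"^\s*(?:https?://)?(?:[^/@\s]*@)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)(?=[:/?#]|\s*$)", re.I)

class LinkCollector(HTMLParser):
    """Collect [href, visible text] for every <a> element in an HTML email body."""
    def __init__(self):
        super().__init__()
        self.links, self._open = [], False
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.links.append([dict(attrs).get("href") or "", ""])
            self._open = True
    def handle_endtag(self, tag):
        self._open = self._open and tag != "a"
    def handle_data(self, data):
        if self._open:
            self.links[-1][1] += data

def domain(url):
    """Last two host labels (simplification: no public-suffix list); '' if not URL-like."""
    m = HOST.match(url)
    return ".".join(m.group(1).lower().split(".")[-2:]) if m else ""

def edit_distance(a, b):  # Levenshtein distance, computed one row at a time
    row = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        prev, row[0] = row[0], i
        for j, cb in enumerate(b, 1):
            prev, row[j] = row[j], min(row[j] + 1, row[j - 1] + 1, prev + (ca != cb))
    return row[-1]

def inspect_links(html):
    """Map each suspicious href in an HTML email body to the reasons it was flagged."""
    parser, found = LinkCollector(), {}
    parser.feed(html)
    for href, text in parser.links:
        dest = domain(href)
        if domain(text) and domain(text) != dest:
            found.setdefault(href, []).append("shown address differs from destination")
        if dest not in TRUSTED and any(edit_distance(dest, t) <= 1 for t in TRUSTED):
            found.setdefault(href, []).append("lookalike of a trusted domain")
    return found

# Constructed sample: example.net stands in for the real destination, which the page withholds.
SAMPLE = """<a href="https://signon.example.net/wf">https://online.wellsfargo.com/auth/signon</a>
<a href="https://online.welIsfargo.com/auth/signon">Sign on</a>
<a href="https://online.wellsfargo.com/auth/signon">https://online.wellsfargo.com/auth/signon</a>"""
```

Calling `inspect_links(SAMPLE)` flags the first two links and leaves the genuine one alone. Host names are case-insensitive, so the capital-i trick shows up as a one-letter difference once the domain is lower-cased.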

Knowledge and a deep distrust of the online world are your best defense.  Be careful out there.