by Dave Moore, CISSP
08/21/2022
Continuing the theme from last week, let’s look more at spotting fake email, and then, fake websites.
The most dangerous emails you will get will be from your friends; this is because many computer viruses send a copy of themselves to everyone in the victims address book. You’ll get an email from someone you know and the temptation is to open the mysterious attachment it carries. Don’t. A healthy dose of suspicion will serve you well.
What if the email looks like it’s from your friend, but it’s really not? It’s easy for Internet bad guys to spoof the name of someone you might know, but hide the real senders email address behind it. This is one reason why checking email on your phone is such a sketchy proposition, because the phone gives very limited information; iPhones are especially bad in this regard.
What you are looking for is the actual email address a message came from, not just the User Name displayed on the screen. Real email programs like Outlook make this easy. Somehow, the wise beings who designed Apple and Android phones decided to make it difficult for us to know these things. That’s one reason I won’t do email on my phone: I don’t trust it.
For those who insist on using a phone to check email, this may help. On an iPhone, tap “From” at the top of the message. It should turn blue. Tap it again, and it should show you the actual email address the message came from, or, if they’re in your list of Contacts, it should show their contact information. Similar tricks should work on Android phones, too.
If the email address that comes up it not the correct one for that person’s name, you know you’ve just spotted a fake.
Spotting fake websites is a similar exercise; you’re looking for things that don’t look right, or seem “off.”
Start by looking at the actual website address; Look at the address bar in your browser to do this. The address bar is the long, rectangular box at the top of the browser that contains website address, like “https://www.davemoorecomputers.com” Some setups leave off the “https://www” part, but it’s the core part of the address we want to see.
Know the addresses of websites you visit regularly, especially financial websites. Look for anything that doesn’t seem correct. For example, the address of Wells Fargo Bank is wellsfargo.com. If it says anything other than that, like wells-fargo.com, or wellsfargobank.com, or wellsfargo.cn, you know it’s fake.
Look at Country Codes, too. Sometimes, website addresses include Country codes at the end, instead of .com or .net. In the example shown above, you’ll see wellsfargo.cn, with the “.cn” part being the country code for China. I assure you, Wells Fargo does not have it website hosted in China. A simple web search can reveal what other country codes mean, such as .ao is Angola, .es is Spain, .jp is Japan, and so forth.
Bad grammar and bad spelling on websites are big clues they could be fake, particularly on websites of large companies. An occasional typo here and there is not uncommon for many sites, but you won’t find much of that at all on Microsoft’s website.
Website that make “too good to be true” claims are also probably fake. You have not won the European Lottery, or a free iPad, and you don’t want to download any unknown program guaranteed to keep your computer “clean forever.”
A good antivirus program is supposed to catch bad downloads from fake websites, but every now and then, something may slip through. Use your brain, instead of depending on an antivirus program to magically protect you, and you’ll be safer.
Next week: safe computer cleanup.
Dave Moore, CISSP, has been fixing computers in Oklahoma since 1984. Founder of the non-profit Internet Safety Group Ltd, he also teaches Internet safety community training workshops. He can be reached at 405-919-9901 or internetsafetygroup.org