A client forwarded to me a suspected phishing email she’d gotten that looked like this:
This one has many of the earmarks of a phishing email. The From field reads “WordPress”, but is a link to some other email address which I won’t publicize here. The subject line reads “Error with your installation” which is vague and yet contains the emotional trigger word “Error”. The body of the email tries to look legitimate by including the WordPress logo and has a link which reads “Please install this security patch”, another emotional trigger and a techie-sounding reference to a “patch”.
Hopefully, it’s pretty obvious that this is bogus. Just like your bank, WordPress is never going to email you and provide a link to a software patch. This one doesn’t ask for a password or provide a bogus login form or anything like that, but there’s enough about it that could qualify it as phishing.
No, I didn’t click the link to see where it goes. I did, however, hover over it to see what showed up in my browser’s status bar. Any time I get an email with a link in it that’s the least bit suspicious, that’s the first thing I do. Very often, the status bar will show that the link goes to somewhere other than the link text indicates.
In this particular case, the link is a tracking link produced by the sender’s autoresponder service (which I also will not provide with any free publicity). I’m sure you’ve all seen links from AWeber and other autoresponders that look something like this:
The purpose of these links is to provide the sender with statistics as to how many people opened their emails and clicked on links in them. All autoresponders produce such links and they are very useful for the sending parties. They can, however, be faked pretty easily because aside from the domain name, the balance of the URL is usually encoded with a tracking code that means something only to the autoresponder’s computers. It wouldn’t be a great trick to disguise a malware link with something that looked fairly legitimate.
In the case of the above email, the links at the bottom look legitimate as they are fairly standard autoresponder links to manage your subscription, unsubscribe, report abuse, etc. Hovering over these links shows the same autoresponder’s domain with appropriate pages and tracking codes.
Abuse and Autoresponder Terms of Service
Since the autoresponder in question is real, I clicked the Report Abuse link to see where it would take me. It brought up a form which contained the tracking code from the URL which would identify the email and presumably the sender, as well. The form also provided a box for comments, name and email address. The latter two are optional, which I found only slightly reassuring. There was no logo or anything else that identified the autoresponder service, which I found a bit off-putting. I didn’t complete the form, but did suggest to my client that she do so.
After analysis, this looks to be the work of an idiot marketer who doesn’t have a clue how to go about their business. The autoresponder service in question is popular with beginning Internet marketers because it’s less expensive than many others and allows marketing of affiliate products and other such staples of Internet marketing. As a result, I don’t think there is any malicious intent with this email, just misguided action by a clueless individual. Nonetheless, deceptive practices such as this are abusive and contrary to the terms of service of any reputable autoresponder service.
This email, albeit fairly harmless, provides a good example of what to look for in phishing emails and how to protect yourself from them. Since most email is HTML these days, the link text won’t necessarily tell you where the link will actually take you. Hovering over the link will display the real link in your browser’s status bar, usually in the lower left corner of the window. You can often get an idea just from the link URL what its purpose is.
How To Verify Shortened URLs
So, what if it’s a shortened link from bit.ly or tinyurl.com or a similar link-shortening service? Firefox has an add-on that will decipher the shortened link for you and display a popup window showing the landing page. There is also a website into which you can paste a shortened URL and see what the real URL is: http://longurl.org
Most link shortening services have a way to preview the expanded URL without actually visiting the site. For example, a bit.ly URL can be expanded simply by adding a plus sign (+) to the end of it:
To preview a tinyurl.com URL, add the word “preview” ahead of the domain name as follows:
Other services have similar methods of checking the links before actually visiting them. Google “preview shortened links” for a list of ways to do it.
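As an added example (not code from the original post or its author), the following Python script performs the hover check offline over a constructed sample email body: it lists each link's real host, flags visible link text that names a different host than the href, and builds the no-visit preview URL for bit.ly (trailing plus sign) and tinyurl.com ("preview." prefix) links. The host mailer.example and the short codes in the sample are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

SAMPLE_EMAIL = """<a href="http://mailer.example/track?c=abc123">Please install this security patch</a>
<a href="http://bit.ly/3xample">https://wordpress.org/download</a>
<a href="http://tinyurl.com/example1">tinyurl.com/example1</a>"""  # constructed sample, not the post's message

class LinkCollector(HTMLParser):
    """Gather (visible text, href) pairs from every <a> in the HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def host_of(url):
    """Hostname of a URL; bare 'host/path' link text gets a scheme first."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()

def preview_url(url):
    """No-visit preview for a scheme-qualified short URL: bit.ly takes a trailing '+',
    tinyurl.com a 'preview.' host prefix. Other hosts return None."""
    host = host_of(url)
    if host == "bit.ly":
        return url + "+"
    if host == "tinyurl.com":
        return url.replace("://", "://preview.", 1)
    return None

def inspect_links(html):
    """Offline hover check: real host per link, text/href host mismatch, preview URL if shortened."""
    collector = LinkCollector()
    collector.feed(html)
    report = []
    for text, href in collector.links:
        url_like = "." in text and not any(ch.isspace() for ch in text)
        report.append({"text": text, "href": href, "host": host_of(href),
                       "mismatch": url_like and host_of(text) != host_of(href),
                       "preview": preview_url(href)})
    return report
```

Running `inspect_links(SAMPLE_EMAIL)` flags the second link, whose text claims wordpress.org while the href goes to bit.ly, and hands back the two preview URLs to paste into a browser instead of the short links themselves.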
Think, Then Click
In short (pun intended), be careful out there! There are any number of bad guys and unethical marketers out there hiding behind HTML and shortened links. Take a few simple precautions before clicking a link in an email and stay safe.