If you receive an email from a web site or company urging you to provide confidential information, such as a password or Social Security number, you might be the target of a phishing scam. The tips below can help you avoid being taken in by phishers.
Important: To be completely safe from phishers, do not click links in emails. If in doubt, close your browser, reopen it, and type the web address for the site you want to visit directly into the Address bar.
You should consider several factors when deciding whether or not an email is authentic. This example email has some telltale signs of a phisher at work:
1. Unofficial "From" address: Look out for a sender's email address that is similar to, but not the same as, a company's official email address. Fraudsters often sign up for free email accounts with company names in them (such as "email@example.com"). These email addresses are meant to fool you. Official email from Yahoo! always comes from an "@yahoo-inc.com" email address.
Note: Fraudsters can forge the "From" address to look like a legitimate corporate address (like "@yahoo-inc.com"). Because of this, the "From" address is just one factor to consider when deciding if an email is trustworthy.
2. Urgent action required: Fraudsters often include urgent "calls to action" to try to get you to react immediately. Be wary of emails containing phrases like "your account will be closed," "your account has been compromised," or "urgent action required." The fraudster is taking advantage of your concern to trick you into providing confidential information.
Note: Legitimate companies will never ask you to verify or provide confidential or financial information in an unsolicited email.
3. Generic greeting: Fraudsters often send thousands of phishing emails at one time. They may have your email address, but they seldom have your name. Be skeptical of an email sent with a generic greeting such as "Dear Customer" or "Dear Member."
Note: Sophisticated fraudsters can get your name from public records and target you directly, so even if an email includes your name, it may not be authentic. Whether an email addresses you generically or by name is just one factor to consider when deciding if an email is trustworthy.
4. Link to a fake web site: To trick you into disclosing your user name and password, fraudsters often include a link to a fake web site that looks like (sometimes exactly like) the sign-in page of a legitimate web site. Just because a site includes a company's logo or looks like the real page doesn't mean it is! Logos and the appearance of legitimate web sites are easy to copy. In the email, look out for:
- Links containing an official company name, but in the wrong location. For example: "http://www.yahoo.com:login&mode=secure&ib35" is a fake address that doesn't go to a real Yahoo! web site. A real Yahoo! web address has a forward slash ("/") after "yahoo.com" — for example, "http://www.yahoo.com/" or "https://login.yahoo.com/".
- Masked links that look like they go to the real web site, but don't. In the sample email, the link says "smallbusiness.yahoo.com," but if you place your mouse pointer over the link, you can see the real address (in the yellow box) — "http://184.108.40.206/yahoo/accountupdate." You usually can see a link's real destination by placing your mouse pointer over it.
Note: All Yahoo! sign-in pages are served over SSL (Secure Sockets Layer), a standard used to encrypt data transmissions. A genuine Yahoo! sign-in page always starts with "https," such as "https://login.yahoo.com." However, the presence of "https" should be only one factor to consider in deciding if a web site is trustworthy, because some phishing sites illegitimately use SSL.
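As an added example (not part of the original help page), the following Python function applies the link checks described above to the links in an email: it flags an official company name in the wrong location, a bare IP address in place of a domain, a link not served over https, and a masked link whose visible text names a different host than its real destination. The official domain list and the sample links are assumptions taken from this page's own examples.

```python
import re
from typing import List, Optional

# Domain the page treats as official for web links; subdomains such as
# login.yahoo.com count as official too (assumption, matching the page's examples).
OFFICIAL_DOMAINS = ("yahoo.com",)

_URL_RE = re.compile(r"^(?P<scheme>https?)://(?P<authority>[^/?#]*)", re.IGNORECASE)
# A genuine authority is host[:numeric port]; anything else after ':' is not a port.
_HOSTPORT_RE = re.compile(r"^(?P<host>[a-z0-9.-]+)(?::\d{1,5})?$")
_IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def is_official_host(host: str) -> bool:
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS)


def shown_host(text: str) -> str:
    """Host a reader would infer from link text such as 'smallbusiness.yahoo.com'."""
    text = re.sub(r"^https?://", "", text.strip().lower())
    return text.split("/", 1)[0].rstrip(".")


def audit_link(href: str, anchor_text: Optional[str] = None) -> List[str]:
    """Return the red flags found for one link; an empty list means none of the
    page's indicators fired, which is not proof that the link is genuine."""
    flags: List[str] = []
    m = _URL_RE.match(href.strip())
    if not m:
        return ["not an http(s) URL"]
    hp = _HOSTPORT_RE.match(m.group("authority").lower())
    if hp is None:
        # e.g. "http://www.yahoo.com:login&mode=secure&ib35": the company name is
        # present, but it is followed by neither "/" nor a port, so it names no real host.
        flags.append("official name in wrong location: authority is not host[:port]")
        host = ""
    else:
        host = hp.group("host").rstrip(".")
    if _IPV4_RE.match(host):
        flags.append("bare IP address instead of a company domain")
    elif host and not is_official_host(host):
        flags.append("host %r is not an official domain" % host)
    if m.group("scheme").lower() != "https":
        flags.append("not served over https")  # https alone proves nothing either
    shown = shown_host(anchor_text) if anchor_text else ""
    if shown and "." in shown and shown != host:  # only compare text that names a host
        flags.append("masked link: text shows %r but it goes to %r" % (shown, host))
    return flags
```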
Learn about the other ways to recognize a phishing web site.
And look for these other indicators that an email might not be trustworthy:
- Spelling errors, poor grammar, or inferior graphics.
- Requests for personal information such as your password, Social Security number, or bank account or credit card number. Legitimate companies will never ask you to verify or provide confidential information in an unsolicited email.
- Attachments (which might contain viruses or keystroke loggers, which record what you type).
It can be very difficult to discern a phishing email from the real thing. Remember that if you have any doubt about the authenticity of a web site, close your web browser, reopen it, and type the web site address in your browser's Address bar.