by Bob Hasenhundl

“Phishing” is the industry term for a method used by scammers to try to get your credit card information, and they usually arrive by email. Phishing emails typically employ scare tactics, with a message along the lines of: “RE: Autopay Failure! – Automatic Renewal Subscription Failure. Document Number: 93582059m.”
You may have seen emails similar to this in your inbox. (If you haven’t, you’re lucky!) That was the subject of a recent phishing attempt I received from “Netflix.”
Here are a few things you can look for to help determine if these emails are legitimate:
1. Is your email address the only address in the “To:” line of the email?
Phishing emails are often sent to many email addresses at once; sometimes those email addresses appear in the “To:” or “Cc” line, but usually, they are “Bcc’d” (Blind Carbon Copied), so you won’t see them (or yours), and instead, the “To:” address will be some made-up email account (e.g. protect.server@mailnetflix.net)
2. Does the email subject begin with “Re:”?
The “Re:” prefix the industry standard for a reply, as in “this email is a reply to one that you sent”. If the subject doesn’t look familiar to you, there’s a good chance it’s a phishing attempt.
3. Does your name appear in the body of the email?
Phishing emails may not be addressed to anybody at all, or they might be addressed to “Dear Customer” – both of these are a good indicator that it’s a phishing attempt.
Phishing emails may sometimes be addressed to your email address (and if your email address includes your first and/or last name, it can be a little misleading), but take a close look to make sure it’s your name, and not just your email address.
Any company you do business with should have your first and last name, and they should address you by one or both of them. There are exceptions to this rule, and the email should have already passed tests #1 & 2.
4. Does your payment information appear in the body of the email?
If they have your credit card on file, they may show you the last 4 digits of it. If the email does contain the last 4 digits of your credit card, it is most likely a legitimate email.
I received one recently that showed: VISA **** **** **** ****, and since it had already failed all of the previous tests, I knew it was a phishing attempt, but this was the first time I had seen that. Sneaky!
5. Is the email really from the company it’s claiming to be from?
The sender’s name may appear to be legitimate (e.g. “Netflix” or support@netflix.com), but the sender’s name is easy to spoof with any email address. If you examine the sender’s email address closely, it’s usually something like sbceq-cnemalgqgoauml1557309@tkeieie.com. To examine the sender’s email address, on your mobile device, tap on the sender’s name once or twice; or open the email on your computer to see the address expanded beside the name.
6. Are you being asked to open a document to read the details of the message?
DO NOT open the attachment.
This is almost guaranteed to be a Phishing email, and/or an attempt at installing a virus on your computer (which might be after your credit card/account info as well).
7. Do the links take you to the website they claim you’re going to?
WARNING: Clicking a link in a Phishing email isn’t necessarily bad, but it may lead to more emails, as it might confirm your address with the spammer. If you click a link in a Phishing email and then enter your information, you may be giving away your credit card information to a scammer!
Clicking on the links is the last resort, which I don’t recommend unless you’re comfortable enough with the internet to know the difference between domains and subdomains… with that said, using the Netflix example:
The URL should begin with https://… The “s” is very important; it signifies a Secure connection (credit card transactions should never be made over an unsecured connection).
What follows the https://, and comes before the next “/” is very important – it should only be www.netflix.com, e.g. https://www.netflix.com/. One trick I’ve seen employed is where they create a subdomain that matches the website you’re expecting, but that just prefixes the name of the actual domain, e.g. https://www.netflix.com.someothercompany.com/, so at first glance to the unsuspecting eye, it looks legitimate, but further analysis reveals it’s not.
More often than not, the URL will be of a website they managed to hack and insert some code that looks like the login page of the company they’re trying to spoof.
On most mobile phones, if you long-press a link in an email, the phone will pop up the domain name and URL so you can examine them and check their legitimacy.
If you’re still not sure, visit the website directly (do not use a link in the email) and either log in to your account and check for a notification message there, or contact customer support via telephone.
Bob is an IT professional at University of Colorado with over 30 years of technical experience. He lives in Firestone with his wife, three dogs, and cat.