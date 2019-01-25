



The City of Cedar Springs told the Post this week that they were contacted by somebody outside of the city who said he had received a spam email, supposedly from the city’s code enforcer, asking for a cash payment.

“We have checked with our IT department and those emails are not coming from us at all, which unfortunately means there is nothing that we can do about it,” said City Manager Mike Womack. He added that the City would never ask for a payment of any kind via email.

“The city only accepts utility and tax payments online and then only through BSA/Point and Pay which can be accessed through our official website under ‘pay bills,’” he explained.

He went on to say that the Code Enforcer would never ask for any kind of payment. City staff also tries to send out professional emails with a personalized salutation and a signature block with the correct contact information.

Womack noted that the phishing emails that claim to be from the City have many of the typical qualities that spam emails have, and citizens should check the following things for all emails to verify whether they are real or fake.

Check the sender.

Sometimes, cybercriminals will fake (or “spoof”) the sender of an email. If the “from” address doesn’t match the alleged sender of the email, or if it doesn’t make sense in the context of the email, something may be phishy.

An email claims to come from the University, but it’s from “udel@yahoo.com” instead of an “@udel.edu” address.

An email claims to come from your friend John Doe, but the sender is “james@faceb00k.biz.”

Check for (in)sanity.

Many typical phishing emails are mass-produced by hackers using templates or generic messages. While sophisticated attacks may use more convincing fake emails, scammers looking to hit as many different inboxes as possible may send out large numbers of mismatched and badly written emails. If the email’s content is nonsensical or doesn’t match the subject, something may be phishy.

An email has the subject “Important documents,” but the message itself is about your email account running out of storage.

An email has a generic subject like “warning” or “FYI” and the message is a request for you to enter personal information or click on a suspicious link.

Check the salutation.

Many business and commercial emails from legitimate organizations will be addressed to you by name. If an email claims to come from an organization you know but has a generic salutation, something may be phishy.

An email claiming to come from the University is addressed “Dear webmail user” instead of “Dear Jane Doe.”

An email claiming to come from one of your favorite stores is addressed “Dear customer,” but the store’s emails are normally addressed “Dear John Doe.”

Check the links.

A large number of phishing emails try to get victims to click on links to malicious websites in order to steal data or download malware. Always verify that link addresses are spelled correctly, and hover your mouse over a link to check its true destination. Beware of shortened links like http://bit.ly, http://goo.gl, and http://tinyurl.com. If an email links to a suspicious website, something may be phishy.

An email tells you to click on a link to “udel.com/passwordreset” to reset your password, but you were expecting a link to a “udel.edu” address.

When hovering over a link to “barnesandnoble.com,” you notice that the link actually goes to “barnsandmoble.com.”
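The link check described above can also be automated for an HTML email body. The following is an added example, not part of the original article: the function names, the trusted-domain list, the shortener list, the 0.8 similarity cutoff and the sample message are all assumptions made for illustration.

```python
from difflib import SequenceMatcher
from html.parser import HTMLParser
from urllib.parse import urlparse

SHORTENERS = {"bit.ly", "goo.gl", "tinyurl.com"}  # common shortener hosts
TRUSTED = {"udel.edu", "barnesandnoble.com"}      # assumed allow-list
SAMPLE = (  # constructed email body built from the article's examples
    '<a href="http://barnsandmoble.com/deals">barnesandnoble.com</a>'
    '<a href="http://udel.com/passwordreset">Reset your password</a>'
    '<a href="http://bit.ly/abc123">View receipt</a>')

def host_of(value):  # hostname of a URL or bare "domain/path", minus "www."
    url = value.strip() if "://" in value else "http://" + value.strip()
    host = (urlparse(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host

def resembles(a, b):  # compare names with the TLD dropped; 0.8 is an assumed cutoff
    a, b = a.rsplit(".", 1)[0], b.rsplit(".", 1)[0]
    return SequenceMatcher(None, a, b).ratio() >= 0.8

class LinkCollector(HTMLParser):  # collects (href, visible text) for each <a>
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def check_links(html, trusted=TRUSTED):
    """Return (destination host, reason) for each link that deserves suspicion."""
    parser, findings = LinkCollector(), []
    parser.feed(html)
    for href, text in parser.links:
        target = host_of(href)
        shown = host_of(text) if "." in text and " " not in text else ""
        if target in SHORTENERS:
            findings.append((target, "shortened link hides the destination"))
        elif shown and shown != target:
            findings.append((target, f"text shows {shown}"))
        elif target not in trusted and any(resembles(target, t) for t in trusted):
            findings.append((target, "resembles a trusted domain"))
    return findings
```

Calling `check_links(SAMPLE)` flags all three constructed links: the mismatched link text, the look-alike of a trusted domain, and the shortened link.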

Don’t let them scare you.

Cybercriminals may use threats or a false sense of urgency to trick you into acting without thinking. If an email threatens you with consequences for not doing something immediately, something may be phishy.

An email warns, “confirm your account password or your account will be shut down.”

An email promises a reward to the first 100 takers and urges you to “click now to claim your prize.”

An email tells you to pay the attached “invoice” or “face legal action.”

Don’t give up personal data.

Some phishing emails will ask for your sensitive personal data, such as your account password or your Social Security number. Legitimate organizations will not ask you to provide this information over email. If an email demands sensitive information, something may be phishy.

An email asks you to verify your account by typing in your username and password.

An email asks you to provide W-2s, tax information, or other personal documents.

Don’t open suspicious attachments.

Some phishing emails try to get you to open an attached file. These attachments often contain malware that will infect your device; if you open them, you could be giving hackers access to your data or control of your device. If you get an unexpected or suspicious attachment in an email, something may be phishy.

An email instructs you to open the attached “court summons,” but you aren’t expecting a summons and you know that such a document would be delivered on paper.

An email tries to deliver an attached “invoice” for your “recent purchase.”

Check for poor spelling and grammar.

Typically, official emails from organizations you trust will not be rife with spelling and grammar errors. If an email claims to come from a legitimate organization but contains numerous errors, something may be phishy.

An email reads, “Click to verify now you’re account.”

An email claims to come from the “Univercity of Deloware” and asks you to “open imporant document imediately.”

Don’t believe names and logos alone.

With the rise in spear phishing, cybercriminals may include real names, logos, and other information in their emails to more convincingly impersonate an individual or group that you trust. Just because an email contains a name or logo you recognize doesn’t mean that it’s trustworthy. If an email misuses logos or names, or contains made-up names, something may be phishy.

An email includes the UD logo, but it makes a suspicious request for your account information.

An email claims to come from your bank, but uses an old logo.

An email claims to come from the dean of your college, but the sender is a “hotmail.com” address.

If you still aren’t sure, verify!

If you think a message could be legitimate, but you aren’t sure, try verifying it. Contact the alleged sender separately (e.g., by phone) to ask about the message. If you received an email instructing you to check your account settings or perform some similar action, go to your account page separately to check for notices or settings (e.g., log in to Facebook and navigate to your settings instead of opening a suspicious-looking link that claims to go to your account page).

You get a request from a coworker for files that person doesn’t normally use, so you walk to her office to check whether she really sent the request.

An unexpected email claiming to come from a social media site tells you that you need to change the password to your account. Instead of following the password reset link in the email, you open the site in a new browser tab and manually log in to check your settings.

Forward phishing emails to spam@uce.gov (at the Federal Trade Commission) and to reportphishing@apwg.org (the Anti-Phishing Working Group). The APWG includes ISPs, security vendors, financial institutions and law enforcement agencies that use these reports to fight phishing.

You should also forward the email to the organization impersonated in the email. You can look on the real organization’s website to find the email address to which to forward the phishing emails. For instance, just this week, the Post got phishing emails from Amazon confirming a supposed order, but not saying what it was, just asking us to click on the receipt. We forwarded the email to stop-spoofing@amazon.com. We also received similar ones recently from PayPal. We forwarded those emails to spoof@paypal.com.

