Email Safety – avoid Phishing Attacks
** MALWARE ALERT ** August 11, 2021
In recent weeks, The Well has been the target of many phishing attempts. Phishing is a variety of malware that presents a threatening message and asks you to click on a link. The message might say that your email security is at risk, you’ve neared or exceeded your quota, your password is expiring, etc. The link would take you to a page asking you to enter your login credentials, or, like other phishing attempts, it could install malware on your computer.
Many of the links in recent attempts are crafted to look exactly like the Zimbra login page, and in fact will redirect you to Zimbra after they harvest your credentials.
Once the attackers have your credentials, they will use your account to send out large amounts of spam, literally tens of thousands of messages in few minutes.
Please read the rest of this page for more details on phishing and how to identify it. If you do click on a link OR enter your credentials on a forged page, please report it immediately to firstname.lastname@example.org, so we can head off any attempts to use your compromised account.
Unfortunately fake email has become the main vector for spam and malware distribution. The most common method is known as “phishing” (or “spear-phishing”).
Phishing attempts are designed to have you click on a button or link. The click could install malware on your computer, or it could take you to a page that asks you to enter a password or other sensitive information.
This page describes common characteristics of phishing attacks, and how to determine whether the email is legitimate.
Detecting phishing attempts
The typical characteristics of phishing email are:
1. Faked FROM: lines in the email. They will often appear to be from trusted organizations, such as your bank or credit card company, Amazon, friends of yours, or even from a Well address like Helpdesk@well.com itself or an affiliate like “Zimbra.com”.
2. An alarming subject line. It could contain phrases like “WARNING”, “Account over Quota Limit!”, or “Mailbox Failure”. It might even address you by name (“Ernie, your account needs attention”), or mention your Zimbra account (“Your Zimbra is over quota”).
3. In the body of the email, a button or link, asking you to click on it to “Confirm”, “Update” or some such action. Your default action should be to NEVER click on such links or buttons.
Actions you can take
Follow these actions to determine the email’s authenticity. The examples are from actual phishing attempts we’ve received.
You can detect fraud by using your mouse to hover over (not click!) some parts of the email.
FROM: LINE. The FROM: line might obviously not be from the sender, as in this phishing email claiming to be from Amazon Prime:
While it says it’s from “Amazon Prime”, if you look carefully you’ll see that the address is actually from an ijarp.com address:
Sometimes when you hover your mouse over a faked email address the real underlying email will be visible in a pop-up. In this next example, the ‘well.com’ email was spoofed but in fact came from a forged email account, “email@example.com”.
Here’s a more sophisticated example. It claims to come from “info@Zimbra.com”,
the Well’s affiliate email provider, and uses a mash-up of both Zimbra and Helpdesk.
But the actual email address shown inside the angle brackets is
<firstname.lastname@example.org>, a Japanese domain. In other cases, it might read “email@example.com” or “firstname.lastname@example.org”.
LINK OR BUTTON. If you hover your mouse over the link or button, you’ll see the actual URL that it points to. It will never be a Well address (or your bank’s, or your friend’s), if the attack appears to originate from them.
In this example, hovering the mouse over the “Click Here” link shows
that it would take you to
where you would probably be asked to enter information such as user name and password.
Better yet, treat all emailed links as suspicious, and use a browser either to go to the apparent address, or if it seems to be from some organization you have a relationship with, like a bank or vendor, go to their website directly. If you do accidentally click on such a link, DO NOT enter anything on the page that comes up. In some cases, the attackers will have forged an entire login page that looks exactly like the one for your bank or other business associate, or even the Well’s.
There can be other clues that the email is a forgery:
- Non-American date formats claiming to be from a US company. North America uses MM/DD/YYYY, but elsewhere it’s commonly “DD/MM/YYYY”. In British Commonwealth countries, they often say “1 November” instead of “November 1”.
- Bad grammar, misspelled words. The syntax and word choice might be awkward, as if it were from a Google translation
- Nonstandard phrasing. Sometimes, phrasing can seem to violate English written style. For example, it might start off with something like “Hello WELL USER!”, which a native speaker would probably not use.
There are only a few cases where the Well will send email containing links.
- If we determine that your account has been compromised, we’ll send an email to your off-Well address asking you to change your password. There will be a link to the Billing Information Center at https://bic.well.com.
- If you forget your password, we’ll send an email that will contain a link to a page where you can reset it. The email will come from “email@example.com”, and the link will be to “https://people.well.com/cgi-bin/newpass/newpass.pl“, with some trailing characters.
For additional summaries, visit these sites from the FTC or Tarleton University:
If you have concerns or questions, please email firstname.lastname@example.org to ask for advice.
Thanks for keeping the Well community safe!