Email Safety – avoid Phishing Attacks

Unfortunately fake email has become the main vector for spam and malware distribution. The most common method is known as “phishing” (or “spear-phishing”).
Phishing attempts are designed to have you click on a button or link. The click could install malware on your computer, or it could take you to a page that asks you to enter a password or other sensitive information.

This page describes common characteristics of phishing attacks, and how to determine whether the email is legitimate.

Detecting phishing attempts

The typical characteristics of phishing email are:

1. Faked FROM: lines in the email. They will often appear to be from trusted organizations, such as your bank or credit card company, Amazon, friends of yours, or even from a Well address like Helpdesk@well.com itself or an affiliate like “Zimbra.com”.

2. An alarming subject line. It could contain phrases like “WARNING”, “Account over Quota Limit!”, or “Mailbox Failure”. It might even address  you by name (“Ernie, your account needs attention”), or mention your Zimbra account (“Your Zimbra is over quota”).

3. In the body of the email, a button or link, asking you to click on it to “Confirm”, “Update” or some such action. Your default action should be to NEVER click on such links or buttons.

Actions you can take

Follow these actions to determine the email’s authenticity. The examples are from actual phishing attempts we’ve received.

You can detect fraud by using your mouse to hover over (not click!) some parts of the email.

FROM: LINE. The FROM: line might obviously not be from the sender, as in this phishing email claiming to be from Amazon Prime:

While it says it’s from “Amazon Prime”, if you look carefully you’ll see that the address is actually from an ijarp.com address:

 

Sometimes when you hover your mouse over a faked email address the real underlying email will be visible in a pop-up. In this next example, the ‘well.com’ email was spoofed but in fact came from a forged email account, “noreply@account.com”.

Here’s a more sophisticated example. It claims to come from “info@Zimbra.com”,
the Well’s affiliate email provider, and uses a mash-up of both Zimbra and Helpdesk.

But the actual email address shown inside the angle brackets is 
<r-taka@ur.med.kyushu-u.ac.jp>, a Japanese domain. In other cases, it might read “helpdesk@well.com” or “support@well.com”.

LINK OR BUTTON. If you hover your mouse over the link or button, you’ll see the actual URL that it points to. It will never be a Well address  (or your bank’s, or your friend’s), if the attack appears to originate from them.

In this example, hovering the mouse over the “Click Herelink shows
that it would take you to

“https://zwww.wufoo.com/forms/zyok4bh0xp6o6y/”

where you would probably be asked to enter information such as user name and password.

 

If you do accidentally click on such a link, DO NOT enter anything on the page that comes up. In some cases, the attackers will have forged an  entire login page that looks exactly like the one for your bank or other  business associate, or even the Well’s.

More Information

There can be other clues that the email is a forgery:

  • Non-American date formats claiming to be from a US company. North America uses MM/DD/YYYY, but elsewhere it’s commonly “DD/MM/YYYY”. In British Commonwealth countries, they often say “1 November” instead of “November 1”.
  • Bad grammar, misspelled words. The syntax and word choice might be awkward, as if it were from a Google translation
  • Nonstandard phrasing. Sometimes, phrasing can seem to violate English  written style. For example, it might start off with something like “Hello WELL USER!”, which a native speaker would probably not use.

There are only a few cases where the Well will send email containing links.

  • If we determine that your account has been compromised, we’ll send an email to your off-Well address asking you to change your password. There will be a link to the Billing Information Center at https://bic.well.com. 
  • If you forget your password, we’ll send an email that will contain a link to a page where you can reset it. The email will come from “helpdesk@well.com”, and the link will be to “https://people.well.com/cgi-bin/newpass.html“, with some trailing characters.

 For additional summaries, visit these sites from the FTC or Tarleton University:

https://www.consumer.ftc.gov/articles/how-recognize-and-avoid-phishing-scams

https://www.tarleton.edu/technology/tech-spot/phishing.html

If you have concerns or questions, please email helpdesk@well.com to ask for advice.

Thanks for keeping the Well community safe!