About phishing e-mail

What is phishing e-mail?

Phishing e-mail means e-mail intended to steal people’s important personal information such as credit card numbers or account information (user ID, password etc.) by sending it to people from a false sender and tricking them into opening a fake web site from the fake e-mail.
Recently, there has been a rise in the number of cases of people lured to phishing sites by e-mail sent not only to PCs, but to smart phones.

What is the phishing e-mail MO?

Luring a person to a phishing site with e-mail

The classic MO is to use e-mail that claims to be a notice from a credit card company or bank to skilfully trick a user into clicking a link that takes the user to a prepared fake site identical to a genuine site.
The site urges the users to enter their credit card number or bank account number to steal the entered information.
The phishers’ MO has become steadily more ingenious, as they not only fake the name of the sender of the e-mail and enter a text that imitates plausible text and conveys a sense of urgency, but also design the fake web site the user connects to so that it is almost indistinguishable from the real web site, and in an increasing number of cases, it is impossible to detect phishing e-mail at a glance.
∗ Another technique is to set the URL of the fake site with the alphabetic letter “o” input as the numeral “0”, or the upper case letter “I” entered as the lower case letter “l”, resulting in the viewer misreading or trusting the URL.

How can you avoid being tricked by phishing e-mail?

Pay attention to the URL being accessed

When a user accesses a Web page by entering his ID and password for his financial institution, the user should be careful to either directly enter the URL sent in a notification from the financial institution into his Web browser or register the correct URL of the financial institution as a bookmark on the Web browser he usually uses and always access the Web site from this bookmark.
And the user should always be aware of the domain name, URL etc. of the actual Web site to make sure that he always accesses the correct Web site.

Checking the server certificate of the accessed Web site

Usually, encryption technology called SSL is used for the entry screen used to log in to Internet banking or to enter credit card numbers and other important information.
∗ To access a Web page where important information is entered, always make sure that it uses SSL.
Communicating with SSL can be confirmed by whether the URL display part (address bar) of the Web browser or the operating organization name is displayed in green or a key icon is displayed.
※In a case where SSL is not used on a page that requests that a user enter important information, it may be phishing e-mail.

Wariness when asked to follow an unusual procedure.

In a case where e-mail that has been sent under the name of a financial institution etc., asks you to perform an unusual procedure, you must check with the financial institution without falling for this instruction.

If it is difficult to tell whether or not e-mail is phishing e-mail, try communicating with the company that is shown as the sender of the e-mail.
∗ However, the information about the opposite party entered in the e-mail is not necessarily correct, so before you telephone, be sure that the number you call is a telephone number on the financial institution’s legitimate web site or on paper mail it has sent to you.