Last update: Fri, 03 May 2024, 10am

Learn how to keep from getting scammed by your “bank”

 

The other day I received an urgent email from my Mexican bank warning me that my account had been frozen in order to prevent any fraudulent activity taking place.  The email looked entirely genuine and would have fooled even me except that I am always suspicious of any email I receive.

When I scrutinized the email more closely I noted that there was a link that said “Click here to log into your account.”  I never click on links in emails, and the advice I give to everyone is to never, never, ever click on links in emails.  There is rarely any way to tell a valid link from a malicious link, and so there is no way to ever make it safe to click on links.  When I hovered my mouse over the link in my email, I could see in the lower left of my screen that the link connected to:

http://bancomer.com.mexio.cc/

I fired up my test computer, the one that has none of my personal information on it.  When I opened that web page above, what I saw was the Bancomer web page I expected to see, except that my network packet-sniffing software started vociferously warning me that Bancomer was silently installing a keystroke logger and other malware on my computer.  Now my friends at Bancomer would never do such a thing, so what was going on?  Look closely at the URL above for the answer.  When I clicked on that link I did not connect to “bancomer.com” in Mexico but to “mexio.cc”, which was a fake site in the Cocos (Keeling) Islands, a fake copy of the Bancomer web site.  Anyone who enters their username and password into that fake site would probably have their real bank account emptied by the crooks in minutes.  Do not bother trying that address; I reported it and the site is already taken down.  Besides, most of these scams keep the fake site up for only 48-72 hours before vanishing.

Let us take a look at another URL.  This one appears to be a login for Yahoo, but a closer examination shows it is not that at all:

https://api.login.yahoo.com.WSLogin.V1.unlink.scam.ru/offers-intl=us

The Top Level Domain (TLD), such as .com or .net, or a country code such as .de (Germany) or .mx (Mexico), almost always follows the last period and is itself followed by a slash.  The domain in the example above is “scam.ru”, meaning that if you clicked on that link you would be taken not to yahoo.com but to a malicious site in Russia.

Now let us dissect a more complicated URL.  If you buy at Costco you might be tempted to click on the link in the email you received, the one that says you have a refund coming to you and all you have to do is claim it.  Here is the link:

https://refunds.costco.com.customer.service.include.phpc.oZzopP.24O1OaeNVwy2DvlOnS49.md/eyumKsRFPrz74qbOIbRor4=

Looking at that URL above you might be tempted to think it is “refunds” at “costco.com” or something to do with “customer.service.”  In reality this address connects you to “24O1OaeNVwy2DvlOnS49.md” which is a web site in Moldova (.md).  I am not aware Costco has a refund department there, but Moldova is seen by many as a hotbed of online fraud.
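
The same dissection can be done mechanically. The Python sketch below is an added example, not part of the original column: it applies the rule described above (the real domain is the last two labels of the host name) to the three links in this article and reports which familiar name each one borrows. The TRUSTED list and the function names are assumptions made for illustration, and the two-label rule does not cover suffixes such as .co.uk, which need the Public Suffix List.

```python
from urllib.parse import urlsplit

# Assumption for this example: domains the reader really does business with.
TRUSTED = ("bancomer.com", "costco.com", "yahoo.com")

# The three links dissected in the article.
ARTICLE_LINKS = [
    "http://bancomer.com.mexio.cc/",
    "https://api.login.yahoo.com.WSLogin.V1.unlink.scam.ru/offers-intl=us",
    "https://refunds.costco.com.customer.service.include.phpc.oZzopP."
    "24O1OaeNVwy2DvlOnS49.md/eyumKsRFPrz74qbOIbRor4=",
]


def host_of(url):
    """Host name only: the part between '//' and the first following slash."""
    return (urlsplit(url).hostname or "").rstrip(".")


def real_domain(url):
    """Last two labels of the host, following the article's rule.

    Simplification: suffixes such as .co.uk have more than one label and
    need the Public Suffix List to be split correctly.
    """
    return ".".join(host_of(url).split(".")[-2:])


def impersonated_brand(url):
    """Return the trusted domain used as a decoy inside the host, or None."""
    if real_domain(url) in TRUSTED:
        return None  # the link really does end at a trusted domain
    padded = "." + host_of(url) + "."
    for brand in TRUSTED:
        # Match whole labels only, so "notcostco.com.x.md" is not a hit.
        if "." + brand + "." in padded:
            return brand
    return None


if __name__ == "__main__":
    for link in ARTICLE_LINKS:
        print(f"{real_domain(link):28} pretends to be {impersonated_brand(link)}")
```

Host names are not case-sensitive, so the Moldovan domain is reported in lower case.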

As explained earlier, when you receive an email with a link, you can usually see where a link will take you if you hover your mouse over the link without clicking.  Look in the lower part of your screen to see if the URL is visible when you do this.

A better, easier and safer solution is to do what I do: Never, ever click on links in emails!

Charles Miller is a freelance computer consultant with more than 20 years IT experience and a Texan with a lifetime love for Mexico.  The opinions expressed are his own.  He may be contacted through his web site at SMAguru.com.
