Posts filed under 'Security'

Remember: Yahoo! will NEVER send out emails asking for your password or account details

February 16th, 2010

This is not the first post we’ve written about online account security and I am sure it won’t be the last one either… Unfortunately, this subject matter keeps coming back to us as one of our top drivers in customer feedback.  :(

I will try to provide more practical info about online scams here. In return, please, please, please be sure to share this post with everyone you consider at risk of falling victim to one of the many scams around. And there are so many people at risk…  According to the NSW Fair Trading website “every year 1 in 20 Aussies fall victim to scams.”

“Scams target everyone regardless of background, age and income and they come in many forms and reach you in many ways – by mail, online through e-mail, telephone and door-to-door. Scams are often designed to trick you into giving away your money or your personal details. Scams succeed because they look like the real thing. Scammers are manipulative – they push the right buttons to produce the response they want.

The Australian Competition and Consumer Commission run the SCAMwatch website, which provides information to consumers and small businesses about how to recognise, avoid and report scams.  One common type of online scam is called ‘requests for your account information’ or ‘phishing scams’.

“Phishing refers to emails that trick people into giving out their personal and banking information; they can also be sent by SMS. These messages seem to come from legitimate businesses, normally banks or other financial institutions or telecommunications providers. The scammers are generally trying to get information like your bank account numbers, passwords and credit card numbers, which they will then use to steal your money. Phishing emails often look genuine and use what look to be genuine internet addresses—in fact, they often copy an institution’s logo and message format, which is very easy to do. It is also common for phishing messages to contain links to websites that are convincing fakes of real companies’ home pages. The website that the scammer’s email links to will have an address (URL) that is similar to but not the same as a real bank’s or financial institution’s site. For example, if the genuine site is at ‘www.realbank.com.au’, the scammer may use an address like ‘www.realbank.com.au.log107.biz’ or ‘www.phoneybank.com/realbank.com.au/login’.”

The following information was extracted from the SCAMwatch site:

Warning signs

  • You receive an email or SMS claiming to be from a financial institution, telecommunication or email provider. This message may seem to be from your bank, service or email provider or a business you don’t have an account with. The email contains a link that leads you to a website where you are prompted to enter your bank account details or email account details.
  • The email does not address you by your proper name.
  • The email might contain typing errors and grammatical mistakes.
  • The email might claim that your details are needed for a security and maintenance upgrade, to ‘verify’ your account or to protect you from a fraud threat. The email might even state that you are due to receive a refund for a bill or other fee that it claims you have been charged.

Protect yourself from phishing scams

  • NEVER send money or give credit card or online account details to anyone you do not know and trust.
  • Do not give out your personal, credit card or online account details over the phone unless you made the call and know that the phone number came from a trusted source.
  • Do not open suspicious or unsolicited emails (spam)—ignore them. You can report spam to Australian Communications and Media Authority. If you do not wish to report the message, delete it.
  • Do not click on any links in a spam email or open any files attached to them.
  • Never call a telephone number that you see in a spam email or SMS.
  • If you want to access an internet account website, use a bookmarked link or type the address in yourself—NEVER follow a link in an email.
  • Check the website address carefully. Scammers often set up fake websites with very similar addresses.
  • Never enter your personal, credit card or online account information on a website if you are not certain it is genuine.
  • Never send your personal, credit card or online account details through an email.

As well as following these specific tips, find out how to protect yourself from all sorts of other scams. Download our Phishing scams fact sheet for more information.

Do your homework

If you receive an email claiming to be from a bank, other financial institution, telecommunications or email provider that asks you to enter your details—delete it! A legitimate bank or financial institution will NEVER send an email like this.

If the email appears to be from your bank or financial institution and you think it might be genuine, telephone your bank or financial institution to let them know about the email and ask their advice. DO NOT call any telephone number listed in the email; instead, use a phone number that appears on your bank statement or card or in the telephone directory. Many banks and financial institutions now have specialised internet security staff that can help you.

Decide

You should NEVER give your personal or bank account details to people you don’t know and trust. Don’t be fooled by an email that looks legitimate or appears to link to a genuine website. If you think the email may be genuine, ALWAYS contact your bank to confirm an email’s legitimacy before replying. Your best defence is to delete the email straight away.

For me, this paragraph summarises everything:

“My top advice is to be mindful of any Web page that requests your Yahoo! password. The #1 way people get their passwords stolen is by typing them into lookalike “phishing” web sites, pages that pretend to be Yahoo! or another trusted Web site but actually are run by the bad guys. Scrutinise carefully any page that requests your Yahoo! password.” – Mark Risher, Director of Product Management for Mail.

For more tips and information on how to keep yourself and your computer safe online, check this post on our Yahoo!7 Answers Blog.

If you’ve reached this post and you’ve already fallen victim to a phishing scam with your Yahoo!7 Mail account, read this post to find out what to do next.

Finally, please report any suspicious emails to Yahoo!7 Customer Care via this form.

Cheers,
Tasla – Yahoo!7 Mail Team


Stay Safe Online

October 12th, 2009

The following is an important message from Mark Risher, Spam Czar for Yahoo! Mail, worldwide:

Keeping you safe while you’re online is a top priority for us here at Yahoo!. One important part of your online safety is making sure that nobody else can access your Yahoo! Mail account without your permission, and the best way to do that is to make sure you choose a good password and make sure nobody else knows it or can easily guess it.

I know it can feel like a pain typing out a more detailed password, but none of us want to make it any easier for the bad guys.

My top advice is to be mindful of any Web page that requests your Yahoo! password. The #1 way people get their passwords stolen is by typing them into lookalike “phishing” web sites, pages that pretend to be Yahoo! or another trusted Web site but actually are run by the bad guys. Scrutinize carefully any page that requests your Yahoo! password. In addition:

  • Make sure the Web page address doesn’t have any misspellings or extra words (e.g. http://www.yah000.com, http://www.yahoo-members.com, or http://www.yahoo.BadGuyEnterprises.com) in it. When in doubt, go straight to http://www.yahoo.com.au and log in from there.
  • Be vigilant about anything that doesn’t look right on the page, such as typos, outdated content, or broken or missing pictures.
  • Best idea: be sure to set up a customized “Sign-In seal” picture — instructions are located here — and never enter your password unless you see that picture on the page.

Here are a few more tips to help keep you safe online:

  • Don’t use the same password on multiple sites. Your Yahoo! Mail account is important to you, so it deserves its own password. That way, if the unthinkable happens on another site, at least your Yahoo! mailbox remains secure.
  • Never send your password over email. Yahoo! will never request your password from you in an e-mail; if you ever receive such a request, you should treat it as fraud. Do not pass “Go!” Instead immediately click the “Spam” button on that message.
  • Protect yourself with a virus scanner. Another way passwords get stolen is from a virus that records your keystrokes. Don’t give the bad guys that option: There are a number of anti-virus companies that offer free versions or trial offers, including (in no particular order and with no specific endorsement implied) http://security.symantec.com, http://usa.kaspersky.com/downloads/free-virus-scanner.php, http://us.mcafee.com/root/downloads.asp?id=freeTrials, and http://www.avast.com/eng/avast_4_home.html.

Unfortunately there is no silver bullet against these criminals and con-men, but hopefully these tips will help us all keep the bad guys at bay.

Mark Risher – Spam Czar, Yahoo! Mail
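
The lookalike addresses quoted in the two posts above (the SCAMwatch ‘realbank’ examples and Mark’s yah000 / yahoo-members / yahoo.BadGuyEnterprises examples) can be checked mechanically. The following is an added example, not code from Yahoo! or SCAMwatch; the allowlist `TRUSTED`, the swap table `SWAPS` and the function names `skeleton` and `check_url` are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumed allowlist: domains the reader really holds accounts with.
TRUSTED = {"yahoo.com", "yahoo.com.au", "realbank.com.au"}
# Digit-for-letter swaps seen in lookalike names (assumed, not exhaustive).
SWAPS = str.maketrans("01345", "oieas")


def skeleton(label):
    """Undo digit swaps and collapse repeated characters: yah000 -> yaho."""
    return re.sub(r"(.)\1+", r"\1", label.lower().translate(SWAPS))


def check_url(url, trusted=TRUSTED):
    """Return (verdict, reason) for a link before a password is typed."""
    parts = urlsplit(url if "://" in url else "//" + url)
    host = (parts.hostname or "").rstrip(".")
    if not host:
        return ("suspicious", "no hostname")
    # Only the right-hand end of the hostname says who runs the site.
    for dom in trusted:
        if host == dom or host.endswith("." + dom):
            return ("trusted", dom)
    for dom in trusted:
        if "." + dom + "." in "." + host:
            return ("lookalike", "trusted domain is not at the end of the hostname")
        if dom in parts.path.lower():
            return ("lookalike", "trusted domain appears only in the path")
    brands = sorted({dom.split(".")[0] for dom in trusted})
    for label in host.split("."):
        for brand in brands:
            if brand in re.split(r"[-_]", label):
                return ("lookalike", "brand name inside an unrelated hostname")
            if skeleton(label) == skeleton(brand):
                return ("lookalike", "misspelling of " + brand)
    return ("unknown", "not on the allowlist")


if __name__ == "__main__":
    # Constructed input: the example addresses quoted in the posts above.
    for u in ("http://www.yahoo.com.au", "www.realbank.com.au.log107.biz",
              "www.phoneybank.com/realbank.com.au/login", "http://www.yah000.com",
              "http://www.yahoo-members.com",
              "http://www.yahoo.BadGuyEnterprises.com"):
        print(u, "->", check_url(u))
```

An "unknown" verdict only means the address is not on the allowlist; it is not a statement that the site is safe.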


In the News: Email Accounts Posted Online

October 7th, 2009

In light of recent media reports regarding email accounts from various providers and their passwords being posted online, please read the following from Yahoo! Mail’s Program Manager, Andrew:

You may have heard or read about email accounts and their passwords being posted online. While I’ve read different versions of how the person(s) responsible was able to get the email account information, it was not a result of any insecurity at Yahoo! It looks to be a result of phishing attacks. Should you feel that one of your email accounts was affected by the recent publication, whether it is a Yahoo!, Hotmail or Gmail account, I would suggest changing your password as well as other account security information like secret questions and alternate email addresses.

We are aware that a limited number of Yahoo! IDs have been made public; it’s uncertain if any of those email/password combinations have resulted in any accounts being compromised. Online scams and phishing attacks are an ongoing and industry-wide issue and Yahoo! takes great effort to protect our users’ security.

We also have the following online resources that provide information and guidelines on email safety:
Our anti-spam site: http://au.antispam.yahoo.com/
With a phishing prevention sub-section: http://au.antispam.yahoo.com/phishing/
Our help pages: http://help.yahoo.com/l/au/yahoo7/mail/yahoomail/abuse/
And of course, I’ve posted a number of articles about online safety to this blog: Spotting phishing emails, how to spot online scams, avoiding the lottery scams, and account recovery help

Here are a couple FAQs that provide additional information:
Have accounts been compromised because of this?
We are unable to confirm whether accounts have been compromised at this time. However, we strongly suggest that consumers take caution in securing their email and other online accounts by regularly changing their passwords, and updating account security information.

What do I do if I think my account has been compromised?
You should change your password immediately. Also, if you are unable to enter your account, you can take steps to recover it here: https://edit.yahoo.com/forgotroot

We take online security seriously at Yahoo! We strive to make you and your Yahoo! account as safe as possible. Of course if you have any questions or issues with your account, please contact our Customer Care team.

Please rest assured that Yahoo!7 will never email you asking for your password. If you receive such an email that looks like it’s from us, please be sure to pass it on via this form.

The following blog posts, that we have previously written on different security issues, may also be of interest to you:

Email safely,
Kate – Yahoo!7 Mail Team

