OT: Not Expecting a UPS Package? ~MALWARE~

musicvid10 wrote on 4/25/2013, 9:06 AM
UPS Ship Notification, Tracking Number 1Z2W2734379

Just the latest email malware

This real-looking notice in your email is not being caught by Yahoo spam filters.
Clicking on any link downloads a ZIP file to your computer without asking, and launches an application that, fortunately, Windows Firewall caught. I also did a system restore as a precaution.

If in doubt, enter the tracking number through the UPS website, NOT by clicking a link, and notify them directly at fraud@ups.com if you receive one of these.





Comments

_Lenny_ wrote on 4/25/2013, 9:47 AM
I get these daily... ostensibly from all the major international couriers.

But as there is ALWAYS someone home, I know they are spoofs and promptly report them to one of the many "spam houses".

musicvid10 wrote on 4/25/2013, 10:27 AM
Of course Lenny, and 99.99% are delivered to the SPAM FOLDER where they'll never be noticed.
That this one got through the internet's top spam filter makes it worth mentioning, wouldn't you think?

Also, forward the email with full headers directly to the company's fraud department.
Spam reporting sites are worthless, and misreport thousands of false positives.

johnmeyer wrote on 4/25/2013, 10:35 AM
Phishing is the easiest way to infect computers in order to execute cyber terrorism attacks. It has become the cause of most current-day computer security problems. Everyone needs to know how to keep from becoming a victim.

This particular email is relatively easy to spot because the clickable link has text that is pointing to some other site. The more sophisticated phishers create an email that appears to be correct when you simply read the email. However, if you "hover" your mouse over the link (do not click!) and then look at the bottom left corner in most browsers, you should see the link that you will be taken to, if you click.

If that link doesn't contain "ups.com" (in this case), don't click. And, even if it "contains" ups.com, make sure it is actually the root of the URL, and not buried within another URL:

http://ups.com/sweepstakes <--- OK

http://hacker.com/ups.com/sweepstakes <-- not OK

Here's an example. This points to my family web site:

http://themeyersite.com

This next link points to the exact same site, but the link looks like it is going to take you to the UPS site:

http://ups.com

Hover your mouse over the second link that looks like it is going to take you to the UPS site, and you'll see that instead it is going to take you to my site.

Some sites use third parties to handle some of their business, so the link may not always be directed to the host company's site. If this is the case, you still shouldn't click on the link. Instead, log into the site manually and do your business there. I would report the email even if you recognize the third-party company: no company should present customers with such emails given the severity of the potential threats, and all companies should host the responses and then send the responses to the third party from their own server.

Always report suspicious email directly to the company who is being spoofed. They can deal with it -- usually very quickly -- and will report it to the authorities, if it is warranted. Don't bother reporting anything to the authorities yourself, because they'll have a tougher time aggregating threats reported by millions of individuals. Also, they have to first verify your legitimacy.

You can get a little relief from phishing threats if you enable a feature that some browsers offer which is a list of sites known to host bad things. This provides some protection, but like the mostly useless anti-virus programs, it can only catch things that are already known. All computers are completely vulnerable to new attacks, which is why I don't bother (and never have) with anti-virus software.

nb: (I just rescued three more client computers from the evil clutches of Symantec and McAfee anti-virus programs ... boy, are these two anti-virus programs awful ... between the anti-virus and some horrible HP printer drivers, it took over four minutes, by my watch, to open Windows explorer and click on the C: drive. When I was finished, it took 1/4 of a second. The companies that produce this stuff should be brought up on criminal charges because the result is actually worse for the user than most malware).

musicvid10 wrote on 4/25/2013, 10:47 AM
Excellent summary, John, and one further heads up:

Some hover links are spoofed too, by using javascript to make it look like it's pointing to a legitimate site, when in fact it's not.

"The companies that produce this stuff should be brought up on criminal charges"
It's impossible to locate, much less prosecute criminal sites in uncooperative and third world nations, even with the support of international courts.
The best they can do is block them at the DNS level, an endless game of tail-chasing.

johnmeyer wrote on 4/25/2013, 10:51 AM
"Some hover links are spoofed too, by using javascript to make it look like it's pointing to a legitimate site, when in fact it's not."
Wow, I didn't know that. I'm looking into that as soon as I finish typing this.

[edit]Verified. You are, unfortunately, correct. I guess the advice I gave above must be modified, and you instead must right click on the link, copy the link to the clipboard, paste it into Notepad, and then inspect the link there.
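
The host check described in the posts above, as an added example that is not part of the thread: a Python script that reads each link's real href from an HTML message body (what you would see after pasting the link into Notepad) and tests whether ups.com is the actual host rather than something buried in the path. It goes slightly beyond the posts by also covering look-alike host prefixes and the user@host form; the sample body and its example.net links are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(url):
    """Host a browser would contact; the path and any user@ prefix are ignored."""
    url = url if "//" in url else "//" + url  # bare "ups.com/track" still parses
    return (urlsplit(url).hostname or "").rstrip(".").lower()

def belongs_to(host, domain):
    # The domain must be the host itself or its parent, never a path or prefix.
    return host == domain or host.endswith("." + domain)

def audit_links(html, trusted="ups.com"):
    """Return (visible text, real host, verdict) for each link in the message."""
    parser = LinkCollector()
    parser.feed(html)
    report = []
    for href, text in parser.links:
        host = host_of(href)
        # Only treat the visible text as a URL when it looks like one.
        shown = host_of(text) if "." in text and " " not in text else ""
        verdict = "ok" if belongs_to(host, trusted) else (
            "text-mismatch" if shown and shown != host else "untrusted-host")
        report.append((text, host, verdict))
    return report

# Constructed sample body; the first three links reuse the URLs from the post.
SAMPLE = """<a href="http://ups.com/sweepstakes">Enter</a>
<a href="http://hacker.com/ups.com/sweepstakes">Enter</a>
<a href="http://themeyersite.com">http://ups.com</a>
<a href="http://ups.com.example.net/track">Track package</a>
<a href="http://ups.com@example.net/track">Track package</a>"""
```

Calling `audit_links(SAMPLE)` marks only the first link as `ok`; the third is reported as `text-mismatch` because its visible text names ups.com while the href goes to themeyersite.com.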

musicvid10 wrote on 4/25/2013, 10:54 AM
I've received several of those through my local ISP email, starting a couple of years ago. The big players (Yahoo, Gmail et al) usually catch them and disable the links before they reach your inbox.

johnmeyer wrote on 4/25/2013, 11:38 AM
When I suggested that companies should be brought up on criminal charges, I was referring to McAfee and Symantec. Their software has caused thousands -- and perhaps millions -- of people to scrap their PCs and purchase new ones, because they thought their PC was getting slower because of "age." I am the last person on earth to subscribe to conspiracy theories, but it wouldn't take much imagination to come up with a scenario where the main PC companies all agree to install these anti-virus programs on their PCs (which, of course, is exactly what they do) knowing that over time these programs will slow down the PC and make people feel like they need to purchase another computer.

I still use a ten-year-old computer every single day, and except for things like rendering video or streaming and decompressing HD video, it works perfectly fine.

musicvid10 wrote on 4/25/2013, 11:59 AM
Ah, got it. I totally read that sentence out of context.
I got rid of Norton years back and never missed it. Also I've never had a virus. A good router firewall and caution when opening emails is all the additional protection most people need.

johnmeyer wrote on 4/25/2013, 12:12 PM
"A good router firewall and caution when opening emails is all the additional protection most people need."
Yup.

Anti-virus software is fighting last decade's war.

rmack350 wrote on 4/25/2013, 12:13 PM
"Also I've never had a virus."

Neither have I, as far as I know. For the same reasons. However, I just assume there are two types of computers: Those you know have viruses and those you don't know have viruses.

The thing about phishing is that if it happens to you 100,000 times, there's going to be a day when you screw up and click something you shouldn't have. Maybe you'll be distracted, undecaffeinated, overcaffeinated, in a hurry, or just plain click-happy. So having some sort of intervention between you and the attack will increase your odds, as long as the intervention isn't so obtrusive that it makes you impatient.

Rob

musicvid10 wrote on 4/25/2013, 12:49 PM
There are a few excellent, standalone virus scan utilities, and I get curious enough to run one a couple of times each year, right before I do a full system backup. A couple of false positives, but nothing more consequential. Windows Defender also scans periodically, causing only temporary system slowdowns.

In addition, the various tools at grc.com are a great way to assess your vulnerability to certain types of intrusions.

By all means, avoid third party popups that warn you of a virus, then offer to scan it for you. They are all bogus ("We'll give you the disease for free, and charge you for the cure!").

CorTed wrote on 4/25/2013, 5:39 PM
The first thing I do when I purchase a new laptop, is to remove any and all files associated with McAfee and Symantec.
Believe me, it is not an easy job, they make it very hard to be removed from the computer.

Since I build most of my desktops myself I do not run into that problem.


Ted

HaroldC wrote on 4/25/2013, 8:07 PM
I have several PCs, two on Windows and one a Chromebook. I get phishing emails and scam emails daily. So far I've kept the computers virus and malware free. Spybot now and then finds a suspicious file to remove. Chrome as an OS is supposed to be the most secure OS right now. I second or third the thumbs down on Symantec. It's malware in my opinion. Almost impossible to remove.

richard-amirault wrote on 4/25/2013, 10:00 PM
Many computers DO get slower with age.

The registry gets errors. People load crap .. then more crap .. then even more crap. They add a program but fail to uncheck the "we will add this extra feature for you" box(s). The hard drive gets fragmented, and starts getting errors.

I would think that most of us here are smarter than that .. but we are in the minority.