Following a recent alert by Malaysia’s Inland Revenue Board (IRB) warning Malaysian taxpayers not to fall victim to email scams requesting bank details, Fortinet has advised Malaysians to look out for the “key traits” of a typical phishing email to stay cyber-safe.
In a statement early this month, Malaysia’s IRB reported that a syndicate was using the name of its CEO, its board members and the official logos of the IRB and banks to convince people that they had overpaid taxes and that the IRB required their bank account details to facilitate the refund.
In email scams, cyber criminals often pose as a trusted person or organization. Criminals go to great lengths to create websites that appear legitimate, but which contain phony login pages to trick victims into providing money, passwords and other important financial information.
“Links in phishing emails often lead to malicious websites that are controlled by the attacker. These malicious websites may serve fake login pages of financial institutions, launch exploits targeting vulnerable computer systems, or trick victims into installing malware,” said Gavin Chow, Fortinet’s network and security strategist, who is based in Kuala Lumpur. “It is important that Malaysians learn to be on their guard against potential fake emails and rogue websites.”
Here are Fortinet’s 5 essential guidelines to help identify phishing emails or websites that steal personal information:
1. Generic greeting. Phishers often send thousands of emails at one time. Be sceptical of any email that starts with ‘Dear Customer’ or ‘Dear Taxpayer’.
2. Incorrect “From” address. Look at the sender’s email address. Phishers often use addresses that are similar to, but not the same as, a company’s official email address. According to the IRB, every official email is sent from the “@hasil.gov.my” email domain. The public must not follow instructions from emails that are not sent from the IRB’s official email domain.
3. Urgent action required. Fraudsters often include urgent calls to action to try to get you to react immediately. Remember that the IRB will never send an email requesting taxpayers to reveal their bank account number, or threatening lawsuits, liens, arrest or other actions.
4. Link to a fake IRB website. To trick you into disclosing your username and password, cybercriminals often include a link to a fake website that looks exactly like the sign-in page of the legitimate IRB website. Before clicking on the link, hover your mouse cursor over it to view the real site address, which is typically shown in the lower left corner of your browser.
5. Poor spelling and grammar. If you end up on a potentially fake site, look for misspelled words and poor language within the site content. You would think that this would be an easy problem for cybercriminals to fix, but a remarkable percentage of phishing emails and websites are riddled with misspelled words, bad punctuation and improper grammar.
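The five checks above can be applied mechanically by a mail filter or triage script. The following is an added example, not code from Fortinet or the IRB: it scores one message against the sender-domain rule (only “@hasil.gov.my” is official), the generic-greeting and urgency wording, a request for bank account details, and a link whose visible text names a different host than its real destination. The sample message and the sender address “hasil-gov-my.example” are constructed for illustration.

```python
import re
from email.utils import parseaddr
from urllib.parse import urlparse

OFFICIAL_DOMAIN = "hasil.gov.my"  # the IRB's official sending domain, per the article
GENERIC_GREETINGS = ("dear customer", "dear taxpayer", "dear user")
URGENCY_TERMS = ("immediately", "within 24 hours", "legal action", "arrest", "suspended")

def sender_domain(from_header: str) -> str:
    """Domain part of the address in a From: header, lower-cased ('' if none)."""
    _, addr = parseaddr(from_header)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def is_official_domain(domain: str) -> bool:
    """True only for hasil.gov.my itself or a subdomain of it (look-alikes fail)."""
    return domain == OFFICIAL_DOMAIN or domain.endswith("." + OFFICIAL_DOMAIN)

def link_mismatches(html: str) -> list:
    """(shown_text, real_host) for each <a> whose visible text names a different host."""
    found = []
    for href, text in re.findall(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', html, re.I | re.S):
        real_host = (urlparse(href).hostname or "").lower()
        shown = re.sub(r"<[^>]+>", "", text).strip()
        shown_host = (urlparse(shown if "://" in shown else "http://" + shown).hostname or "").lower()
        if shown_host and shown_host != real_host:
            found.append((shown, real_host))
    return found

def phishing_indicators(from_header: str, body_html: str) -> list:
    """Return a description of every one of the article's checks that fires."""
    hits = []
    domain = sender_domain(from_header)
    if not is_official_domain(domain):
        hits.append("sender not @hasil.gov.my (%s)" % domain)
    text = re.sub(r"<[^>]+>", " ", body_html).lower()
    if any(g in text for g in GENERIC_GREETINGS):
        hits.append("generic greeting")
    if any(u in text for u in URGENCY_TERMS):
        hits.append("urgent call to action")
    if re.search(r"bank account (number|details)", text):
        hits.append("asks for bank account details")
    for shown, real in link_mismatches(body_html):
        hits.append("link text %r really points to %s" % (shown, real))
    return hits

# Constructed sample resembling the scam described in the article (not a real message).
SAMPLE_FROM = "IRB Refund <refunds@hasil-gov-my.example>"
SAMPLE_BODY = ('<p>Dear Taxpayer,</p><p>You have overpaid tax. Send your bank account details '
               'immediately or the refund will lapse.</p>'
               '<a href="http://login.example.net/irb">https://hasil.gov.my/refund</a>')

if __name__ == "__main__":
    for hit in phishing_indicators(SAMPLE_FROM, SAMPLE_BODY):
        print("-", hit)
```

Hovering over the sample link, as guideline 4 advises, shows the same mismatch the script reports: the text reads hasil.gov.my but the destination is another host.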
“If an email still looks and feels suspicious after passing the above checks, directly contact the organisation that allegedly sent you that email to verify its contents,” concluded Chow.