woman sitting at desk in front of computer

What is email phishing?

Email phishing refers to scammers sending fraudulent emails asking for sensitive information like passwords and account numbers. The senders of these emails typically act as a trusted or reputable source so consumers feel both obligated and safe to send such information.

How email phishing works

In most phishing schemes, a fraudster will imitate a known or trusted source to trick a person into releasing sensitive information. These sources commonly misrepresent themselves as banks, schools, retailers and charities. Sophisticated perpetrators will take care to reproduce a source’s brand, logos and styling conventions to enhance their credibility.1

With phishing emails, a fraudster will often ask for login or password information. (Nationwide will never send an email to customers requesting login/password information). The request will frequently be phrased as though the source – bank, retail site, etc. – needs to verify your account or password information. Other times these emails request that you access your account and verify recent charges, but the link provided actually delivers you to an imitation site set up by the criminals—which is then used to harvest the information you enter.

Trustworthy companies should never ask you to confirm passwords or sensitive information over email or text message. Such companies understand that these channels are susceptible to fraud.2

Common phishing scams

  • Email phishing – Many email phishing scams imitate trusted ecommerce sites. These emails will typically address the reader as a valued customer or site member, asking you to confirm your login information. Legitimate sites should never ask for password information via email, so if you see an email requesting such information, it is likely fraudulent.

    Similarly, an email may inform you that you have been a victim of identity theft. These emails claim to represent fraud departments or trusted companies where many people shop and use credit cards, making the scenario sound plausible. They also may request personal information to “confirm your identity,” claiming to be for your security. But as with any email, be very suspicious of communication requesting personal information, even if it claims that your identity has been stolen and there is an urgent need for you to confirm your personal details.

  • Spear fishing – These emails generally appear to derive from a person’s place of employment. Users often readily believe that their workplace has misplaced payment or personal information (bank account numbers, SSNs), leading an employee to send the requested information. If you’re in doubt as to whether an email from your company is authentic, simply call your company and speak with a human resources representative. Never send sensitive information without first confirming the authenticity of the request.

  • Pharming – This type of online fraud refers to redirecting users to malicious sites. Once you navigate to sites where you need to submit information, a hacker can collect the information you enter.

Protecting yourself from phishing

To protect yourself from email phishing and email fraud, be wary of any email that requests personal information. Never send account login, password or personal information through a link provided in an email. Even if a company you know and trust sends an email that asks you to follow a link or provide information, you should still navigate directly to the company website or your account in a browser to respond to the message. If your account has a message center, there is a good chance you will be able to access the message there after you log in.

If you’re suspicious of the origin of an email, you can also call and speak with a representative at the organization from which the email was sent. Representatives from human resources or information technology should be able to verify if a message has been sent.

Phishing criminals rely on the mechanical, unsuspecting behavior many users display when accessing emails they believe derive from known, trusted sources. By recognizing the common phishing tactics described above and by educating yourself, you can better spot and avoid phishing scams.

Osbourne, Hilary, “Eight things your bank will never ask you (but a fraudster might),” The Guardian (13 October 2014).
"Phishing." Gale Encyclopedia of Everyday Law. Ed. Donna Batten. 3rd ed. Vol. 1: American with Disabilities Act to First Amendment Law. Detroit: Gale, 2013. 305-308. Gale Virtual Reference Library. Web. 16 Dec. 2015.