Password Scams


There are two common methods used to trick Yahoo! members into revealing their passwords: impersonation and social engineering.

Impersonation

Impersonated Web Pages

You can find web pages that exist for the sole purpose of collecting Yahoo! IDs and passwords. These pages mimic the Yahoo! sign-in screens, and are sometimes referred to as "spoof" or "password phishing" pages.

Do not enter your Yahoo! ID or password on any web page unless you are on the Yahoo! network and your intent was to visit a Yahoo! sign-in page or a Yahoo! service that requires you to be signed in.

You can quickly see if you are on the Yahoo! network by looking at the address box (circled in the picture below). Web pages on the Yahoo! network have URLs that start with "http://www.yahoo.com/". The "www" may be replaced with the name of the Yahoo! service you are visiting. For example, the address for Yahoo! Mail is "http://mail.yahoo.com/".

Make sure a "trailing slash" appears after "yahoo.com" -- sites that impersonate Yahoo! will not have the "trailing slash." For example, "http://www.yahoo.com:login&mode=secure&i=b35870c196e2fd4a&q=1@16909060" is a bogus URL.

If you aren't sure you are on the Yahoo! network, go to the Yahoo! home page by typing "www.yahoo.com" in the Address box. Once you're there, click the "Sign In" link on the right side of the Yahoo! home page.
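The bogus address quoted above works because a browser treats everything between "//" and the last "@" in the authority part as user-info, not as the host, so the real host of that URL is "16909060" (a decimal-encoded IPv4 address), not "www.yahoo.com". The following Python script is an added example, not part of the original guide or of any Yahoo! code; it parses a URL the way a browser does, reports the host that would actually be contacted, and checks that host against a trusted-domain list (the list containing only "yahoo.com" is an assumption for this example, as is the lookalike hostname used in the sample inputs):

```python
from typing import Optional
from urllib.parse import urlsplit
import ipaddress

# Assumption for this example: the guide only names yahoo.com as the
# Yahoo! network, so that is the only trusted domain here.
TRUSTED_DOMAINS = ("yahoo.com",)


def actual_host(url: str) -> Optional[str]:
    """Return the host a browser would really connect to for `url`.

    urlsplit() strips user-info (the part before the last "@") and any
    port, and lower-cases what remains, which is exactly the host that
    the address-bar check should be looking at.
    """
    return urlsplit(url).hostname


def decode_numeric_host(host: str) -> Optional[str]:
    """If `host` is a bare decimal integer (an IPv4 address in disguise),
    return it in dotted form; otherwise return None."""
    if not host.isdigit():
        return None
    try:
        return str(ipaddress.IPv4Address(int(host)))
    except ValueError:  # larger than 32 bits: not a valid IPv4 address
        return None


def is_trusted_network_url(url: str) -> bool:
    """True only when the real host is a trusted domain, or a subdomain of
    one, and the scheme is http or https.

    The suffix test is anchored on a dot so that a constructed lookalike
    such as "www.yahoo.com.example.net" is rejected: a naive substring
    check ("yahoo.com" in url) would wrongly accept it.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False
    host = parts.hostname
    if not host:
        return False
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def describe(url: str) -> dict:
    """Break a URL into the pieces a user is likely to misread."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    return {
        "scheme": parts.scheme,
        "userinfo_username": parts.username,  # text shown before ":" or "@"
        "real_host": host,
        "decoded_ip": decode_numeric_host(host),
        "trusted": is_trusted_network_url(url),
    }


if __name__ == "__main__":
    samples = [
        "http://mail.yahoo.com/",                          # from the guide
        "http://www.yahoo.com:login&mode=secure&i=b35870c196e2fd4a&q=1@16909060",  # bogus URL from the guide
        "http://www.yahoo.com.example.net/",               # constructed lookalike
    ]
    for url in samples:
        print(url)
        for key, value in describe(url).items():
            print(f"    {key}: {value}")
```

Run it and the second sample shows `userinfo_username: www.yahoo.com` but `real_host: 16909060`, which decodes to the IPv4 address 1.2.3.4; the trailing-slash rule in the guide is a quick visual cue, while the host comparison above is the check that actually decides where the browser will send the password.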

Impersonated Emails

You may receive an email from someone claiming to be a Yahoo! employee who asks for your password for any number of reasons -- to help recover your account, prevent your account from being deleted, or identify your account are a few of the more popular scams. The person may ask you to reply with your password or may direct you to a fake sign-in screen. These are scams. Please forward the email to mail-spoof@cc.yahoo-inc.com. Include the full email headers and the HTML source code of the email you received.

If you are directed to a web page by an email, make sure the web page is in the Yahoo! network, as mentioned above.


Social Engineering

"Social Engineering" is a term that describes non-technical methods used to gain access to accounts, passwords, credit card numbers, Social Security numbers, names, addresses or other personally identifying and confidential information. These methods are mostly based on human interactions and, specific to your Yahoo! account, can be separated into two types.

Con Games

In a con game, the social engineer will try to convince you to share your password. They may impersonate Yahoo! (as mentioned above), claim to be with law enforcement or someone else of authority, or they may befriend you to gain your confidence and offer to help solve problems you may be having with your account.

  • Never share your password. Your password is confidential and should not be given to anyone.
  • Most online services, including Yahoo!, hold you responsible if you do not properly safeguard your password and your account is used by another person. If you lose a password from another company or online service, you may have that company email your password to you. Thus, if someone else has the password to your Yahoo! Mail account, they may be able to read these emails and gain access to your online accounts at other companies.

Victim Knowledge

A social engineer may also use information they know about you to guess your password or use our password lookup utility to gain access to your account.

  • To reduce the chance of someone guessing your password, choose your password wisely. Read "Choosing your password" for more information.
  • To reset your Yahoo! password, a person needs to know your date of birth and ZIP code. To learn your new password, a person also needs access to your alternate email account or know the answer to your secret question. That's why it is important to pick a secret answer only you know.
  • Choose a security question and answer wisely. When you register with Yahoo!, you can choose a special question and answer that will allow you to access your account if you forget your password.
  • Make sure you choose information someone else cannot guess. (Remember, it's possible for anyone who knows your Yahoo! ID and your birthday to see your security question and attempt to answer it.)
  • Be careful about what you post publicly and with whom you share personal information. Social engineers may take months to gain your trust, get to know you better, and gather information about you.

For more information, visit the Social Engineering category in the Yahoo! Directory.

Such scams are not targeted only at Yahoo! members. The more popular an Internet service, the more likely fake log-in pages have been set up to collect IDs and passwords. Only give your ID or password when you know you're on a legitimate and trusted web site.


Reporting Password Scams

  • Email: If you receive an email impersonating Yahoo!, please forward the email to mail-spoof@cc.yahoo-inc.com. Include the full headers and the HTML source code of the email you received.
  • Web page: If you see a web page asking for your Yahoo! ID and password and you feel it is a scam, please report it using our contact form. Include the full URL of the web page collecting passwords.

If you have already been tricked into giving your password, please use the contact form and supply as much detail as possible.

If you entered credit card or bank account numbers, you should immediately contact your financial institution.

If you feel your life is in danger, call your local police immediately.


Copyright © 2006 Yahoo! Pte Ltd. All Rights Reserved.