Fight Online Crime with Grammar

We have all seen them: emails with bad grammar, spelling mistakes and other problems. The writers ask us to go to a web page or open a file linked to the email. But if we do, the result is sharing personal or financial information.

Here is the good news. Anyone with some knowledge of grammar can find out that these are not official messages from a bank or an internet service. We will learn how to recognize them in today's Everyday Grammar.

Cybersecurity experts call these email or text messages "phishing."

You might think about it as trying to catch fish, but this word is spelled with "ph" not "f." Hackers came up with the word in the 1970s basing it on another cybercrime called "phone phreaking." Phishing describes the method of sending emails into a "sea of internet users" hoping some will "take the bait" or get caught up in an illegal activity.

The Federal Trade Commission, or FTC, an agency of the U.S. government, says there are several things phishing attempts have in common. They look like they are from a company you know or trust, such as a bank, credit card company or online store. They tell a story to get you to take some action. The story may involve activity on your account, a bill you must pay or an offer for a reduced price on something. Then, they ask you to give them personal information, such as your date of birth, your telephone number or credit card details. In addition, they often say something bad will happen if you do not take immediate action.

The question is: How can you tell when a request is not an official communication from a trusted company?

Here is where your knowledge of English grammar can help you. You can look for grammar and spelling mistakes by asking these questions:

  • Do you have an account or normally do business with this company?
  • Does the message follow or break grammar rules?
  • Does the message use correct spelling, punctuation and spacing?
  • Does the message follow the rules of language use in business, such as the use of formal language?

The FTC gives an example of a phishing message that is supposed to be from the video service, Netflix.


Sample Phishing Email

Your account is on hold

Hi Dear.

We're having some trouble with your current billing information. We'll try again, but in the meantime you may want to update your payment details.

Update Account Now

The first problem is that the message starts with the greeting, "Hi Dear." That is wrong for two reasons. It does not use your name, and it uses both "Hi" and "Dear." The correct use of "dear" in English is before a name, as in "Dear Dr. Robbins." And, an official letter would never use the informal greeting, "Hi."

The Netflix message asks you to update your payment details. This, too, is a warning sign. Experts say you should visit the company's official website if you think there may be a real problem. You should not click on the button to follow the link in the message.

At the end of the message is another mistake. It says, "Visit the Help Centre," spelling "center" with "re," not "er." Netflix is a U.S. company. You would not expect it to use British spelling.

Arnold Zwicky wrote about another phishing email in The Language Log. Here is part of the message.

This message is from One Communications Internet SM message center to all uga.edu account owners.We are currently upgrading our data base and e-mail account center. We are deleting all unused uga.edu account to create more spacefor new accounts.

You are advice to verify and confirm your account details below to enable us upgrade our school uga.edu Internet Service e.g. Your uga.edu

E-mail, Password, and Address etc.

It begins, "This message is from One Communications Internet message center." That is a grammatical mistake, because the definite article "the" should be used, not the noun "one."

Next, we see two words written together, "owners.We..." This spacing mistake appears in another place in the message too. The message says, "We are deleting all unused account..." With "all" before it, the word "account" should have the plural form "accounts."

The next sentence has two grammatical mistakes: "You are advice to verify and confirm your account details below to enable us upgrade our school...Internet Service." Did you find the mistakes? "Advice" should be the passive form, "advised" and "to" is needed for the infinitive verb form in "enable us to upgrade."

After looking at some phishing messages, you may wonder how anyone could think they are official emails. But most of us do not read our email messages carefully enough.

As a result, people often follow the instructions in a message without thinking of the risks. The risks are serious. The FBI says that people lost $57 million to phishing activity in one year and much more from all forms of cybercrime.

Now that you know what to look for and how to use your knowledge of English grammar, you can avoid becoming the victim of cybercriminals.

I'm Jill Robbins.

Jill Robbins wrote this story for Learning English. Mario Ritter, Jr. was the editor.

______________________________________________________________

Words in This Story

cybersecurity –n. related to providing security against an internet attack

hackern. a person who secretly gets access to a computer system in order to get information or cause damage; a person who hacks into a computer system

cybercrime – n. criminal activities carried out by means of computers or the internet

spelling – n. the act of forming words using the correct letters

bait – n. something used to attract a fish (or anything else) so that they can be caught

punctuation – n. the marks, such as periods and commas, used in writing to make it clearer and to separate sentences and parts of sentences

Have you seen phishing attempts in your email? How did you tell it was not a real message from a company you do business with? We want to hear from you. Write to us in the Comments Section.

Cybercrime Prevention Advice from the Federal Trade Commission:

Four Steps to Protect Yourself From Phishing

1. Protect your computer by using security software. Set the software to update automatically so it can deal with any new security threats.

2. Protect your mobile phone by setting software to update automatically. These updates could give you critical protection against security threats.

3. Protect your accounts by using multi-factor authentication. Some accounts offer extra security by requiring two or more credentials to log in to your account. This is called multi-factor authentication. The additional credentials you need to log in to your account fall into two categories:

  • Something you have - like a passcode you get via text message or an authentication app.
  • Something you are - like a scan of your fingerprint, your retina, or your face.

Multi-factor authentication makes it harder for scammers to log in to your accounts if they do get your username and password.

4. Protect your data by backing it up. Back up your data and make sure those backups aren't connected to your home network. You can copy your computer files to an external hard drive or cloud storage. Back up the data on your phone, too.