
Beware Heartbleed Password-Reset Phishing Scams

The Internet-wide security flaw called Heartbleed means you'll need to change your passwords on sites such as Yahoo, Google, Flickr and more. However, just because you get an email from a trusted site telling you to change your password does not mean you should click any links inside it — at least not until you're sure you're not being scammed. 

No Heartbleed-themed scams have yet been reported, but cybercriminals rarely pass up an opportunity to leverage a big news story. People are scared, and "Heartbleed" has a delightfully ominous ring to it — perfect conditions for preying on fear to make a few bucks.


A common email-related scam is phishing, which tries to capture private information, such as usernames or passwords, by dangling bait that targets will find desirable; in this case, a way to protect yourself from Heartbleed. This bait may come in the form of a legitimate-seeming email from a widely used service asking you to reset your password.

However, the links in the email may lead to malicious websites, perhaps one that looks like the site said to be compromised by Heartbleed, designed to capture your login credentials or, worse, to Web pages that try to install malware through your browser.

You can test the legitimacy of such emails. Look closely at the sender's email address. Is it missing letters, or are characters swapped for lookalikes (a zero for the letter "o", for example)? Keep in mind that a sender address can be forged, so a correct-looking address is not proof that the message is genuine; a wrong one, however, is a quick reason to delete it. You can also hover your mouse over links embedded in the email without clicking on them. The actual URL of the linked website should appear in the status bar at the bottom of your browser or mail program; make sure the domain in that address matches what the message says it is. The text of a link can show one address while the link itself points somewhere else entirely, and it is the hidden destination that counts.
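To show what those two checks look like when automated, here is an added Python example (not code from the article or from Tom's Guide). It runs the checks above over a constructed sample message: the From: header is compared against the domain you expect, and every link in the HTML body is pulled out so that the visible link text, the real destination, and the expected domain can be compared. The sample email, its addresses and hostnames are all made up for the example; the "last two labels" rule for the registrable domain is a simplification that real tooling should replace with the Public Suffix List.

```python
import ipaddress
import re
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample of a Heartbleed-themed reset email (not a real message).
# Link 1 shows a genuine-looking URL as its text but points elsewhere, link 2 is
# genuine, link 3 goes to a bare IP address, link 4 is a lookalike domain.
SAMPLE_FROM = "Yahoo Security <no-reply@yah00.com>"
SAMPLE_EMAIL_HTML = """
<p>Because of the Heartbleed bug, please reset your password now:</p>
<a href="http://login.yahoo-security-reset.example/reset">https://login.yahoo.com/reset</a>
<a href="https://www.yahoo.com/help">Help center</a>
<a href="http://192.0.2.10/yahoo/login">yahoo.com</a>
<a href="https://www.yaho0.com/account">Reset password</a>
"""

HOST_RE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a> in the message body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def host_of(s):
    """Host named by a URL or a bare domain/IP string; None if s names no host."""
    s = s.strip()
    if not s:
        return None
    host = (urlparse(s if "://" in s else "//" + s).hostname or "").lower()
    return host if HOST_RE.match(host) or is_ip(host) else None


def base_domain(host):
    """Naive registrable domain: last two labels (use the Public Suffix List for real)."""
    return ".".join(host.split(".")[-2:])


def belongs_to(host, domain):
    """True if host is domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def sender_domain_mismatch(from_header, expected_domain):
    """Return the sender's domain if it is not under expected_domain, else None.
    From: is trivially forged, so a match proves nothing; a mismatch is a quick reject."""
    _, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    return None if belongs_to(domain, expected_domain) else domain


def suspicious_links(email_html, expected_domain):
    """Return [(href, reason)] for every link that does not go where the message claims."""
    collector = LinkCollector()
    collector.feed(email_html)
    findings = []
    for href, text in collector.links:
        actual = host_of(href)
        if actual is None:
            findings.append((href, "destination has no recognisable host"))
        elif is_ip(actual):
            findings.append((href, f"destination is a bare IP address ({actual})"))
        else:
            claimed = host_of(text)  # does the visible text itself name a host?
            if claimed and not is_ip(claimed) and base_domain(claimed) != base_domain(actual):
                findings.append((href, f"link text names {base_domain(claimed)} "
                                       f"but destination is {base_domain(actual)}"))
            elif not belongs_to(actual, expected_domain):
                findings.append((href, f"destination {actual} is outside {expected_domain}"))
    return findings


if __name__ == "__main__":
    print("sender domain:", sender_domain_mismatch(SAMPLE_FROM, "yahoo.com") or "ok")
    for href, reason in suspicious_links(SAMPLE_EMAIL_HTML, "yahoo.com"):
        print(f"SUSPICIOUS {href}: {reason}")
```

Running it flags the forged sender domain and three of the four links; only the link that really goes to the expected domain passes. The script deliberately treats the visible text as a claim and the href as the truth, which is exactly the hover check the article describes.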


Better yet, use your browser to simply go directly to the website on which you'd like to change a password. If you get an email from OKCupid (among the sites affected by Heartbleed) urging you to change your password, it might be perfectly legitimate — but just to be safe, you should go to OKCupid yourself and change your password there instead of clicking any links in the email. 

It's just bad practice for companies to put links in customer emails, argues security researcher Paul Ducklin on Sophos' Naked Security blog. 

"It's much more convenient if you do give an easily-clickable link, and there is no technical or legal reason not to do so," Ducklin wrote. "But from a behavioral point of view, it's so much better if you don't, because you aren't softening your customers up to click on the sort of links that scammers love."


Jill Scharr is a creative writer and narrative designer in the videogame industry. She previously worked as a Staff Writer for Tom's Guide, covering video games, online security, 3D printing and tech innovation.