One of the first things you learn when you start looking for phishing attempts is divergence between the link you see on screen and the link you see in the status bar when you mouse over it.
Weirdly, I got one yesterday that had no such divergence, but was still bogus. Some of the text, for the benefit of searchers:
Dear Comerica Bank customer,
You have received this alerting message, as you are listed to be an Comerica Business Connect user.
We would like to inform you that we are currently carrying out scheduled maintenance of banking software, that operates customer database for Comerica Business Connect users. Customer database is based on a client-server protocol, so, in order to finish the update procedure, we need customer direct participation. Every Comerica Business Connect customer has to complete a Comerica Business Connect Customer Form. In order to access the form, please use the link below. The link is unique for each account holder and expires within a certain period of time. If you don’t fill in Comerica Business Connect Customer Form before your unique link expires, the system will automatically send you a new notification message.
The language, of course, gives it away; it’s only slightly better than someone trying to imitate American legalese with no tools but a French-to-Urdu phrasebook. All it lacks is a hovercraft full of eels.
But the link, ostensibly to “businessconnect.comerica.com,” for some reason showed exactly that when I tried mousing over it in my webmail client. Perplexed, I saved it as a file on the desktop and viewed it separately; Firefox did not catch the discrepancy. (I later downloaded it through POP3, and Outlook Express was not fooled.) The only anomaly I could see in the code was that they’d set what looked like a couple of hex bytes 3D between “<a href=” and the beginning of the real URL.
Eventually I determined that the destination of all clicks on this link was a Mexican domain, which prompts the following response from me: “Mi aerodeslizador está lleno de anguilas.”