Phishing scams keep popping up in the news and scammers are getting more sophisticated, and bold. CNN recently reported on an email scam targeting the White House. The incident provided fodder for late night talkshow hosts like Stephen Colbert, but phishing attacks are no laughing matter.
What exactly is phishing?
Phishing is an attempt to get recipients to divulge sensitive information such as usernames, passwords or Social Security numbers, or to transfer money to the scammer through a variety of methods. Usually, this is done through email but is also now popping up in text messages. Phishing has been around for decades and continues to be a growing problem for consumers and businesses alike.
The global cybersecurity organization APWG says there were more than 1.2 million phishing attacks in 2016, which is 65% more than the previous year.
Between personal and business accounts, the number of emails you get each day could easily top a hundred or more. Chances are good that at least once a day, a phishing email lands in your inbox: 76% of corporate information security professionals polled by Wombat Security in its 2017 State of the Phish report said their organization has experienced a phishing attack.
Personal email accounts see frequent phishing attempts as well, so keeping an eye on your personal email inbox is just as important. There's no particular time that identity thieves focus on phishing—it happens year round, so you always want to be aware before you click on that email link and provide your personal information. You may see certain scams pick up around certain times of the year. For example, phishing for tax information is common at the beginning of the year and phishing surrounding shipping amps up around the holidays when a lot of people are sending packages.
How to spot a phishing scam
Whether they're aimed at a business executive or a consumer, phishing emails have some common characteristics. Learning to spot the warning signs that an email is bogus could help you avoid falling victim to a phishing scam.
Be alert for emails that:
- Use a generic address rather than your name. For example, an email from your mortgage company that begins "Dear account holder," instead of actually addressing you by name.
- Urgently require you to take an action. An email that appears to be from your credit card company may tell you your account will be frozen unless you click on a link in the email and complete a form.
- Contain subtle or express threats. For example, "confirm your user credentials immediately or your account will be permanently frozen."
- Has a suspicious sender email address. Although some phishers may be able to fake a credible-looking email address, phishing emails often come from addresses that don't make sense. For example, a personal email address in the sender line of an email claiming to be from your bank. You may also notice the email address has a lot of different characters including different letters and numbers or that the business name has one letter off the correct spelling of the email address.
- Has a wrong or bogus recipient address. Scammers may know one of your email addresses, but not the one you gave to the company they're pretending to be. For example, you receive an email from your credit card company on your business account, even though you provided your personal email address as contact information.
- Contains URLs that don't go where they say they'll go. Often, scammers will embed hyperlinks into an email that take you to a fake site where they collect your information or load malware onto your computer. Before clicking on a suspect link, hover your mouse over it to see what the actual URL looks like. Look for warning signs, such as the URL doesn't begin with "https" or the URL goes somewhere other than where the hyperlinked text says it will go.
- Includes poor grammar or spelling errors. Multiple typos or spelling errors could be a sign the email does not come from a legitimate source.
- Has an email or web address that is not quite right. Scammers may mimic websites from known companies in order to fool you by changing a letter or word so it closely resembles a legitimate address.
- Includes attachments. It's unusual for a legitimate financial institution or company to send account information as an attachment, so be wary of any email you receive that says a statement or credit card bill is attached. Opening a suspect attachment could allow malicious software to download onto your computer.
- Requests or demands information the "sender" should already have. For example, your bank should never need you to verify your account number because they already have it. Likewise, the IRS already knows your Social Security number—plus the IRS only contacts taxpayers by U.S. mail when money is owed.
Texting for personal information
With the rise in smartphone usage, fraudsters have also shifted efforts from just targeting email inboxes to including text messages as well. Many of the same things to look out for in email are applicable for SMS as well:
- The 'From' number or contact is often an email address with various random letters and numbers.
- Zeros may appear as capital Os.
- Punctuation and grammar are slightly off.
- The company name is slightly different (adding a hyphen, extra spaces or other slight tweaks to the company name)
What if you fall victim to a phishing scam?
If you stay vigilant in reviewing emails and texts before clicking or calling to provide personal information, that's your best defense. But with your busy day-to-day tasks, you may still mistake something fraudulent for something that seems legitimate. If you do suspect you've been the victim of a phishing scam, there are a few steps you may want to take:
- Contact the bank or financial institution with whom you have the account using the main company website. Talk to their customer service team or fraud division, if they have one, and explain the details.
- If you're on a personal computer, ensure your computer's antivirus protection is up to date with the latest version and run a scan for viruses. If you're using a work computer or email, you'll want to contact your company's information security team immediately so they can help you with any potential concerns or issues. Delaying contact or trying to fix something yourself on a work computer can end up with more time for damage to be caused, so trust the experts to help resolve things rather than trying on your own.
- If you've entered in personal information on a site you realize may be part of a phishing scam, you may need to also keep a close eye on your credit card and bank accounts, and contact any companies who need to be on the lookout for withdrawals or charges. You can also check your credit report regularly to keep an eye out for any new accounts, inquiries, or higher balances being reported by creditors. If you suspect anything is off on your credit report, you can place a fraud alert on your credit file. Experian IdentityWorks members also get alerts to help with identity theft protection and can lock their credit with Experian CreditLock to prevent new accounts from being opened in their name.
What happens next
Phishing scams work a variety of different ways. Sometimes they focus on installing malware on your computer and other times your information is collected when you click a link and provide information on a fraudulent site. Once an identity thief gets your personal information, it can be sold online to other thieves on the dark web. Learn more about the dark web and how to protect yourself from it here.
Phishing scams pop up every day. Even if you aren't seeing them in the news, you likely come across them in your inbox. Keep an eye out for anything that looks off, especially before clicking on a link or opening an attachment so you can help protect your information from getting into the wrong hands.
Editorial Disclaimer: Opinions expressed here are author's alone, not those of any bank, credit card issuer, or other company, and have not been reviewed, approved or otherwise endorsed by any of these entities. All information, including rates and fees, are accurate as of the date of publication.