Phishing Scams and How to Avoid Them
September 30, 2016
What is phishing?
Phishing is a type of scam where cybercriminals fool unsuspecting victims into either downloading malware or turning over personal information like credit card numbers, social security numbers, and passwords—sometimes even directly asking for money. They are literally “fishing” for data, but using phony appearances, hence the “ph” spelling.
Phishing is a scam aimed at tricking you to hand over private information to criminals.
Be suspicious of unusual or irregular emails and don’t provide private information to any unverified source.
How phishing works:
Cybercriminals often masquerade as legitimate businesses, using email, text messages and phone calls to extract information from their victims.
- An attacker will pose as a credit card company, financial institution or charity.
- Victims will get an email saying there is some problem.
- Victims are usually asked to click on some link and supply their account information, or grant access to their computer, to clear it up.
- The link leads to a fake site, and the information goes straight to the attacker, who can then access the victim's real accounts.
How to recognize phishing
Phishing takes a variety of forms—spear phishing, whaling, vishing—all falling into the “social engineering” category of attack. What they all have in common is that, unlike malware, these attacks require the victim to take an action of some kind that results in personal information being exposed. The most common types of “bait” used in phishing scams are:
- An email containing an unknown link and a message urging you to click
- An email masquerading as a “security update”
- A suspicious attachment that you are asked to open and review
- A request asking you to log in to a familiar account or provide personal data so the sender can “verify” your information
- Some form of call-to-action that requires “immediate attention” and action
- A text message from an unknown sender asking you to take some action and/or provide information so you can claim an award
- A phone call from an unknown, unidentified or unverified phone number requesting personal or work-related information
- A call from a bank or helpdesk organization asking for PIN, account information or login credentials
How to avoid becoming a phishing victim
Trust your instincts – If an email seems suspicious, delete it without opening it.
Don’t send personal or financial information to anyone
As a general rule, don’t reveal personal or financial information to anyone unless you know them. Do not respond to email or text solicitations for this information.
Use secure sites beginning with “https:”
If you’re sending sensitive information over the Internet, check the security of the website by making sure its URL begins with “https:” instead of just “http:”. Often a lock icon or other indicator precedes the URL, signaling that the connection to the webpage is secured. Keep in mind that “https:” only means the connection is encrypted; a phishing site can use it too, so check the address itself as well.
Verify the website’s URL
Malicious websites often look identical to a legitimate site (like your bank’s), but the URL may be spelled slightly differently or use a different domain ending (e.g., .com vs. .net).
Contact the company directly
If you aren’t sure if a request is legitimate, verify it by contacting the company directly. Look up the contact information yourself—not by using the info provided in the suspicious email or text.
Do some research
Known phishing attacks are tracked and identified by groups like the Anti-Phishing Working Group (APWG), to which you can also report phishing.
Keep your computer up to date
It is always best practice to install OS updates and other app updates as they become available, so that you have the latest security protection.
Review the greeting
Watch for a generic salutation, or a greeting that is inconsistent with how the sender normally addresses you. If it seems odd or out of place, it probably is.
Check for mistakes
Errors in grammar and spelling can indicate a phishing attempt, as these often come from foreign countries where English is a second language.
Wait before you act
Be very suspicious of communications that require “Immediate action!”
Look before you click
If a link is included, hover over it and the destination address will appear. Check that the link text and the destination address match.
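As an added illustration (not part of the original article) of the checks under “Use secure sites”, “Verify the website’s URL” and “Look before you click”, this Python script pulls the links out of a constructed sample HTML email and flags any whose destination is not https, is not the expected domain, or does not match the address shown in the link text. The sample email, every hostname in it, and the expected domain “examplebank.com” are made up; the registered-domain helper is a deliberately crude two-label heuristic.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

class LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs for every <a> tag in an HTML email."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def registered_domain(host):
    """Last two labels (examplebank.com); real code would use the public-suffix list."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def shown_host(text):
    if " " in text or "." not in text:  # plain words such as "our site", not an address
        return None
    return urlparse(text if "://" in text else "https://" + text).hostname

def check_links(html, expected_domain):
    """Return (href, reason) for every link that fails one of the article's checks."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for text, href in collector.links:
        target = urlparse(href)
        host = target.hostname or ""
        if target.scheme != "https":                             # "Use secure sites"
            findings.append((href, "not https"))
        if registered_domain(host) != expected_domain.lower():   # "Verify the URL"
            findings.append((href, "destination domain mismatch"))
        shown = shown_host(text)                                 # "Look before you click"
        if shown and registered_domain(shown) != registered_domain(host):
            findings.append((href, "link text does not match destination"))
    return findings

# Constructed sample (all hostnames made up): a fake "account problem" email.
SAMPLE_EMAIL = """<p>Dear Customer, there is a problem with your account. Verify at
<a href="http://examplebank.com.account-verify.net/login">www.examplebank.com</a> within
24 hours, or visit <a href="https://www.examp1ebank.com/">our site</a>. Help:
<a href="https://www.examplebank.com/help">support page</a>.</p>"""
```

Calling `check_links(SAMPLE_EMAIL, "examplebank.com")` returns four findings: three on the first link (plain http, a look-alike domain, and link text that does not match the destination), one on the second (the “1” for “l” domain), and none on the genuine third link.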
Always question attachments
Know what you’re opening and make sure it’s from a reliable source. If you’re not sure, pick up the phone and check.