Don’t Take the Bait: How to Avoid Being Phished
“Phishing,” “spear phishing,” and “spoofing” may sound like fun, jovial activities, but they’re no laughing matter. Each of these activities is a scam designed to steal your personal information or hijack your computer, tablet, or smartphone. They affect millions of people and cost consumers and businesses billions of dollars.
A 2017 public service announcement from the FBI’s Internet Crime Complaint Center (IC3) reported that, from October 2013 to December 2016, the Bureau handled over 22,000 email-fraud incidents involving domestic losses totaling nearly $1.6 billion. IC3 as a whole receives an average of about 280,000 complaints a year. And if you think these scams only affect the gullible and could never fool you, think again. In a global quiz run by Intel Security, 97% of participants failed to sort every sample email correctly into “legitimate” and “phishing.”
TRICKERY TIMES THREE
They may have different names and subtle differences, but phishing, spear phishing, and spoofing all have one thing in common: They are crimes designed to steal your personal information, take your money directly, or extort a ransom from you. They rely on cleverly disguised emails, texts, and even phone calls, all of which grow more professional and convincing every day, to trick you into divulging information that can be used to make fraudulent charges or steal your identity. The same disguised messages are also the most common delivery vehicle for malware: a link or attachment that installs a virus or ransomware on your phone, tablet, or computer.
Here’s a quick summary of each of these forms of fraud:
Phishing is a broad attempt to trick you into providing sensitive information such as credit card numbers, Social Security numbers, usernames, passwords, etc. These attempts typically appear to come from trusted sources, but they’re not as personalized or targeted to specific victims as in spear phishing. The objective is to trick as many targets as possible into opening an embedded link to a counterfeit website or calling a bogus phone number.
Spear Phishing is a more targeted attempt to acquire sensitive information, directed at specific individuals or organizations and tailored with details the attacker has already gathered (your name, your role, your colleagues, a recent purchase or invoice) so the message reads as routine. Like phishing, these attempts typically appear to come from a trusted source.
Spoofing is the forgery that makes the other two work. The attacker fakes the apparent source of a message: the From address or display name of an email, the caller ID of a phone call, or a look-alike web domain, so that it appears to come from someone you already trust. Email sender checks (SPF, DKIM, and DMARC) let a receiving mail server reject some forged mail, but many domains do not enforce them, and a look-alike domain the attacker actually owns passes every check. A spoofed message does not have to send you to a fake website; often it carries malware instead, and clicking a link or opening an attachment downloads a program that can harvest your files, disable your operating system, or encrypt your data and demand a ransom to unlock it (ransomware).
7 STEPS TO AVOID BEING HOOKED
While phishing and spoofing attempts have grown more clever and sophisticated, they can often be identified and avoided by exercising a bit of common sense and a healthy dose of skepticism. So, the next time you receive a suspicious email, text, or phone call, practice the following:
1. Scrutinize What’s Being Communicated
Reputable companies do not ask you to send passwords, full card numbers, or Social Security numbers by email or text, or to enter them on a site you reached from a link in a message, and a legitimate caller you did not ring yourself will not need your full password, PIN, or one-time code. Urgency is the attacker’s main lever (“your account will be closed in 24 hours”); a real company rarely demands immediate action unless it has already tried to reach you several times. So, if you receive an unsolicited email, call, or text requesting sensitive account information, be skeptical.
Also scrutinize the way the communication is written. If it is riddled with grammatical and spelling errors, it is doubtful it came from the company it claims to be from; reputable companies employ professional writers, editors, and proofreaders. The reverse does not hold, though: clean writing proves nothing. Targeted spear-phishing messages are often flawless, so treat good grammar as the absence of one red flag, not as evidence of authenticity.
2. When in Doubt, Verify
If an email or text looks authentic but asks you for sensitive information or to do something that seems dubious, do not hesitate to pick up the phone and call the customer service department of the company that supposedly sent it. Just don’t use the telephone number (or the reply address) provided in the suspect message; find a phone number from a past statement, the back of your card, or the company’s website, reached by typing the address yourself. If the email is fake, any contact details inside it lead back to the attacker, who will happily “verify” the request for you.
3. Don’t Click Suspicious Links or Open Attachments
If you are not sure about an email or text, do not click any links embedded in it or open unsolicited attachments. Doing so could take you to a bogus website or download malware. Hover the cursor over the link and look at the destination your mail client or browser shows, not the text of the link itself; the two can say completely different things. Read the domain name just before the first single slash: in a link to paypal.com.account-verify.net, the site you would land on belongs to account-verify.net, not to PayPal. Spelling errors or substituted characters in the domain (a digit 1 for a letter l) are a giveaway. Also be wary of shortened URLs, which hide the real destination and are often used by cybercriminals.
4. Do Not Divulge Any Personal Information Online
Do not type sensitive information into a website unless you are sure which site you are on, and do not give it out over the phone if you receive an unsolicited call. A closed padlock icon, or an address beginning with “https” instead of “http,” means only that the connection is encrypted and that the site’s certificate matches the name in the address bar; it does not mean the site is the one you intended to visit. Phishing sites routinely use HTTPS, because certificates are free and automated, so the padlock is no longer a sign of legitimacy. What matters is the domain name in the address bar: read it yourself rather than trusting the link that brought you there. A site that asks for sensitive information over plain http is a further reason not to enter it, and clicking the padlock will show you which domain the certificate was issued for.
A popular tip says to enter a wrong password on a suspicious site and see whether it is rejected, on the theory that a fake will accept anything. Do not rely on this. Many phishing kits relay what you type to the real site in real time, so a wrong password is rejected exactly as it would be on the genuine login page, and simpler kits just display “incorrect, try again” and record your second attempt too. Anything you type into a suspicious site goes to the attacker, so type nothing and close the tab. A password manager gives you a reliable version of the same test for free: it only offers to fill credentials on the exact domain they were saved for, so if it stays silent on a familiar-looking login page, look at the address bar.
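As an added illustration, not code from the original article: the following Python script performs the “hover and compare” check from step 3 and the “read the domain, not the padlock” check from step 4 mechanically over an HTML email. The trusted-domain list, the shortener list, and every link in the sample message are assumptions constructed for the example; the address 203.0.113.5 is a documentation-only IP.

```python
# Added example, not from the original article: a mechanical version of the
# "hover over the link and compare" check and the "read the domain" check.
# TRUSTED_DOMAINS, SHORTENERS and SAMPLE_EMAIL are constructed for illustration.
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed: the domains the reader actually does business with.
TRUSTED_DOMAINS = ("paypal.com", "chase.com", "amazon.com")
# Assumed and not exhaustive: services that hide the real destination.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl"}
IPV4 = re.compile(r"\d{1,3}(\.\d{1,3}){3}")
DOMAIN_IN_TEXT = re.compile(r"([a-z0-9-]+\.)+[a-z]{2,}")


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a> element in the message."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Last two labels of a hostname: the part the attacker had to register.
    Good enough here; production code would consult the public suffix list."""
    if IPV4.fullmatch(host):
        return host
    return ".".join(host.rstrip(".").split(".")[-2:])


def edit_distance(a, b):
    """Levenshtein distance, used to spot typosquats such as paypa1.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_link(href, text):
    """Return the reasons a link looks like phishing (empty list = nothing found)."""
    reasons = []
    parts = urlsplit(href)
    host = parts.hostname or ""
    actual = registrable_domain(host)
    if parts.scheme not in ("http", "https"):
        reasons.append(f"unusual scheme {parts.scheme!r}")
    if parts.username is not None:
        # https://paypal.com@evil.example/ : 'paypal.com' is a username, not the host
        reasons.append("userinfo before '@' disguises the real host")
    if IPV4.fullmatch(host):
        reasons.append("bare IP address instead of a domain name")
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode hostname (may use look-alike non-ASCII letters)")
    if actual in SHORTENERS:
        reasons.append("URL shortener hides the real destination")
    # What the visible link text claims versus where the href really goes.
    m = DOMAIN_IN_TEXT.search(text.lower())
    if m and registrable_domain(m.group(0)) != actual:
        reasons.append(f"text says {registrable_domain(m.group(0))} but link goes to {actual}")
    for trusted in TRUSTED_DOMAINS:
        if actual == trusted:
            continue
        if "." + trusted + "." in "." + host:
            # paypal.com.account-verify.net belongs to account-verify.net
            reasons.append(f"{trusted} is only a subdomain of {actual}")
        elif edit_distance(actual, trusted) <= 2:
            reasons.append(f"{actual} looks like trusted domain {trusted}")
    return reasons


def scan_email(html):
    """Map each suspicious href in an HTML message to its list of reasons."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = {}
    for href, text in parser.links:
        reasons = check_link(href, text)
        if reasons:
            findings[href] = reasons
    return findings


# Constructed sample message (all links invented for the example).
SAMPLE_EMAIL = """
<p>Your account is limited. <a href="https://paypal.com.account-verify.net/login">Log in
at www.paypal.com</a> within 24 hours.</p>
<p>Your statement is ready: <a href="https://www.chase.com/statements">www.chase.com</a></p>
<p>Track your parcel: <a href="https://bit.ly/3xyz">view package</a></p>
<p><a href="https://xn--pypal-4ve.com/">Update your details</a></p>
<p><a href="https://paypal.com@203.0.113.5/secure">https://paypal.com/secure</a></p>
"""

if __name__ == "__main__":
    for href, reasons in scan_email(SAMPLE_EMAIL).items():
        print(href)
        for reason in reasons:
            print("   -", reason)
```

Run as a script, the genuine chase.com link produces no findings while the other four are flagged for the mismatch, the shortener, the punycode host, and the user-info trick respectively. The heuristics are a triage aid, not a verdict: a distance-2 look-alike check will also catch legitimate domains that happen to be close to a trusted one, and a real mail gateway would add a public-suffix list and reputation lookups.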
5. Keep Your Browsers & Operating System Up to Date
Malicious attachments and booby-trapped web pages exploit software vulnerabilities, so install updates promptly for your operating system, browser, and document viewers; many of them contain critical security patches. Use a firewall, anti-virus software, and spam filtering to cut down the number of phishing and spoofing attempts that reach you at all. Modern browsers also warn before loading known phishing and malware sites (Google Safe Browsing in Chrome and Firefox, Microsoft Defender SmartScreen in Edge); keep that protection switched on rather than relying on third-party anti-phishing toolbars.
6. Check Your Accounts Frequently
One of the best ways to detect fraud is to check your accounts on a regular basis so you can spot any activity that is not yours. While you are in your accounts, make sure each one has a unique password (a password manager makes this painless) and change a password immediately if you suspect it has been phished; forced routine changes add little on their own. Turn on two-factor authentication wherever it is offered, so a stolen password is not enough by itself. And don’t forget to check your credit reports at least once a year: by federal law, you are entitled to a free credit report from each of the three major credit bureaus annually, through annualcreditreport.com.
7. Report Scams
If you’ve received a phishing email or text, don’t just shrug it off—report it. Doing so could help prevent others from falling victim to the same scam.
If you have received a phishing email, forward it as an attachment, so the message headers survive intact, to the organization being impersonated and to the Anti-Phishing Working Group (APWG) at reportphishing@apwg.org. APWG is an international coalition that collects, analyzes, and exchanges lists of phishing sites, and it encourages you to report every phishing email you receive. You can also file a formal complaint with the Federal Trade Commission.
Phishing and spoofing may cost the economy billions, but you don’t have to take the bait and be just another number. By exercising a little caution, you can minimize the splash phishers, spoofers, and other cybercriminals are making—at least in your own life.