Phishing and its insidious variants are responsible for over half of all cybercrimes committed in the US. By imitating trusted companies, reputable institutions, or even fellow employees, cybercriminals have been able to scam millions of dollars from unsuspecting victims. But how do they do it? By better understanding the methods that online thieves use to steal finances or vital personal information, you will be better prepared to spot and avoid a phishing attempt.
Scammers often start a phishing attempt by using spoofing techniques to pretend to be a person or company that the victim trusts. This is normally done by making a slight change on a trusted email address, phone number or website URL to make it appear the message is coming from a legitimate source. If the victim isn’t paying close enough attention to spot the spoofing, they become more vulnerable to the actual phishing attack.
(This email has an attention-grabbing subject line, lacks any contact information and has changed the spelling of MicroTech to ‘MycoTek’ in the sender’s email address. We can assume that this email is a spoof.)
Spotting a Spoof
- If an email requests sensitive information or financial payment on behalf of a company, check with the business through a customer service department to confirm that the email is legitimate.
- Check provided links by hovering your cursor over the linked texts. URLs leading to spoofed websites will commonly not match the site that’s being imitated.
- Spoofed emails will commonly contain an attention-grabbing subject line to entice the victim to read further. Subject lines such as “IMMEDIATE ACTION REQUIRED” or “I Need Your Help…” are common examples of this tactic.
- Check for contact information in emails supposedly originating from a trusted company. Legitimate outbound emails will contain the sender’s name, email address, mailing address, or phone number.
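The two checks above that a person does by eye (does the sender’s address really belong to the company, and does the link’s visible text match where it actually points?) can also be automated for triage. The following is an added example written for this page, not code from the original article; it parses a constructed sample message modelled on the MicroTech/MycoTek spoof described above, flags a sender domain that is a near-miss of a trusted domain, flags links whose displayed URL and real destination differ, and flags an attention-grabbing subject line. The trusted-domain list, the example domains, and the "last two labels" rule for reducing a hostname to its registrable domain are all assumptions made for the example.

```python
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (not a real email); the domains are placeholders.
SAMPLE_EMAIL = """\
From: MicroTech Support <support@mycotek-example.com>
To: victim@example.org
Subject: IMMEDIATE ACTION REQUIRED
Content-Type: text/html

<html><body>
<p>Your account will be closed. Please visit
<a href="http://login.mycotek-example.com/verify">https://www.microtech-example.com/account</a> now.</p>
<p>Help: <a href="https://www.microtech-example.com/help">Contact support</a></p>
</body></html>
"""

# Assumed allow-list of domains the recipient's organisation actually deals with.
TRUSTED_DOMAINS = ["microtech-example.com"]

# Phrases the article cites as typical attention-grabbing subject lines.
URGENT_PHRASES = ("immediate action required", "i need your help", "urgent")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def levenshtein(a, b):
    """Edit distance; small values between domains suggest a lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host):
    """Crude 'last two labels' reduction (assumption; real code would use the public suffix list)."""
    parts = (host or "").lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else (host or "").lower()


def host_of(text):
    """Hostname of a URL, also accepting scheme-less text such as 'www.example.com/x'."""
    if "://" not in text:
        text = "http://" + text
    return urlparse(text).hostname


def analyze(raw, trusted):
    """Return a list of (kind, detail) findings for one raw RFC 822 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    # 1. Sender domain: trusted, a close lookalike of a trusted domain, or simply unknown.
    _, addr = parseaddr(str(msg["From"] or ""))
    domain = addr.rsplit("@", 1)[-1].lower()
    if domain not in trusted:
        closest = min(trusted, key=lambda d: levenshtein(d, domain))
        dist = levenshtein(closest, domain)
        kind = "lookalike-sender" if dist <= 5 else "untrusted-sender"
        findings.append((kind, f"{domain} vs trusted {closest} (edit distance {dist})"))

    # 2. Subject line: all-caps or a known pressure phrase.
    subject = str(msg["Subject"] or "")
    if subject.isupper() or any(p in subject.lower() for p in URGENT_PHRASES):
        findings.append(("urgent-subject", subject))

    # 3. Links: visible URL text that points elsewhere, and destinations off the allow-list.
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = LinkCollector()
        collector.feed(body.get_content())
        for href, text in collector.links:
            href_host = urlparse(href).hostname
            looks_like_url = "." in text and " " not in text
            if looks_like_url and registrable(host_of(text)) != registrable(href_host):
                findings.append(("link-mismatch", f"shows {text} but goes to {href}"))
            if registrable(href_host) not in trusted:
                findings.append(("untrusted-link", href))
    return findings


if __name__ == "__main__":
    for kind, detail in analyze(SAMPLE_EMAIL, TRUSTED_DOMAINS):
        print(f"{kind:18} {detail}")
```

Run against the sample, the script reports a lookalike sender, an urgent subject, one link whose displayed address differs from its real destination, and one link to an untrusted host, which is exactly the set of cues the checklist above asks a reader to look for by hand.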
In a traditional phishing attack, a spoofed email appearing to be from a legitimate business (a bank, credit card company, etc.) will be sent to the victim, requesting an update of personal information. A link will usually be provided, leading the victim to a fake (spoofed) website made to look nearly identical to the legitimate business’s actual website. Sensitive information will be requested, including passwords, credit card numbers or ATM PINs. Sometimes clicking on a link in a phishing message can download malware to your computer. Other times, the phishing email or website will try to facilitate a money transfer.
(The scammer has made the email appear legitimate, but the message lacks any referral to the customer’s name or personal information.)
Common Signs of Phishing Attacks
- The message lacks any referral to the customer’s name or personal information. Phishing emails are often sent in batches of thousands or even millions, making it impossible for the scammer to personalize the message to an individual like a bank or credit card company would when contacting a customer.
- The email address or website has been spoofed. If an email message seems suspicious, it is a good idea to check the address it was sent from before responding or clicking on anything.
- Many companies make it their policy not to conduct certain activities (e.g. transferring money) via email. If you’re not sure about a message you received, call the company.
Unfortunately, phishing scams are not just reserved for emails. One variation is ‘vishing’, which is the use of a phone call to gain sensitive information. Normally the scammer will pose as a bank representative or a member of law enforcement to better convince the victim. Another variation is ‘smishing’, which is the same phishing process done strictly through text or SMS messages.
(An example of a 'smishing' text message.)
What to do if you accidentally responded to a phishing attempt
- Change passwords immediately, especially if you logged into a website by clicking a link in the message. Contact financial institutions (banks, credit cards) and the company that the scammer was spoofing. Let them know your accounts may be compromised. Major companies will have procedures for you to follow to protect your accounts and sensitive information.
- Regularly monitor your computer for viruses or malware. Simplified Computers offers our Extra Care Virus Removal service if your computer should become infected with malware.
Don’t be fooled! #FightThePhish!