There are new criminals in town, and they may be as close as your laptop or smartphone. These digital fraudsters are experts in what’s known as phishing—a practice in which internet fraudsters impersonate businesses to trick victims into sharing sensitive personal information, such as login and password details, bank account information, or even Social Security numbers. The cyber-crooks then use these details to commit crimes such as identity theft and fraud.
Phishing scams are a fast-growing form of cybercrime. According to the Anti-Phishing Working Group, Inc., the number of phishing scams doubled over the course of the year 2020. And phishing also tops the IRS “Dirty Dozen” list of tax scams, impacting everyone from payroll and tax professionals to unsuspecting taxpayers themselves.
Older individuals are especially at risk for phishing scams. The Stanford Center on Longevity reports that those over age 65 are 34% more likely to fall victim to a “phishing expedition” than those in their 40s.
How many types of phishing scams are there and how can you protect yourself against them? Here’s what you need to know.
Email Phishing Scams
Although all phishing methods involve fooling unsuspecting victims into revealing their sensitive personal and/or financial information, there are two broad email phishing methods:
- Mass-scale phishing seeks a wide range of victims
- Spear phishing targets a much smaller group
Mass-Scale Phishing Scams
This is the most common form of phishing—mass emails sent to a broad range of victims. Characteristics of mass-scale phishing emails include:
- A sender name and/or domain that sounds almost, but not quite, legitimate: The sender name may be similar to a well-known brand or company name, such as your bank’s name. For example, instead of “Bank of America” the sender name may be “Bank in America.”
- An impersonal greeting: Phishing emails often do not address you by name, but instead include a salutation like “Dear Sir/Madam.”
- Poor grammar and spelling: This happens frequently in the body of phishing emails.
- Urgency or scare tactics: Messages may try to spark a sense of urgency or use phrases to try to scare readers, such as “Your account is past due, you must act immediately.”
- Imitation of a legitimate brand, company, financial institution or other entity: This can include copying the real company’s logo into the scam email.
- A zip file attachment: When you open it, a malicious file is installed on your computer.
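To show how a defender can turn the traits above into something checkable, here is an added example (not code from the original article) that scores a raw email against them: a lookalike-domain check using edit distance against a small allow-list of real sending domains, a display-name-versus-domain check, an impersonal-greeting check on the first line of the body, urgency-phrase matching, and a zip-attachment check. The brand allow-list, phrase lists, weights, threshold and both sample messages are constructed for the example; the `.example` domain is a reserved placeholder.

```python
"""Score a raw email against the mass-scale phishing traits listed above.
Added example, not code from the original article: the brand allow-list,
phrase lists, weights and both sample messages are constructed."""
import email
from email import policy
from email.utils import parseaddr

# Constructed allow-list: a brand's display name and the domains it really sends from.
KNOWN_BRANDS = {"bank of america": {"bankofamerica.com"}, "example bank": {"examplebank.com"}}
IMPERSONAL_GREETINGS = ("dear sir/madam", "dear sir or madam", "dear customer", "dear user")
URGENCY_PHRASES = ("act immediately", "past due", "will be suspended", "verify your account")
# Constructed weights: sender and attachment signals count more than wording alone.
WEIGHTS = {"lookalike_domain": 3, "brand_mismatch": 3, "zip_attachment": 3, "urgency": 2,
           "impersonal_greeting": 1}
SUSPICIOUS_AT = 5  # score at or above which the message is reported as suspicious


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: 'bankinamerica' vs 'bankofamerica' is 2."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_label(domain: str) -> str:
    # 'alerts.bankinamerica.example' -> 'bankinamerica' (simplified; ignores ccTLD forms)
    labels = domain.lower().split(".")
    return labels[-2] if len(labels) > 1 else labels[0]


def sender_findings(display_name: str, domain: str) -> list[str]:
    """Trait 1: a sender name or domain that is almost, but not quite, a known brand."""
    name, domain, label = display_name.lower().strip(), domain.lower(), domain_label(domain)
    findings = []
    for brand, real_domains in KNOWN_BRANDS.items():
        if edit_distance(name, brand) <= 2 and domain not in real_domains:
            findings.append(f"brand_mismatch: '{display_name}' sent from {domain}")
        for real in real_domains:
            if label != domain_label(real) and edit_distance(label, domain_label(real)) <= 2:
                findings.append(f"lookalike_domain: {domain} resembles {real}")
    return findings


def body_findings(text: str) -> list[str]:
    """Traits 2 and 4: an impersonal greeting on the first line, urgency phrases anywhere."""
    findings = []
    lines = [ln.strip().lower() for ln in text.splitlines() if ln.strip()]
    if lines and any(lines[0].startswith(g) for g in IMPERSONAL_GREETINGS):
        findings.append(f"impersonal_greeting: {lines[0]!r}")
    hits = [p for p in URGENCY_PHRASES if p in text.lower()]
    if hits:
        findings.append("urgency: " + ", ".join(hits))
    return findings


def attachment_findings(msg) -> list[str]:
    """Trait 6: a zip attachment, recognised by file name or declared content type."""
    findings = []
    for part in msg.iter_attachments():
        name, ctype = (part.get_filename() or "").lower(), part.get_content_type()
        if name.endswith(".zip") or ctype in ("application/zip", "application/x-zip-compressed"):
            findings.append(f"zip_attachment: {name or ctype}")
    return findings


def score_email(raw: str) -> dict:
    """Parse an RFC 5322 message and return its findings, weighted score and verdict."""
    msg = email.message_from_string(raw, policy=policy.default)
    display_name, address = parseaddr(str(msg["From"] or ""))
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    findings = (sender_findings(display_name, address.rpartition("@")[2])
                + body_findings(text) + attachment_findings(msg))
    score = sum(WEIGHTS[f.split(":", 1)[0]] for f in findings)
    verdict = "suspicious" if score >= SUSPICIOUS_AT else "no phishing traits found"
    return {"findings": findings, "score": score, "verdict": verdict}


# Constructed sample messages: one showing every trait, one ordinary statement notice.
RAW_PHISH = """\
From: Bank in America <alerts@bankinamerica.example>
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Dear Sir/Madam,

Your account is past due, you must act immediately or it will be suspended.

--b1
Content-Type: application/zip; name="statement.zip"
Content-Disposition: attachment; filename="statement.zip"

not-a-real-zip
--b1--
"""
RAW_LEGIT = """\
From: Example Bank <alerts@examplebank.com>
Content-Type: text/plain

Hi Jayne, your March statement is available in online banking. No action is needed.
"""
```

Running `score_email(RAW_PHISH)` reports all five findings with a score of 12, while `RAW_LEGIT` scores 0. The edit-distance threshold of 2 catches substitutions like “in” for “of” in the example above, but a production filter would also need to check the domain’s authentication results (SPF/DKIM/DMARC) rather than rely on the display name alone, since a lookalike display name is only one of the traits listed.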
Spear Phishing Scams
A more customized form of phishing, spear phishing focuses on a smaller, more targeted group of victims and often uses personal details to make email correspondence seem legitimate. These emails appear to come from individuals or businesses you’re familiar with. Signs an email could be a spear phishing expedition include:
- Personalized email messages: These often use your name in the greeting line, instead of a general salutation, such as “Dear Sir/Madam.”
- A reference to personal details: This could include the name of a co-worker. Be particularly wary if the co-worker’s name is misspelled or their job title is inaccurate, as these can be signs of a spear phishing email. For example, if Jayne Smythe is your company’s HR Director, don’t assume it’s an innocent typo if the email refers to “your HR Manager, Jane Smith.”
- Spoofed links to websites: These can look legitimate but are really sites that collect your personal information for criminals to access later.
Protect Yourself From Phishing Expeditions
As email phishing scams become more widespread, take these precautions to protect yourself from being caught in this criminal net:
- Don’t reply to any suspicious emails.
- Install anti-virus and anti-malware security software on your computer and set it to update automatically.
- Don’t click on links within emails asking you to provide or verify information.
- Use caution when opening email attachments, as they could contain malicious files sent to infect your computer. Do not open email attachments from senders you’re not 100% sure of.
- Don’t include any personal information (especially your login/password details, financial information or Social Security Number) within an email.
How To Report Phishing
The Federal Trade Commission recommends taking the following steps to report phishing:
Step 1: If you got a phishing email, forward it to the Anti-Phishing Working Group at firstname.lastname@example.org. If you got a phishing text message, forward it to SPAM (7726).
Step 2: Report the phishing attack to the FTC at ReportFraud.ftc.gov.
Phishing Goes Beyond Email
Phishing has evolved far beyond email. Watch out for these scams.
Vishing
The term vishing combines the words “voice” and “phishing” to describe phone calls meant to trick unsuspecting victims into revealing their personal information. Vishers are clever, sometimes using information from social media profiles to make it sound as though the call is legitimately coming from a bank, a credit card company or even the IRS. In fact, the Treasury Inspector General for Tax Administration (TIGTA) reports that it is aware of more than 10,000 individuals who paid over $54 million in bogus tax bills from October 2013 through 2017 as a result of phone scams!
Characteristics of a vishing call may include:
- A “Too good to be true” offer
- Fear tactics or threats, much like those in email phishing
- A blocked or altered phone number from the caller
If you suspect you’re on the line with a possible visher, hang up. If the caller claimed that they were calling from your bank or credit card company, call the phone number on your most recent statement or on the back of your credit or debit card to ask whether they’ve been trying to contact you. Your financial institution should have a record of the call if it was legitimate.
The IRS does not call taxpayers to demand payment, nor does it ask for your debit or credit card information over the phone. If you suspect that a scammer is posing as a representative of the IRS, hang up immediately and contact TIGTA at (800) 366-4484 to report it. Alternatively, use the IRS Impersonation Scam Reporting site.
Smishing
Smishers contact victims via SMS (text) messages in an attempt to gain access to personal information. Hallmarks of smishing include:
- Unsolicited texts from unknown phone numbers
- Texts that come from numbers that aren’t 10 digits, such as a 5000 number
- Incomplete details about your personal information, such as a few digits of your bank account or credit card number
- Links to spoofed sites in the body of the text
- A sender shown as an email address instead of a phone number: Some smishers send their texts through an email service to mask their own identities.
If you receive a text that seems suspicious, avoid clicking on any links in the message. If the sender claims to be from your bank or credit card company, contact your financial institution directly using the number on the back of your credit or debit card (not the number in the text, nor any number on a website linked from the text) to confirm whether the text came from them.
Social Media Phishing
If you’re on Facebook or other social media networks, you may receive a duplicate friend request from someone you’re already friends with on the platform. Chances are a social media phisher is casting a line. Watch for these signs of social media phishing:
- A notification that a contact has set up a new social media account to replace their previous one
- Private messages from your contacts asking you to click on links within the messages. These links could point to spoofed sites where criminals will try to steal your personal information.
- Fake posts right in your newsfeed asking you to click on a link to provide your personal details
- Suspicious posts or messages from “admins” of the platform
Be vigilant when using social media. If you receive a duplicate friend request, don’t click on it or accept it. Instead, try to contact your friend via a different method, like phone or text, to let them know you’ve received a second friend request. And don’t click on any suspicious links in messages, posts or status updates.
Pharming
The word pharming combines “phishing” with “farming,” and it is yet another form of cybercrime. In pharming, fraudsters secretly install malicious code on a computer or server to redirect traffic from a real website to a fake one. The fake website can send malware to visitors’ computers or collect their personal information. Criminals can use your information for a variety of fraudulent and illegal activities, such as:
- Applying for credit cards, loans or even mortgages
- Using victims’ own credit card accounts to make online purchases
To help avoid becoming a pharming victim, always check that you’re visiting a secure site. Look for an “s” at the end of “http” in the URL in your browser’s address bar, as well as a little padlock symbol at the bottom of your browser page, to confirm security. You should also install anti-virus and anti-malware software on your computer, tablet and smartphone. And as with other forms of phishing, never click on suspicious links.
As a computer and smartphone user, the best way to protect yourself from phishing scams is to become familiar with their many forms. Know what to watch for and never open attachments, click on links or respond to unsolicited communications if anything seems even a little off. When it comes to phishing, it’s better to play it safe in order to protect your personal information and avoid becoming yet another fraud or identity theft victim.
Have you run into any phishing scams recently? Share your experience and any tips you have for avoiding them below.