There are new criminals in town, and they may be as close as your laptop or smartphone. These digital fraudsters are experts in what’s known as phishing—a practice by which internet fraudsters impersonate businesses to try to trick victims into sharing sensitive personal information. This includes login and password details, bank account information, or even Social Security numbers. The cyber-crooks then use these details to perpetrate crimes such as identity theft and fraud.
Phishing is a fast-growing form of cybercrime. In 2016, a record-breaking 1,220,523 phishing attacks occurred—a 65 percent increase over 2015. And phishing also tops the IRS “Dirty Dozen” list of tax scams, impacting everyone from payroll and tax professionals to unsuspecting taxpayers themselves.
Older individuals are especially at risk for phishing scams. The Stanford Center on Longevity reports that those over age 65 are 34 percent more likely to fall victim to a “phishing expedition” than those in their 40s.
How many types of phishing scams are there, and how can you protect yourself against them? Here’s what you need to know.
Although all phishing methods involve fooling unsuspecting victims into revealing their sensitive personal and/or financial information, there are two broad email phishing methods: mass-scale phishing, which seeks a wide range of victims, and spear phishing, which targets a much smaller group.
Mass-Scale Phishing
This is the most common form of phishing—mass emails sent to a broad range of victims. Characteristics of mass-scale phishing emails include:
- A sender name and/or domain that sounds almost, but not quite, legitimate. The sender name may be similar to a well-known brand or company name, such as your bank’s name. For example, instead of “Bank of America” the sender name may be “Bank in America.”
- An impersonal greeting. Phishing emails often do not address you by name, but instead include a salutation like “Dear Sir/Madam.”
- Poor grammar and spelling in the body of the email.
- A message that conveys a sense of urgency or uses phrases meant to scare the reader, such as “Your account is past due, you must act immediately.”
- May imitate a legitimate brand, company, financial institution, or entity, including re-creating the real company’s logo on the scam email.
- May include a zip file attachment that, when clicked on, downloads a malicious file to the victim’s computer.
Spear Phishing
A more customized form of phishing, spear phishing focuses on a smaller, more targeted group of victims, and often uses personal details to make email correspondence seem legitimate. These emails appear to come from individuals or businesses you’re familiar with. Signs an email could be a spear phishing expedition include:
- Personalized email messages using your name in the greeting line, instead of a general salutation, such as “Dear Sir/Madam.”
- A reference to personal details, such as the name of a co-worker. Be particularly wary if the co-worker’s name is misspelled or the job title is inaccurate, as these could be signs of a spear phishing email. For example, if Jayne Smythe is your company’s HR Director, don’t assume it’s an innocent typo if the email refers to “your HR Manager, Jane Smith.”
- Spoofed links to websites that look legitimate but are really sites that collect your personal information for criminals to access later.
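As an added illustration (not code from the original article), here is a small Python checker that applies the mass-scale and spear phishing warning signs from the two lists above to constructed sample messages. The brand list, colleague list, phrase lists, sample messages and the 0.8 similarity cut-off are all assumptions made for this example.

```python
import re
from difflib import SequenceMatcher
# Hypothetical reference data: brands the recipient banks with and colleagues a spear phisher may misspell; 0.8 is an assumed cut-off.
KNOWN_BRANDS = {"Bank of America": "bankofamerica.com"}
KNOWN_CONTACTS = ["Jayne Smythe"]
IMPERSONAL = ("dear sir/madam", "dear customer", "dear user", "dear account holder")
URGENCY = ("act immediately", "past due", "account will be suspended")

def similarity(a, b):
    return SequenceMatcher(None, a.lower(), b.lower()).ratio()

def lookalike_brand(from_name, from_domain):
    """Brand the sender resembles while not mailing from that brand's real domain, else None."""
    for brand, real_domain in KNOWN_BRANDS.items():
        if from_domain == real_domain:
            continue  # genuinely sent from the brand's own domain
        if max(similarity(from_name, brand), similarity(from_domain, real_domain)) >= 0.8:
            return brand
    return None

def misspelled_contact(body):
    """Near-miss spelling of a known colleague's name (e.g. 'Jane Smith'), else None."""
    words = re.findall(r"[A-Za-z]+", body)
    for contact in KNOWN_CONTACTS:
        n = len(contact.split())
        for i in range(len(words) - n + 1):
            candidate = " ".join(words[i:i + n])
            if 0.8 <= similarity(candidate, contact) < 1.0:  # close, but not the real spelling
                return candidate
    return None

def phishing_indicators(msg):
    """Names of the article's warning signs that one parsed message shows."""
    domain = msg["from_addr"].rsplit("@", 1)[-1].lower()
    body = msg["body"].strip().lower()
    checks = {
        "lookalike sender": lookalike_brand(msg["from_name"], domain) is not None,
        "impersonal greeting": body.startswith(IMPERSONAL),
        "urgency language": any(p in body for p in URGENCY),
        "zip attachment": any(a.lower().endswith(".zip") for a in msg.get("attachments", [])),
        "misspelled contact": misspelled_contact(msg["body"]) is not None,
    }
    return [name for name, hit in checks.items() if hit]
# Constructed sample messages (not real mail), in the shape a mail parser might hand over.
MASS_PHISH = {"from_name": "Bank in America", "from_addr": "alerts@bank-in-america-secure.com",
              "body": "Dear Sir/Madam,\nYour account is past due, act immediately.", "attachments": ["statement.zip"]}
SPEAR_PHISH = {"from_name": "Jayne Smythe", "from_addr": "jayne.smythe@examp1e-corp.com",
               "body": "Hi Jayne, your HR Manager, Jane Smith, needs you to confirm your login here."}
GENUINE = {"from_name": "Bank of America", "from_addr": "noreply@bankofamerica.com",
           "body": "Hi Jayne,\nYour monthly statement is ready to view in online banking."}
```

Running `phishing_indicators` over the three samples flags four signs on the mass phish, only the misspelled colleague on the spear phish, and nothing on the genuine statement notice.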
Protect Yourself From Phishing Expeditions
As email phishing becomes more widespread, take the following precautions to protect yourself from being caught in this criminal net.
- Don’t reply to any suspicious emails.
- Don’t click on links within emails asking you to provide or verify information.
- Install anti-virus and anti-malware security software on your computer and set it to update automatically.
- Don’t include any personal information (especially your login/password details, financial information, or Social Security Number) within an email.
- Use caution when opening email attachments as they could contain malicious files sent to infect your computer. Do not click on email attachments from senders you’re not 100 percent sure of!
Phishing Goes Beyond Email
Phishing has evolved far beyond email. Watch out for these scams.
Vishing
The term vishing combines the words “voice” and “phishing” to describe phone calls meant to trick unsuspecting victims into revealing their personal information. And vishers are clever, sometimes using information from social media profiles to make it sound as though the call is legitimately coming from a bank, a credit card company, or even from the IRS. In fact, the Treasury Inspector General for Tax Administration (TIGTA) reports that they are aware of more than 10,000 individuals who’ve paid over $54 million in bogus tax bills since October 2013 as a result of phone scams!
Characteristics of a vishing call may include:
- A “Too good to be true” offer.
- A blocked or altered phone number from the caller.
- Fear tactics or threats, much like those in email phishing.
If you suspect you’re on the line with a possible visher, hang up. If the caller claimed to be calling from your bank or credit card company, call the phone number on your most recent statement or on the back of your credit or debit card to ask whether they’ve been trying to contact you. If the call was legitimate, they should have a record of it.
The IRS does not call taxpayers to demand payment, nor does it ask for your debit or credit card information over the phone. If you suspect that a scamster is posing as a representative of the IRS, hang up immediately and contact TIGTA at (800) 366-4484 to report it. Alternatively, use the IRS Impersonation Scam Reporting site.
Smishing
Smishers contact victims via SMS messages (text messages) in an attempt to gain access to personal information. Hallmarks of smishing include:
- Unsolicited texts from unknown phone numbers.
- Texts that come from numbers that aren’t 10 digits, such as a 5000 number.
- Partial personal details meant to look convincing, such as the last few digits of your bank or credit card number.
- Links to spoofed sites in the body of the text.
- Some smishers use an email service when they text victims to mask their own identities. In this case, instead of seeing a sender’s phone number, you’d see an email address.
If you receive a text that seems suspicious, avoid clicking on any links included in the message. If the sender claims to be from your bank or credit card company, immediately contact your financial institution using the number on the back of your credit or debit card (not the number in the text or on any website linked within the text) to confirm that the text came from them.
Social Media Phishing
If you’re on Facebook or other social media networks, you may receive a duplicate friend request from someone you’re already friends with on the platform. Chances are a social media phisher is casting a line. Watch for these signs of social media phishing:
- A notification that a contact has set up a new social media account to replace their previous one.
- Private messages from your contacts asking you to click on links within the messages. These links could point to spoofed sites where criminals will try to steal your personal information.
- Fake posts right in your newsfeed asking you to click on a link to provide your personal details.
- Suspicious posts or messages from “admins” of the platform.
Be vigilant when using social media. If you receive a duplicate friend request, don’t click on it or accept it. Instead, try to contact your friend via a different method (e.g., phone or text) to let them know you’ve received a second friend request. And don’t click on any suspicious links in messages, posts, or status updates.
Pharming
The word pharming combines phishing with farming and it’s yet another form of cybercrime. When pharming, fraudsters secretly install malicious code on a computer or server to direct traffic away from a real website to a fake website. The fake website can send malware to visitors’ own computers, or collect personal information that criminals can use for a variety of fraudulent and illegal activities, such as applying for credit cards, loans, or even mortgages, or using victims’ own credit card accounts to make online purchases.
To help avoid becoming a pharming victim, always check that you’re visiting a secure site. Look for an “s” at the end of “http” in the URL address in your browser bar, as well as a little padlock symbol at the bottom of your browser page to confirm security. Keep in mind that the padlock only confirms the connection is encrypted, so also check that the domain name in the address bar is the one you expect. You should also install anti-virus and anti-malware software on your computer, tablet, and smartphone. And as with other forms of phishing, never click on suspicious links.
As a computer and smartphone user, the best way to protect yourself from phishing scams is to become familiar with their many forms. Know what to watch for and never open attachments, click on links, or respond to unsolicited communications if anything seems even a little fishy. When it comes to phishing, it’s better to play it safe in order to protect your personal information and avoid becoming yet another fraud or identity theft victim.