What Are Phishing Scams and How to Avoid Them
One of the major online threats users face today is the notorious phishing scam. When celebrity Twitter accounts are hacked and bank accounts are depleted, it is oftentimes the result of a successful phishing campaign launched by criminals.
Phishing is an extremely popular tool in the cybercriminal toolbox, whether the criminal is a “big fish” or a “bottom feeder”, and it is used to target a variety of online services – online banking sites, email, social media accounts, frequent flyer programs, and more.
Although these scams exploded in popularity over a decade ago, many people still don’t use identity protection services, as evidenced by the fact that the scams are still going strong and users continue to fall for them. So what are they exactly and how can you protect yourself?
So what is a phishing scam?
In essence, phishing scams are a tool for collecting credentials. Cybercriminals create a site that looks exactly like the actual website they want to target, then they place it on a web server that they control. Creating a copy of a legitimate website is a lot easier than you may expect, as every browser has the ability to save a webpage locally, including all of its content, such as images, etc.
Then, the cybercriminal crafts an intimidating email message, one that may say “we have noticed suspicious activity on your account, please provide your information to validate your identity, or your account will be shut down”.
The email, which includes an actual logo of the organization or social media site, contains a supposed link to the organization’s website – but in fact it takes you to a fake site. There, victims divulge the requested credentials and the information reaches the cybercriminal instead of the organization. Once the information is in the cybercriminal’s hands, they can use or sell it.
The general idea behind phishing scams is pretty straightforward. In the past criminals tried hacking into organizations’ websites to get user information, but at some point they realized there’s a much easier way to do that by targeting an organization’s weakest link – its customers. A bank could support the most resilient and secure internal network but its customers, specifically those who are less tech-savvy, are more vulnerable and exposed to online scams.
How to identify phishing scams
So, how can we protect ourselves from phishing?
Know the Enemy
The most important way to avoid falling victim to a phishing scam is simple – know that it exists. Now that you know what phishing emails look like, you’ll be able to recognize them and think before you click.
Keep in mind that phishing scams don’t just target online banking sites; your email or Twitter account could also be the target of phishing, and unlike banks, these services may actually send you notification emails. In these cases it will be harder to distinguish the legitimate emails from the false ones, so use caution when opening emails and go directly to the social media website rather than clicking a link.
Never sign into web pages through links
If you receive an email from an online service and would still like to verify that your account is in order, make sure to open your browser and type in the address. Never EVER click on a link, no matter how convincing it is. A link that says “gmail.com” but sends you to a different server is easy to create.
Look at the address bar
Before you provide your details, validate the web address in the address bar. As some phishing domains look similar to the legitimate website, this method isn’t enough to protect you if you click on links embedded in emails.
In addition, look for the padlock icon next to the address bar. As almost all self-respecting websites use encryption (which is what the padlock icon represents), a lack of it would be enough to raise suspicion that you are about to enter your information into a false website.
Keep an eye out for anything suspicious
Always be on the lookout for anything suspicious on the website. If the login page suddenly asks you to fill out additional fields, if certain links do not work, or the format of the page seems a bit wonky (criminals aren’t able to fully replicate the site every time), stop and go through the previous steps to ensure you are communicating with the legitimate site.
As a side note, if you see extra fields that shouldn’t appear but you are sure you’re on the right website – you may not be a victim of phishing but may instead have been infected by malware!
What you should do if you’ve been victimized
If you realize you’ve fallen victim to a phishing scam – log into the legitimate website and change your credentials immediately! Criminals don’t normally use your credentials the minute you provide them, so you have a window of opportunity to change the password and render the information you provided useless.
If you use the password you provided for more than one site, make sure to change it across those sites as well. Fraudsters are well aware of password reuse and will try to exploit it to compromise your identity.
If you’ve provided information such as your Social Security Number, your mother’s maiden name and your date of birth, set up a fraud alert as soon as possible. Fraud alert messages notify potential credit grantors that they need to verify your identification before extending credit in your name in case someone is using your information without your consent. Here is their contact information:
Once you set up a fraud alert for one of them, the other two will be notified.
There are several types of fraud alerts you can place, from an initial fraud alert which lasts for at least 90 days to an extensive alert that lasts up to 7 years. You can choose which fraud alert to set up based on the severity of the identity theft incident.
Furthermore (and this is true regardless of where you live), if fraud has already taken place, you should immediately notify the financial institution you bank with (if your account has been taken over) or issuer (in case your credit card was used).
In some countries, it may be advisable to report the crime to the police as a police report can be later used as proof that you have been victimized.
Unfortunately, the internet is filled with individuals who try to compromise our identity for financial gain, political activity or even just for their own amusement. Be aware of phishing scams and the threats out there and stay alert. Be safe!