A phishing scam is an attempt to “fish for” your sensitive information. Here’s how you can tell those pirates to walk the plank.
An email from PayPal arrives, confirming that you’ve just made a payment for an eBay auction…except that you haven’t. At closer read, you notice some typos and awkward phrasing. And when you click on the PayPal link in the message, the page looks like a PayPal page… sort of.
It’s a phishing scam, an attempt to “fish for” your sensitive information. Chances are good that if you haven’t already encountered one of these scams, you will. In the second quarter of 2014 alone, the Anti-Phishing Working Group (APWG) reported 128,378 phishing sites. But there are things you can do to recognize scams like this one, and outsmart thieves.
Know the scams
Your first line of defense is to know some of the most common phishing scams so you’ll recognize them when you see them.
First are unexpected emails that appear to come from banks, social networks, auction sites like eBay, or financial sites like PayPal, claiming you need to reactivate your account. They’ll then offer a link for you to click through to log in. The link will appear to take you to a real site, but it’s actually a “spoof” that will collect your information.
Another common phishing scam comes from the “fraud department” of a major company, claiming there’s been a security breach and that you must log in (via their fake login page, linked in the email) to check your account. These emails often include tips on avoiding fraud, just to make their messages look trustworthy.
And what about a free gift that you just got sent to your inbox from not-sure-who? And all I have to do is activate it by clicking a strange link and giving you some personal information? I’m on to you, buddy.
Can we outsmart a phishing scam? Totally. Here are some ways to know if an email is legit:
1) No legitimate company will ever (EVER!) ask you for your password or for a private verification code that was texted to you or sent by email.
2) Where I’m from: Check the “From” address. The sender name and address displayed in your mail client are easy to forge, so don’t trust them on their own; revealing the full header information in an email shows you the actual sending address, which is often a giveaway. Before you click, read the links in an email closely by hovering your mouse over them: if a link doesn’t point where you expect (for instance, instead of PayPal.com, you get PayPalCo.com or even a completely unrelated URL), you’re looking at a fake.
3) Look before you click: Before you click on a link in any email like this, hover over it to see the entire web address. A legitimate login page will start with “https://”, but the part that matters is the domain itself: is the link actually going to “Paypal.com”, or to some strange variation (like “Paypalcompany.com”) or a look-alike with the real name buried inside a longer address?
4) I can haz spelling? Almost half of phishing scams originate abroad, according to the APWG; that’s why they’ll often include spelling errors or awkward phrasing that doesn’t sound like native English. And even the ones written by locals are often filled with mistakes (after all, the phishers aren’t professional writers; they’re professional crooks). Scammers hope you’ll read their messages too quickly to notice the errors.
5) Rightnowrightnow! A sense of urgency, and lots of repetition in the message is typical in a phishing scam: for instance, if you don’t act now, your account will be deleted, or you won’t be able to access your funds. When you’re feeling rushed or panicked, you’re less likely to read carefully and question the message. Slow down and don’t fall for it.
6) Beware of attachments. They can carry viruses and malware (and few legitimate companies will send you one you weren’t expecting).
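The “From” and “look before you click” checks in steps 2 and 3 can be automated when triaging a suspicious message. This is an added example, not code from the original article; it assumes a constructed sample email and that the legitimate domain is paypal.com.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample in the style the article describes: a forged "PayPal" notice.
SAMPLE_EMAIL_HTML = """
<p>Your account will be deleted unless you act now!</p>
<a href="http://paypalco.com/login">https://www.paypal.com/login</a>
<a href="https://www.paypal.com/help">Help center</a>
<a href="https://paypalcompany.com/verify">Verify your account</a>
"""

# Matches link text that looks like a bare domain or URL, capturing the host.
URL_TEXT = re.compile(r"(?:https?://)?([A-Za-z0-9.-]+\.[A-Za-z]{2,})(?:/\S*)?")


class LinkExtractor(HTMLParser):
    """Collects (href, visible text) pairs from <a> tags."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = (dict(attrs).get("href") or ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def belongs_to(host, expected_domain):
    """True if host is expected_domain or a subdomain of it (case-insensitive)."""
    host = host.lower().rstrip(".")
    return host == expected_domain or host.endswith("." + expected_domain)


def check_links(html, expected_domain):
    """Return (href, reason) pairs for links that fail the article's checks."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = (urlparse(href).hostname or "").lower()
        if urlparse(href).scheme != "https":
            findings.append((href, "not https"))
        if not belongs_to(host, expected_domain):   # catches PayPalCo.com, Paypalcompany.com
            findings.append((href, "host %r is not %s" % (host, expected_domain)))
        shown = URL_TEXT.fullmatch(text)            # link text shows one site, href goes elsewhere
        if shown and shown.group(1).lower() != host:
            findings.append((href, "text shows %s" % shown.group(1)))
    return findings
```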
Suspect a phishing scam? Call the company to ask if they sent you the email to know for sure. Or, type their web address in on your own, log into your account (remember, don’t click on the link in that email!) and look for an alert or mention of a problem. If you don’t see one, it’s likely that it’s a false alarm.
You can also report potential phishing scams to the APWG.
If you do fall prey to a phishing scam, change your password right away, run anti-virus software, and contact a major credit bureau such as Equifax to flag your account against identity theft. So the phishers wind up where they belong: Lost at sea.