Last week, we discussed a few of the important steps you can take to protect yourself from identity theft, including strong password protection, regular credit monitoring, and careful oversight of all your bank and credit card accounts. Today, we’ll take a closer look at one of the most commonly employed strategies for perpetrating identity theft: phishing (as well as its smartphone-based cousin, spoofing). Both of these terms refer to efforts by bad actors to trick you into sharing personal information or downloading harmful malware that might ultimately be used to access your accounts, review your sensitive information, and open new credit cards and spending accounts in your name.
No big deal, you say? Obviously, you know better than to give your social security number to a Nigerian Prince who misspells the word Nigerian. But the truth is, scammers are getting more sophisticated. The methods used to draw out your personal information have advanced considerably since the early days of the web. It might not be quite as obvious as it once was that you are being victimized by a phishing scam. In fact, you might not even realize it’s happened until suspicious charges begin showing up in your mailbox or on your credit report.
This means that the best thing you can do to protect yourself is to recognize a phishing scam when you see it. You should understand and be prepared to recognize the tactics used by identity thieves and online fraudsters. While phishing scams have grown more sophisticated, there are still many red flags that should tip you off.
What is phishing?
Phishing is one of the most commonly employed tactics among online scammers. Nerdwallet notes that, with phishing, a scammer will “try to get you to disclose personal data, such as credit card numbers, Social Security numbers and banking information, by sending an official-looking email. Spoofing involves doing much the same thing with caller ID, so that the number appears to be that of a trusted company or government agency.”
If you use the internet, email, or social media (i.e. if you are literally anybody at all), you need to know the telltale signs of phishing. Identifying common indicators like spelling mistakes, grammatical errors, inconsistent URLs, awkwardly phrased salutations, threatening tone, or suspicious attachments could be the difference between being victimized by an identity thief and enjoying a safe, productive existence on the web.
Fortunately, you don’t have to look very far for examples of the tactics used to perpetrate phishing. In fact, your SPAM folder is almost certainly packed with instances of phishing that serve to demonstrate every single one of the warning signs that we’ll address here below. If you’re curious about what each of these tactics looks like in the wild, your own inbox should offer plenty of samples. This is not just useful for our educational purposes here, but also serves to demonstrate just how omnipresent and permeating the threat of phishing actually is, at least for those who are unprepared.
That said, prepare yourself with a look at these 10 Telltale Signs of Phishing…
1. Non-Secure Requests for Personal Information
First and foremost, greet with suspicion any email you ever receive requesting personal information, regardless of the supposed sender. According to the Cybersecurity Awareness Alliance, “Most organisations will never ask for your personal information such as ….login credentials and credit card details to be sent over the Internet. If the sender claims to be from your bank and requests for your bank account number, it should raise a red flag immediately.” It is highly unlikely that your bank, credit card provider, insurer or any other service provider will request personal information via email, particularly unprompted. Email is considered a highly insecure way of conveying such information and, in most cases, sending it that way would be out of compliance with the responsibilities that your bank or credit card company has to protect your privacy and security. If, therefore, you do receive an email requesting personal information from somebody claiming to represent your bank, reach out to your bank through a separate and official channel, such as the customer service phone number printed on your card or statement, to confirm whether such an email was actually sent. This check will likely yield evidence that the initial email was sent by somebody unaffiliated with your bank.
2. Spelling and Grammatical Errors
You will rarely, if ever, receive an email from your bank requesting “immedeate axis to you’re confidenshal password.” Again, considering the tip above, you will almost certainly never receive an email from your bank requesting access to your account information or password. So right away, if you receive such a message, you can be certain that it’s a scam. But just in case you aren’t entirely certain, feel free to copy and paste the text of the email into a document where you can run a spelling and grammar check. If you’re reading an email that proclaims itself to be official but is in fact riddled with standard junior high school compositional missteps, it probably wasn’t, as it claims to be, written by your “A Count Manger.”
3. Strange or Inconsistent URLs
Don’t be fooled by company logos. These can be easily copied and pasted into fraudulent emails. Instead, check the web address. When you receive a message from a company with which you have an account—be it your health insurance provider, your Amazon Prime account, or your Apple iCloud account—the sender’s address and any links in the email will contain the actual proper URL for the company that claims to be sending this message. If something looks strange, cross-check this message against the actual company’s website. When Amazon, for instance, sends you a message, it will come from an address that looks something like this: [email protected]. If you receive a message from something more like [email protected], you can be certain it didn’t come from Amazon. Fraudulent links contained within the email may also be harmful. According to the National Cybersecurity Alliance, “Malicious links can also be concealed with the body of email text, often alongside genuine ones. Before clicking on links, hover over and inspect each one first.” Always check the sender’s email address and any links contained in the email before clicking, responding, or complying.
4. Threatening Language
As a general rule, agencies like the IRS do not send threatening letters by email. If the IRS wants to speak with you, they will send you an official statement by snail mail requesting that you contact an agent who is identified by name so that you can assist in the process of investigating an open case. At no point will this devolve into threatening language provided you are cooperative. The same is generally true of your bank, your credit card company, your health insurer or any other service provider. Even in instances where you may have a past due balance, delinquent account or are otherwise in arrears, you will likely be contacted only through official means employing neutral language. Some collection agencies are prone to using threatening language, though they are legally prohibited from doing so. If you are on the receiving end of threatening language or harassment from a debt collector or otherwise, do not respond. Instead, reach out immediately to the Consumer Financial Protection Bureau for support and advice.
5. Suspicious Attachments
When you receive an email that says something to the effect of, “here’s that thing you asked for” and it’s from a person you don’t recognize, and it’s a thing you didn’t ask for, do not download it. It likely contains malware designed to expose your private information. If you’re a really busy person and you’re a bit hazy on whether you recognize this email or address or even possibly whether or not you requested something from somebody by email, you can usually single-click on the attachment for a preview image. If it looks strange, unfamiliar, or is largely empty of content, it’s probably nothing you want to download. Report it as SPAM.
6. Elaborate Stories and Strange Explanations
One of the more sophisticated methods of attempting to draw personal information from unwitting victims is to develop an elaborate story that includes an array of details that might justify clicking an otherwise strange link. The Federal Trade Commission warns that “Phishing emails and text messages often tell a story to trick you into clicking on a link or opening an attachment.” For instance, you may receive an email claiming that somebody has attempted multiple log-ins on your private account. On the grounds that you might be the victim of hacking, the email will advise you to click on a link to address the attempted security breach. Be wary of this link. Hover over it to determine if the URL actually matches that of the company which the sender claims to represent.
7. Casually Familiar Brevity
At the opposite end of the spectrum from the elaborate or strange explanation is the suspiciously brief message. This method will typically employ a message so brief as to suggest that you have already been engaged in an exchange with the sender. If you receive a message from an unfamiliar address that includes an attachment and says only something like “the follow-up info is attached” or “see attachment as per our discussion,” you can be pretty sure the attachment is meant to do damage. Unless you actually are expecting a follow-up attachment from the sender in question, trash it.
8. Alphabetized CC List
Scammers typically try to cast a wide net when scheming for information. You may not necessarily be the intended target, but one of thousands who have received an identical message. You can usually tell just by looking at the “CC” line of your email. If you can see the email addresses of other recipients, it’s a scam. No bank, credit card company or retail chain will send you a message that shares the email addresses of other customers. If you receive an email this way, your email address has been harvested from a list containing countless other email addresses. If you see the names of other recipients, report it as SPAM.
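As an added illustration of signs 3 and 8 (this script is not part of the original article), the following Python code runs the checks described above over a constructed sample message: it compares the sender’s domain with the domain of every link in the body, compares any URL shown as link text with the address the link really points to, and counts the recipients visible in the To and Cc lines. Every address and domain in the samples is made up.

```python
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr
from urllib.parse import urlparse

# Constructed phishing-style sample; all domains are invented for this example.
SAMPLE = """From: Amazon Support <support@amazon-account-verify.example>
To: a@example.org
Cc: b@example.org, c@example.org, d@example.org
Subject: Unusual sign-in activity
Content-Type: text/html

<p>Dear Customer, please <a href="http://amazon.example-login.test/verify">https://www.amazon.com/account</a>
to confirm your identity.</p>
<p>Help: <a href="https://www.amazon.com/help">Amazon Help</a></p>
"""

# Constructed message with consistent sender and link domains, for comparison.
CLEAN = """From: Amazon <no-reply@amazon.com>
To: a@example.org
Content-Type: text/html

<p>See <a href="https://www.amazon.com/orders">your orders</a>.</p>
"""

ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
SHOWN_URL_RE = re.compile(r'https?://([^/\s<]+)')

def registrable_domain(host):
    """Naive 'last two labels' domain, e.g. www.amazon.com -> amazon.com (no public-suffix list)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()

def check_message(raw, max_visible_recipients=3):
    """Return a list of human-readable red flags found in one raw RFC 822 message."""
    msg = message_from_string(raw)
    findings = []
    sender = parseaddr(msg.get("From", ""))[1]
    sender_dom = registrable_domain(sender.split("@")[-1]) if "@" in sender else ""
    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8", "replace")
    for href, text in ANCHOR_RE.findall(body):
        link_dom = registrable_domain(urlparse(href).hostname or "")
        if link_dom != sender_dom:  # sign 3: link domain does not match the sender's domain
            findings.append(f"link domain {link_dom!r} differs from sender domain {sender_dom!r}")
        shown = SHOWN_URL_RE.search(text)
        if shown and registrable_domain(shown.group(1)) != link_dom:  # displayed URL != real target
            findings.append(f"link text shows {shown.group(1)!r} but points to {link_dom!r}")
    recipients = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    if len(recipients) > max_visible_recipients:  # sign 8: bulk send with visible recipient list
        findings.append(f"{len(recipients)} visible recipients in To/Cc")
    return findings
```

Running `check_message(SAMPLE)` reports two domain mismatches, one disguised link and a four-address recipient list, while `check_message(CLEAN)` reports nothing.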
9. Awkwardly Phrased Salutations
The University of Delaware notes that another way scammers play the odds is by producing emails with conspicuously generic phrasing. If you receive an email requesting personal information from a sender that doesn’t seem to know your first name, that’s usually a pretty good sign of a disconnect. The University of Delaware offers a few tips for spotting a scammer including the advice that “Many business and commercial emails from legitimate organizations will be addressed to you by name. If an email claims to come from an organization you know but has a generic salutation, something may be phishy.”
10. Unsolicited Prizes
Amazing! You’ve just received an email indicating that you’ve won a $1000 shopping spree at Target! And you didn’t even apply! Hey…wait a minute. If you’ve ever entered a sweepstakes or a prize drawing, you probably know that the odds of winning are pretty long. They’re even longer if you don’t enter. So if you receive a message saying you’ve won something for which you never submitted an entry, but that you can claim your prize with just a few additional details provided, view this message with extreme skepticism. Better yet, don’t view it at all. Flag it for your SPAM folder and make peace with the fact that Target doesn’t actually send around emails offering shopping sprees to random people. And if you’re really trying to win something, check out our tips for How to Win the Lottery instead.
Now that you know what to look for, you can take steps to protect yourself from fraud and identity theft. By the way, if you make a lot of financial transactions online and you’re concerned that this may be increasing your vulnerability to identity theft, it may be time to explore the world of cryptocurrency. Virtual tokens are designed to accommodate trustless exchanges between two online parties while balancing both anonymity and privacy with security and protection from fraud. To learn more, check out these 10 Reasons to Invest in Cryptocurrency.