You may think you would never fall for a fraudulent email, but as phishing tactics become more sophisticated, even experts trained in advanced security procedures are falling for the scams. One of the primary reasons people fall for these schemes is that we believe we are too smart to be tricked. Overconfidence was the number one reason people fell for phishing scams, according to a study by H.R. Rao at the University of Texas at San Antonio.

Phishing is a planned attack designed to gather your personal information with the goal of stealing your money and/or your identity. Using emails, text messages, phone calls and pop-ups on websites, phishers will try to persuade you to provide your usernames, passwords, social security, bank account, and credit card numbers, along with the security codes. While most phishing attacks arrive through email, social media-based attacks are increasing.

The scheme begins with a simple click or a download. These actions can silently change your device: corrupting your valuable files, or automatically installing malware, viruses, spyware or ransomware. Once hacked, your device could hand thieves your financial credentials and even the names of your contacts, so that your device begins sending out more phishing emails without you even being aware that it’s happening.

In some cases, the malware provides the scammer with remote access to your devices. A recent phishing scam included a document embedded with a Trojan that takes screenshots of your device, gathering credit card data and other sensitive information. Some businesses have become infected with ransomware, which encrypts the hard drive and holds “data hostage” until a “ransom” is paid.

Why Do People Fall For Phishers?

Phishing works because thieves know how to hook you. Using several tactics, they draw you into a conversation that seems plausible, sometimes intriguing, and often pushes you into a sense of urgency. Here are some of the ways they will reach out to you:

Phishers will pretend to be one of the contacts in your social media accounts, or impersonate real executives of a legitimate company, using names found on LinkedIn. Often, the emails look as if they are coming from a reliable company, such as a bank, the IRS, your favorite store, or a credit card company. They create copy-cat websites, replicating the logos, color scheme, and graphics of familiar companies.

Scare Tactics

“Respond now, or you risk losing access to the funds in your account!” The rationale is to get you to act before you have time to think. These emails appear to be coming from your financial institution, and they will ask you to “verify” your account information through an online form.

You Won

The promise of getting something for free is a prevalent approach — and unfortunately, one that usually appeals to kids on smartphones. The notification will ask you to click on a link, which could load malware, and then ask you to “fill out a form.”

Asking for Money

We’ve all received the email from a long-lost relative who is stuck in Argentina, has been in an accident, and needs you to wire money so that they can make it back home safely.

How to Protect Yourself — and Your Kids

Children have never had more access to the internet, and are quite vulnerable to online attackers. Teach them what sensitive information is so that they will protect Social Security numbers, credit card numbers, addresses, and passwords. Go through the information presented in this article so that they will know how to recognize “fishy” emails.

Regularly Back Up Your Files

Be proactive about keeping valuable documents and treasured photos safe. Use an external hard drive, or buy a cloud-storage service, to keep your valuable documents safe from attacks. Don’t forget to make frequent, regular backups. In the event that a hacker does make it through your security checks, your documents will be protected.

Open Attachments With Caution

Viruses and malware can be unleashed onto your computer by opening an attachment. If the email seems legitimate, open the attachment in the cloud, such as through Google Docs or Word Online, so that the file does not load onto your device.

Don’t Tell

It may seem obvious, but the best way to stay safe from phishers is to never give out social security numbers, account numbers, birthdays, passwords or any other confidential information. Also, although it’s tempting, don’t post your vacation dates on social media. It’s an open invitation to thieves.

Be Sneaky With Your Passwords

Let’s not use blatant identifiers for passwords. Passwords to avoid are birthdays, your street address, or worse — your social security number. And of course, don’t use the same username and password for all of your online accounts. Once the thief has access to one password, it’s an effortless step to gain access to the rest of your accounts.

Read Your Statements

As soon as they arrive, check over your financial statements to ensure that the transactions listed are yours.

Keep Your Security Current

In the same way that you lock the doors of your home at night, protect your devices with the latest security patches, anti-virus software, and anti-malware packages.

How to Spot a “Phishy” Email

Check, Don’t Click

Never click on the URL link provided in the email. Instead, test the link by hovering over the link text to see the actual web address. Sometimes the URL is hidden in the text under the words “just click here to confirm.” If the address is an entirely different site than the one used in the email, don’t click the link.

Some hackers can be very clever at disguising the URL link to make it “almost match” the real website. To check, open a new browser window and type the URL of the company yourself — not by clicking the link. Then, check the address bar to see if it matches the URL in the email. Also, the “bad link” may lead to a copy-cat website that has been cleverly designed to look exactly like the page on a legitimate website.

One way you can tell is by looking to see if the URL starts with “https” and not “http.” Financial institutions use the “s,” which verifies that it is a secure website. Also look for the closed padlock in the address bar of your web browser.
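To make the hover-and-compare check above concrete, here is an added Python example (not code from the original article) that pulls every link out of a constructed sample email and flags the three things the section tells you to look for: link text that shows one domain while the link goes somewhere else, a destination that is not the sender's domain, and a plain http link. The sample message, the examplebank.com domain and the helper names are assumptions made for this example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

DOMAIN_RE = re.compile(r"(https?://)?[\w-]+(\.[\w-]+)*\.[a-z]{2,}(/\S*)?", re.I)

class LinkCollector(HTMLParser):  # collects (href, visible text) pairs from <a> tags
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(url):  # lowercase host of a URL or bare domain, '' if it has none
    return (urlparse(url if "://" in url else "http://" + url).hostname or "").lower()
def same_site(host, domain):  # host is the domain itself or one of its subdomains
    return host == domain or host.endswith("." + domain)

def check_links(html_body, sender_domain):
    """Return (href, reason) for every web link that fails the hover-and-compare checks."""
    parser = LinkCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        if urlparse(href).scheme.lower() not in ("http", "https"):
            continue  # mailto: and similar links are out of scope here
        target = host_of(href)
        shown = host_of(text) if DOMAIN_RE.fullmatch(text) else ""  # text that looks like a URL
        if shown and not same_site(target, shown):
            findings.append((href, f"text shows {shown} but link goes to {target}"))
        elif not same_site(target, sender_domain):
            findings.append((href, f"goes to {target}, not the sender's {sender_domain}"))
        # https only means the connection is encrypted; phishing sites use it too (weak signal)
        if urlparse(href).scheme.lower() != "https":
            findings.append((href, "not https"))
    return findings
SAMPLE_EMAIL = (  # constructed sample: a "verify your account" email claiming to be from examplebank.com
    '<p>Respond now or lose access! <a href="http://examplebank-verify.co/login">www.examplebank.com</a>'
    ' or <a href="https://secure.examplebank.com/help">just click here to confirm</a>.</p>')
```

Running `check_links(SAMPLE_EMAIL, "examplebank.com")` flags only the first link, for both the mismatched display text and the missing “s”; the second link resolves to a subdomain of the sender and passes.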

Asking Too Much

Reputable companies, including your bank, insurance companies, and the government (the IRS included), will never ask you to provide sensitive information via email or text message. They will only ask for information if you reach out to them, and will usually ask for partial information. For example, medical insurance companies will sometimes ask you to verify the last four digits of your social security number.

Make a Phone Call to Verify

If you still aren’t quite sure whether the message is legitimate, call the business. Find the phone number yourself; don’t use the number provided in the email. Ask them whether they sent this email.

Reputable businesses don’t let emails go out with errors. Spelling and grammar mistakes are a giveaway.

Free games, ring tones, or offers for a chance to win are often used to hide malware. Make sure your kids understand why it’s important not to download anything.

Stay Informed

The Anti-Phishing Working Group lists all current phishing attacks and the latest in the fight to prevent phishing.

Immediate Steps to Take If You Have Been Scammed

It happens. The important thing is to act fast — especially if you think you have lost money or your identity. Time is money.

Disconnect from the Internet

Your first defense is to stop the malware — especially if someone has used it to access your computer remotely. Disconnecting from the internet will keep your device from sending out more confidential information, stop it from infecting your other devices, and stop it from sending phishing emails to your contacts.

Find the Wi-Fi setting on your computer and disconnect. If you aren’t sure where to find this setting, go to the Wi-Fi router in your home, and unplug it.

Contact One of the Three Major Credit Bureaus

Equifax, Experian, and TransUnion all provide a free 90-day fraud alert. Once notified, the bureau you contact will notify the other two, to prevent anyone from opening a new account in your name.

Back Up Your Files and Photos

One of the dangers of a phishing attack is that the information on your personal computer can be erased and destroyed. You’ll want to use an external hard drive to store these documents. Hopefully, you will only need to back up the files that have changed since the last time you backed up.

Scan Your Computer

If you have an anti-virus program, run the scan — you can do this without being connected to the internet, despite the warning that the program may display. Next, you will want to scan your computer for malware with the free program Malwarebytes. To install it, you will need to download the software on another device, load it onto a flash drive, and install it on the compromised computer.

Change your Passwords

Change the passwords for your financial institutions, social media accounts, email and any other financial accounts.

Spread the Word

Contact the company that was impersonated in the scam. Report the scam to the FBI’s Internet Fraud Complaint Center at, and to the government at

The Bottom Line

In our 24×7 connected world, phishing has become an ever-present threat. With each new scam, thieves become far more sophisticated in their arsenal of ploys, to the point of tricking trained security experts. Although phishing is widespread, it is beatable. Stay informed on the latest types of attacks, scrutinize your emails, and don’t be afraid to use the delete button. If you’re unsure whether you have enough liability coverage, contact a Cole Harrison agent to review your policy and coverage to ensure you have the right coverage at the right price.