Every day, thousands of Americans fall victim to phishing scams.
Phishing attempts by cybercriminals typically come in the form of email or text messages in order to trick unsuspecting individuals. Their goal is for the receiver to click a malicious link or attachment, or give away sensitive information such as passwords, account numbers or Social Security numbers. With that information in hand, scammers can gain access to private banking, Social Security, tax and other accounts.
Phishing is a global business, with experts estimating that 3.4 billion fraudulent emails are sent around the world every day. The Federal Trade Commission received more than 1.4 billion fraud reports in 2017 and reports that the number of fraud attempts increases exponentially each year.
Unfortunately, phishing attempts are getting more sophisticated each year. They are no longer as simple as the now-cliché scams, such as the mysterious Nigerian “businessmen” with relatives in jail who need help or lottery winnings to share with just a small investment. Today, phishing emails are more likely to imitate legitimate companies, perhaps even businesses you know or patronize.
Generally speaking, there are two types of phishing email tactics hackers use. The first is a mass email with generalized content or subject lines about something you may have or participate in, such as a Facebook account or a Netflix account. These are sent to thousands of email addresses, and the chances are the email will be relevant to a portion of the recipients.
The second, called spearphishing, is more targeted and uses information about you to gain your attention. The hacker could view a social media post about your vacation, then send a phishing email posing as an erroneous credit card charge from that location. Adding this extra context increases the chance that the recipient trusts the email and clicks the link or attachment.
At The Fiduciary Group, we want to make sure our clients stay safe in the increasingly digital world. We offer the following tips to help identify and protect yourself from phishing attempts:
- Carefully examine the email address. Phishing emails frequently use forged or fraudulent email addresses – called spoofing – to mislead or deceive the recipient about the origin of the message. These email messages may look like they’re from a legitimate business, such as a bank, credit card company, or social networking site. Make sure the sender’s email address looks authentic. If it doesn’t, it could be a phishing attempt. Unfortunately, experienced hackers can manipulate the email address to look like an authentic email. So, even if the email address does look authentic, exercise caution.
- Hover your mouse over a URL, without clicking, to see if it matches the sender. Scammers can spoof the sender to say “Bank of America,” but if the link within the body of the email isn’t associated with Bank of America, it’s most likely a phishing email. Hackers can also make the URLs similar to a legitimate company, but with slight differences. For example, the URL could include “Banc of America.”
- Look for typos and uncommon wording. Often, hackers are based in foreign countries, so it’s not uncommon to see misspelled words or incorrect capitalizations in phishing emails. Since English might not be their first language, the wording within the email might seem odd as well.
- Phishing emails create a sense of urgency. To increase the chance of someone clicking a link or downloading an attachment, hackers create a sense of urgency. An email might indicate that suspicious activity, login attempts or “irregular” activity have been detected in your account. These messages often call for urgent and immediate action on your part. Never react without careful consideration of the authenticity of the request.
- Remember that context is important. If something seems off or out of place, it probably is. For example, if the subject of an Amazon email says there is a problem with your latest order, but you haven’t ordered anything from Amazon, this raises red flags. If the email tells you to check your tracking number for a package, but you aren’t expecting a package, chances are it’s a phishing email.
- Don’t click the link! Do not click on any links or attachments included in suspicious emails. Even if the attachment looks like a familiar file format — like Excel or Word — it could contain a virus. The best practice is to log into the account instead of clicking the link. If there really is an urgent issue, there will most likely be an alert or message when you log in directly.
- Take steps to verify. When an email is received, log in through proper channels to check on your accounts and to see if you have any official notifications. If you are unsure of an email, you can always call the company directly to verify the authenticity. In other words, use your usual portal, web address or app to log into your account. If you’ve confirmed a phishing attempt, delete the suspicious email and block the sender’s email address.
- Maximize security on your computer and your accounts. Always make sure that you keep your computer’s security software up to date. Most software companies offer a way to make updating automatic and frequent. Use multi-factor authentication on any of your accounts that offer it. This adds another layer of security by requiring login attempts to include your password as well as an authentication code.
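For readers who screen mail for others, the sender and link checks from the first two tips can be automated. The sketch below is an added example, not part of the original article: the function names, the `.example` domains, the sample message and the 0.85 similarity threshold are all assumptions made for illustration.

```python
import difflib
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

TRUSTED = {"bankofamerica.example"}  # assumption: domains you really use
# Constructed sample message: spoofed sender, lookalike link.
SAMPLE = '''From: "Bank of America" <alerts@bankofamerica.example>
Subject: Irregular activity detected
Content-Type: text/html; charset="utf-8"

<p><a href="https://secure.bancofamerica.example/login">Verify now</a></p>
'''

class Hrefs(HTMLParser):
    def __init__(self):
        super().__init__()
        self.found = []  # href of every <a> tag seen
    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if tag == "a" and href:
            self.found.append(href)

def base_domain(host):
    # Simplification: last two labels. Production code needs the Public Suffix List.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def imitates(domain):
    """Return the trusted domain that `domain` closely resembles, else None."""
    for good in TRUSTED:
        a, b = domain.split(".")[0], good.split(".")[0]
        if domain != good and difflib.SequenceMatcher(None, a, b).ratio() >= 0.85:
            return good
    return None

def review(raw):
    """List reasons the links in a raw email do not match its claimed sender."""
    msg = message_from_string(raw, policy=policy.default)
    sender = base_domain(parseaddr(msg["From"])[1].rpartition("@")[2])
    body, parser, findings = msg.get_body(preferencelist=("html",)), Hrefs(), []
    parser.feed(body.get_content() if body else "")
    for host in filter(None, (urlsplit(h).hostname for h in parser.found)):
        target = base_domain(host)
        if target != sender:
            findings.append(f"link goes to {target}, not sender domain {sender}")
        if imitates(target):
            findings.append(f"{target} imitates {imitates(target)}")
    return findings
```

Calling `review(SAMPLE)` reports both the sender/link mismatch and the “Banc of America” style lookalike. An empty result only means these two checks passed, since the sender address itself can be forged.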
A great way to test how well you can spot a phishing email is to take Google’s free phishing quiz. If you receive a phishing email, forward it to the Anti-Phishing Working Group at reportphishing@apwg.org. If you think you’ve fallen victim to a phishing scam, the FTC recommends you go to IdentityTheft.gov and file a report.
Always be suspicious if anything feels out of the ordinary. We hope you’ll stay safe from phishing attempts and exercise caution when you receive a questionable email.