Tip of the Week: 6 Tips To Avoid the Phishing Hook
Have you received emails with messages similar to these?
“We suspect an unauthorized transaction on your account. To ensure that your account is not compromised, please click the link below and confirm your identity.”
OR “During our regular verification of accounts, we couldn’t verify your information. Please click here to update and verify your information.”
These are scams called phishing.
Phishing comes in many forms but has one purpose: to gather private data, such as financial information, social security numbers, usernames and passwords, that can be used to steal unsuspecting victims’ identities. This is achieved with fake websites, graphics, email accounts and phone numbers made to look like they belong to a legitimate company, which may ask you to “update,” “validate,” or “confirm” your account information. Often these messages come with threats that your account will be deleted.
Phishing emails are inevitable, but there are precautions you can take so you don’t fall victim to their tactics. Here are a few tips to help you avoid the phishing hook. After reviewing these, take the quiz at the end to see how much you’ve learned.
1. Do Not Reply
If you get an email or pop-up message that asks for personal or financial information, do not reply. Legitimate companies don’t ask for this information via email.
2. Do Not Click
Scammers use links to direct people to phony sites that look like the sites of the impersonated company. If you follow the instructions and enter your personal information on the site, you’ll deliver it directly into the hands of identity thieves. To check whether the link really goes to the company, hover your mouse pointer over the link. If you are using an email client such as Outlook, a tool tip will pop up showing the link you will be directed to. If you are using an email client in a web browser, the link will be revealed at the bottom of the browser window in the status bar. Check for these characteristics:
- If the revealed link is not even close to the real company’s web address, do not click.
- Sometimes the link will be close to the real web address. Look closer, though; the truth will be revealed in what’s between http:// and the next forward slash ( / ). In the example below, the first part of the address looks okay (www.irs.gov). If you look beyond that, up to the first forward slash, you will see it’s followed by .foodot.com.pl. This is a sure indication that the email is fraudulent. Do not click.
- Look for subtle clues. Is there a zero where an O should be or a 1 where an L should be? Do not click.
- Always look for “https://” in the link and a padlock in the bottom status bar on web sites that require personal information. If neither are there, do not click.
- Never open an attachment unless it’s from someone you know and trust.
- If in doubt, never click a link within an email you suspect to be fake. Instead, go directly to the website by manually typing in their web address.
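The hostname check described above, written out as an added example (not part of the original article): it extracts the part of the link between the scheme and the first forward slash, tests whether that host really belongs to the expected domain on a dot boundary, and flags digit-for-letter substitutions. The expected domain irs.gov and the lookalike www.irs.gov.foodot.com.pl come from the article; the other sample links are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample inputs: the irs.gov lookalike is the one the article
# describes; the other links are made-up illustrations.
EXPECTED_DOMAIN = "irs.gov"

# Digits that are commonly swapped in for letters they resemble.
DIGIT_SWAPS = {"0": "o", "1": "l", "5": "s"}


def hostname_of(link: str) -> str:
    """Return what sits between the scheme and the first '/' (the host)."""
    if "://" not in link:
        link = "http://" + link  # assume a scheme so urlsplit parses the host
    return (urlsplit(link).hostname or "").lower()


def belongs_to(host: str, domain: str) -> bool:
    """True only if host is the domain itself or a subdomain of it.

    The dot boundary matters: 'www.irs.gov.foodot.com.pl' ends with 'pl',
    not 'irs.gov', and 'notirs.gov' is not a subdomain of 'irs.gov'.
    """
    return host == domain or host.endswith("." + domain)


def lookalike_clues(host: str, domain: str) -> list:
    """Report hosts that only match the expected domain once digits are
    read as the letters they imitate (a zero for an O, a one for an L)."""
    normalized = "".join(DIGIT_SWAPS.get(ch, ch) for ch in host)
    if normalized != host and belongs_to(normalized, domain):
        return [f"digit-for-letter substitution: {host} imitates {normalized}"]
    return []


def check_link(link: str, domain: str = EXPECTED_DOMAIN) -> dict:
    """Summarize the checks the article recommends for one hovered link."""
    host = hostname_of(link)
    return {
        "host": host,
        "https": link.lower().startswith("https://"),
        "matches_domain": belongs_to(host, domain),
        "clues": lookalike_clues(host, domain),
    }


if __name__ == "__main__":
    for sample in ("http://www.irs.gov.foodot.com.pl/refund",
                   "https://www.irs.gov/refunds", "http://www.irs.g0v/"):
        print(check_link(sample))
```

A link is safe to consider only when `matches_domain` is true and `clues` is empty; anything else is the “do not click” case the tips describe.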
3. Bad Spelling and Grammar
If an email contains spelling and grammatical mistakes or misuses a company name, that’s a good sign the email is fraudulent.
4. Say My Name
If the email addresses you by “Dear Account Holder” or “Company Name Member”, be cautious. Most legitimate companies will address you by your name or username.
5. Phone, too?
Know that phishing can also happen over the phone. You may get a call from someone pretending to be from a company, making false claims and asking for your personal information. Do not give out your information if you get a call like this. Instead, hang up and call the company directly using a number you know is genuine.
6. Sometimes it’s hard to tell.
Be suspicious if someone contacts you by phone or email unexpectedly and asks for personal information. It’s sometimes hard to tell whether something is legitimate by looking at an email, web site or talking to someone on the phone. But if you’re contacted out of the blue and asked for your personal information, it’s a warning sign that something is “phishy.” Legitimate companies don’t operate that way.
If you believe you’ve fallen victim to a phishing scam, do the following as soon as you can.
- Change your password. If you filled out one of these scam forms and entered any password information – change it immediately. While you’re logged into your account, check your information to see if anything has been changed and your transaction history, if applicable, to see if there are any unfamiliar charges.
- Contact the company. Call or email the company being impersonated and let them know that your account might be compromised and that there is a scam using their name. They may not know yet.
- Call Your Bank. If you entered any financial information such as account or credit card numbers, you should call to see if any fraudulent transactions have shown up and to possibly arrange for new cards or accounts.
Even if you didn’t respond to the email and provide your personal information, please forward the email to firstname.lastname@example.org and to the company being impersonated. Also file a report with the Internet Crime Complaint Center. This site is a partnership between the FBI and the National White Collar Crime Center.
Take the Quiz
Think you’re ready to tell if that email is phishy or not? Take the short SonicWALL Phishing IQ Test to find out. When you have completed the test you’ll get a score along with a chance to see why a question was a phishing scam or legitimate. Come back and post a comment with your score and share with us if you’ve had any experience with phishing scams.