10 Tips to Stop Falling for Phishing Scams
Every day millions of unsuspecting people receive phishing emails, worldwide.
Some are so obvious that you immediately dump them into junk mail; others are so craftily written that they appear to come from companies or people you know, trust, or have accounts with.
With all the articles and information distributed daily by top news agencies, journalists and cyber experts, it is remarkable that people still fall for phishing schemes and various other cyber scams. It could be anything from a bank (not even your own) contacting you by email and asking you to change your personal and financial information, to an email or popup on your computer requiring you to click a link for free software that will supposedly be installed to protect it. And once you do, they commandeer your computer for their own fraudulent purposes.
Technically, what is a phishing scam?
Cyber criminals are so experienced today that they send emails purportedly from well-known companies you may currently be dealing with, or from a college or group you know, or believe you know: your bank, your credit card company, even your Internet provider.
In short, the email will carry an address similar to that of someone you have a connection with, or appear to have a connection with (more on that later). These emails are written to engage or scare you in order to rob you of money, credit, or personal or financial information.
To ‘fix’ the situation, these fraudsters tell you – for example – ‘your account has been compromised’ and you’re required to fill out a form to verify your actual information.
When you click the link provided, you’ll be sent to a phony website page where they require you to provide personal and/or financial information. Once you type in any or all of this information you have provided them with the keys to your personal and financial accounts. And they can start defrauding you immediately. This isn’t the exception to the rule. Unfortunately this is what’s happening daily; in fact – hundreds of thousands of times daily.
Typical information scammers are looking to grab is:
* Credit card number, expiry date, and the 3-digit code on the back of your card.
* Bank account log-in information and passwords; bank account number.
* They may want you to type in your password, then change it.
* Date of birth
* 1st security question and answer to it.
* Alternate security question and answer.
* If you work in the U.S., they may ask for your Social Security number.
After gathering this info, they sell it to other fraudsters. Or use it to continue to hack your personal and financial accounts, your credit cards and email, for example.
Below is an example of an email phishing scam:
FROM: BANK OF TOMORROW.COM SUPPORT TEAM
Reply to: “BANKOFTOMORROW.COM. SUPPORT TEAM” firstname.lastname@example.org
Date: June 20, 2017
Subject: URGENT – YOUR ACCOUNT HAS BEEN COMPROMISED
This email is to inform you that your account has been compromised
and is seriously at risk. To restore your account, it’s imperative you visit
our site within the next 24 hours to update account information.
If you fail to update your account within the next 24 hours, you may be
Thank you for using Bank of Tomorrow.
Bank of Tommorow.com Support Team
Let’s pick apart the email above.
1. Look at the ‘From’ line. It says supportteam01. If you check with your bank you’ll quickly discover they don’t have support teams. They have customer service representatives. And don’t use such words as team/s when emailing customers. Nor do they usually use numbers such as ‘01’ to designate support or customer service.
2. Check out the Reply To line. The word support is spelled incorrectly (spupport). It also does not include the identifying number ‘01’ specified earlier.
3. Look at the subject line. No bank will send you an email with that subject line. They usually call first. I’ve had my credit card hacked and the bank called me immediately. Several people on my staff have had similar situations; and with each incident the bank called them. Unless this is a worldwide cyber attack, you should expect a call from your bank. And once you’ve covered the information with a bank customer service representative, you will be told to expect an email from them to corroborate the conversation.
4. Re-read line 2 of the email. We’re quite certain no bank will send you an email requiring you to make account changes online before notifying you personally. Plus you may also receive a letter of notification asking you to call a specific customer service number. Remember, a hacker or cyber criminal has no intention of wasting time sending you an actual letter. What they do is quick and dirty; eliciting info from you in order to steal from you fast, before you change your mind.
5. Locking you out of your account. Unless you have harmed the bank, written bad checks and/or scammed others, it’s highly unlikely a bank will lock you out of your own account. This is merely a fear or scare tactic. Professional scammers want you to act quickly in order to steal your money or credit – again – before you change your mind.
“Phishing schemes are crude engineering tools”, says the Indiana University Policy Office. “Designed to induce panic in the reader”. These are the types of scams, they tell us, organized to trick the reader into taking immediate action. And, by the way, the University of Indiana has also had hackers who sent out phishing emails using their name and supposed email to gather email addresses, personal and financial info.
What other signs can alert you to a phishing scheme?
- If you’re unsure who sent the email, hover your mouse over the name of the company or individual before clicking to open the email. This will show the exact address of the sender. For example, let’s say it’s an email from Starbucks, and you do have an account with Starbucks, but something about this particular email makes you question whether it’s actually from them. Hover over the address or name of the sender and you may discover it’s from starbucks25.org, not the email address they use to communicate with customers.
- Be sure the URL is real. For example the URL email@example.com is how the URL should look. However, if the URL is firstname.lastname@example.org this isn’t a real address. An email extension (i.e. info) is placed before the name of the company or individual. And no email runs further than .com or .org or any other extension. Therefore the .mischief.com, at the end of the sample URL above, is not valid.
- Are grammar and spelling correct? Remember, many of these hackers come from countries in which English is a second language and aren’t as familiar with grammar and spelling, often typing out a word or name phonetically.
- The offer seems too good to be true. For example you’ve ‘won the lottery’; you’ve won a new car or new home. Unless you recently entered a lottery contest in your area, or a contest for a new car or home, always send these to junk mail.
Phishing schemes lure you into a sense of security using well-known names of companies you may have purchased from or interacted with; using actual logos copied from trusted companies in their emails. Recently there was a phishing email supposedly from Paypal asking to update financial information. Once I hovered over the email address I quickly discovered it was not from Paypal. Of course I also knew Paypal only asks you to change financial information once you’ve logged into your account.
Info regarding 2 charitable phishing scams the U.S. government advises you to be aware of:
# Charitable groups for Military members and their families.
Because a group encouraging you to donate has the words ‘military’ and ‘military families’ in the subject line, or the name of the charity, it doesn’t mean they are actual groups supporting the military. Donate to charities with a known track record.
# Online fundraisers for police, firefighters and their families.
The U.S. Trade Commission refers you to the following 3 groups to discover whether they are, in fact, legal charitable groups:
Give.org – www.give.org is a division of the U.S. Better Business Bureau. It allows you to type in the name of a charitable group to discover whether it’s a legal group or a phishing scheme.
Charity Navigator also allows you to check the veracity of a charitable group asking you for donations – https://www.charitynavigator.org/
Guidestar is the largest repository of info on charitable organizations in the U.S. http://www.guidestar.org/Home.aspx
More charitable scams info:
10 Ways to Deal With Phishing Schemes:
1. Unless you know the group, never contribute to an email request from businesses or charitable groups before doing a little research.
2. Before clicking a link, leave your email page and search for the company or business named in the email. If you click and it’s a scam, you may be sent to a page that exists only to capture your IP (Internet Protocol) address, the address of your computer.
3. Never pay for a promise of a service or product unless you know the individual, group or company well.
4. Pay via Paypal, Authorize.net or other payment services when possible. They’ll keep your financial information secure. It’s not a good idea to share your financial information with a group or individual you aren’t well acquainted with. Read their Terms of Service first, to discover how they treat your personal and financial information.
5. Be skeptical of ‘free trial’ or ‘$1 trial’ offers. Even if you know the company, individual or group, be sure to ‘read the fine print’ before clicking. You could be signing on to an expensive deal with no end date.
6. The email makes unrealistic threats. For example you receive a nasty email from the U.S. IRS requiring you to pony up cash for long overdue taxes owed. While no one wants to receive any more info or letters than necessary from the IRS, the IRS doesn’t send threatening emails regarding your account. If they do have an issue with you, they send you a registered letter which must be signed for. On the other hand, if they owe you money, they’ll send you a check along with a letter of explanation. Also beware of threatening letters from other U.S. agencies such as the FBI and Homeland Security, for example.
7. The ‘TO’ section of the email says ‘To undisclosed recipients’. These are usually scams.
8. Don’t invest in businesses or situations which require a large up-front investment or deposit before checking them out. Here’s an excellent article from the U.S. Federal Trade Commission – https://www.consumer.ftc.gov/articles/0238-investment-risks
9. Before clicking on a link in an email, check the signature at the bottom. If there’s only a typed one – yet the email claims to be from a well-known company – it’s likely a scam. If it were from a real company, not only would their logo be included, there would be a unique, formal signature at the end of the email.
10. Hover your mouse over any text links included within an email before clicking. This will expose the actual URL (site) to which you are being redirected.
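Several of the manual checks above (compare the Reply To line with the From line, watch for ‘undisclosed recipients’, be wary of urgent lock-out threats, and hover over links to see whether the visible address matches the real one) can be run automatically over a message before anyone clicks. The script below is an added example written for this article, not code from the original page or from any product it mentions; it uses only the Python standard library, and the two sample messages embedded in it are constructed for illustration (the phishing one is modelled on the Bank of Tomorrow sample above, with made-up `.example` domains).

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed phishing-style sample, modelled on the article's example email.
PHISHING_EMAIL = """\
From: "Bank of Tomorrow Support Team" <supportteam01@bankoftomorrow-secure.example>
Reply-To: "BANKOFTOMORROW.COM SUPPORT TEAM" <spupport@mail.example>
To: undisclosed-recipients:;
Subject: URGENT - YOUR ACCOUNT HAS BEEN COMPROMISED
Content-Type: text/html

<p>Your account has been compromised. Visit
<a href="http://login.bankoftomorrow.example.mischief.example/verify">
https://www.bankoftomorrow.example/account</a> within 24 hours.</p>
"""

# Constructed benign sample: a plain receipt with no red flags.
BENIGN_EMAIL = """\
From: "Example Shop" <orders@shop.example>
To: customer@home.example
Subject: Your receipt
Content-Type: text/plain

Thanks for your order. View it at https://shop.example/orders/123
"""


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from <a> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self._href = None
        self._text = []
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _domain(addr):
    """Lower-cased domain part of user@host, or '' if there is no '@'."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _host(text):
    """Host of a URL-looking string (scheme optional), or '' if it is not one."""
    text = text.strip()
    if not re.match(r"^(https?://|www\.)", text, re.I):
        return ""
    parsed = urlparse(text if "://" in text else "http://" + text)
    return (parsed.hostname or "").lower()


def analyse_message(raw):
    """Apply the article's manual checks to one raw message and return the
    list of warning labels that fired (empty list means nothing suspicious)."""
    msg = message_from_string(raw)
    findings = []

    _, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))

    # The Reply To line points somewhere other than the apparent sender.
    if reply_addr and _domain(reply_addr) != _domain(from_addr):
        findings.append("reply-to-domain-differs-from-sender")

    # Tip 7: 'To undisclosed recipients' is a bulk-mailing tell.
    if "undisclosed" in msg.get("To", "").lower():
        findings.append("undisclosed-recipients")

    # Tip 6 and point 5 of the email breakdown: urgency and lock-out threats.
    subject = msg.get("Subject", "")
    charset = msg.get_content_charset() or "utf-8"
    body = msg.get_payload(decode=True).decode(charset, "replace")
    if re.search(r"\burgent\b|\b\d+\s*hours\b|compromised|suspended",
                 subject + " " + body, re.I):
        findings.append("urgency-or-threat-language")

    # Tip 10: the text you see and the href you would actually visit differ.
    if msg.get_content_type() == "text/html":
        collector = _LinkCollector()
        collector.feed(body)
        for href, text in collector.links:
            shown, real = _host(text), _host(href)
            if shown and real and shown != real:
                findings.append("link-text-host-mismatch")
                break

    return findings


if __name__ == "__main__":
    for label, sample in (("phishing", PHISHING_EMAIL), ("benign", BENIGN_EMAIL)):
        print(label, analyse_message(sample))
```

The link check only fires when the visible anchor text itself looks like a URL; a link whose text is a plain phrase such as "click here" cannot be compared this way, which is exactly why the article tells you to hover over it and read the real destination. Treat these labels as prompts to look closer, not as a verdict: a legitimate newsletter can be sent to undisclosed recipients, and a real bank can mention a deadline.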
Sign up for ‘Scam Alerts’ with the U.S. Federal Trade Commission –
Get the PhishMe Reporter add-on for Outlook and Mac which allows you to report phishing scams. https://kb.iu.edu/d/aogv
If you spot a scam, report it at ftc.gov/complaint. Your reports help the FTC (U.S. Federal Trade Commission) and other law enforcement agencies investigate scams and bring criminals to justice.
Check out https://haveibeenpwned.com/ to discover whether your email has been hacked.
Authors: Jean L. Serio CPC, CeMA and the Staff at Cyber Protect.