The technology news headlines have lately been buzzing with news of recent widespread phishing attacks. One report from earlier this month states that a phishing scheme aimed at email users took in more than 20,000 email addresses and passwords. The FBI director even admits to a brush with such a scam, which prompted his wife to take over the responsibility of their online banking.
When it comes to phishing scams, a compromised email account can be the least of your problems. Many people use the same password on several websites, including their online bank accounts. Information gathered through various online accounts can be used to steal not only your money, but your identity. Criminals can then use your stolen identity to obtain medical care, loans, or commit crimes in your name.
Phishing efforts can be particularly devious in the current economic climate, preying on fears that our money might not be safe with the financial institutions we use. Recent bank mergers also give criminals an opportunity to collect your password. Emails might pretend to be from your local bank’s branch manager, your credit card company, or even your investment broker. A particularly nasty scam that impersonates the Internal Revenue Service (see image below) demands your financial information and threatens an audit if you do not comply immediately.
As fraudulent email scams become more sophisticated, the average user must become proactive about their online security. Armed with common sense and the knowledge of what to look out for, anyone can learn to avoid phishing scams and keep from becoming another victim.
How to Recognize a Phishing Scam
Gone are the days of being able to spot a fraudulent email scheme because of extensive spelling and grammar errors. Modern cyber criminals create pitch-perfect emails, complete with stolen images and boilerplate text that has been stripped from the very websites they are emulating. The return email address can no longer be trusted either: messages can ostensibly be from a family member, a friend, a social networking site you frequent, or a corporate website. Below are a few tips on recognizing a fraudulent email.
- Beware emails that encourage you to “Verify your account” or ask you to “Respond within 48 hours or your account will be closed.” or even “(Your bank or workplace) has installed new security measures. Please login here to verify your info.” These typical phrases are known as “calls to action” that lead you to click on a link and divulge information. When an official-looking email makes you feel rushed, take a step back and reevaluate it. When in doubt, call or email the company directly (don’t reply) and verify that the message is genuine.
- Ignore emails that tell you that you’ve won a “lottery” or special “drawing”. These are usually advanced fee scams, where you need to give up some amount of money in advance before you receive a lump sum (which never comes).
- Avoid email links that go to “misspelled” corporate addresses such as Micorsoft.com, Googel.com, Yahooo.com, PayPa1.com, PayPaI.com (uppercase “i” or numeral one instead of an “L”).
- Also avoid links that will take you to an IP address (e.g. 192.0.32.10). Some links may look legitimate at first glance, but by hovering over a link in most browsers, you can see where it will actually take you.
- Learn to spot newer “spear” phishing scams. Now that many of us know not to send sums of cash to wayward Nigerian princes, the criminals have devised a more personal approach to scamming you: emails that contain information such as your full name, the last few digits of your social security number, your home address, or the knowledge that you are in a desperate financial situation. These emails lull you into a sense of security, and believing that the sender already possesses all of your information makes you more apt to fill in the blanks for them.
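The link checks from the list above (misspelled look-alike domains, raw IP addresses, and visible text that differs from where the link really goes) can be automated. The sketch below is an added example, not part of the original article; the KNOWN list, the function names, and the sample message are assumptions made up for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed list of sites the reader really uses, and a constructed sample body.
KNOWN = ["microsoft.com", "google.com", "yahoo.com", "paypal.com"]
SAMPLE = ('<a href="http://www.paypa1.com/login">www.paypal.com</a> or '
          '<a href="http://192.0.32.10/verify">Your bank</a>')

def edit_distance(a, b):  # swapping two adjacent letters counts as one change
    d = [[i + j if i * j == 0 else 0 for j in range(len(b) + 1)] for i in range(len(a) + 1)]
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            d[i][j] = min(d[i-1][j] + 1, d[i][j-1] + 1, d[i-1][j-1] + (a[i-1] != b[j-1]))
            if i > 1 and j > 1 and a[i-1] == b[j-2] and a[i-2] == b[j-1]:
                d[i][j] = min(d[i][j], d[i-2][j-2] + 1)
    return d[-1][-1]

def check_link(href, text=""):
    """Return the reasons a link looks suspicious (empty list: nothing flagged)."""
    host = (urlsplit(href).hostname or "").rstrip(".")
    if ":" in host or host.replace(".", "").isdigit():  # IPv6 literal or all-numeric host
        return ["link goes to a raw IP address"]
    domain = ".".join(host.split(".")[-2:])  # simplification: ignores suffixes like co.uk
    reasons = [f"{domain} looks like {good}" for good in KNOWN
               if domain != good and edit_distance(domain, good) <= 1]
    shown = text.strip()  # what the reader sees before hovering
    if "." in shown and " " not in shown:
        shown = urlsplit(shown if "://" in shown else "//" + shown).hostname or ""
        if shown and shown != host:
            reasons.append(f"text shows {shown} but link goes to {host}")
    return reasons

class LinkExtractor(HTMLParser):  # collects (href, visible text) for each <a> element
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, ""
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", ""
    def handle_data(self, data):
        self._text += data
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, self._text))
            self._href = None

def scan_email(html):
    parser = LinkExtractor()
    parser.feed(html)
    return {href: check_link(href, text) for href, text in parser.links}
```

Calling scan_email(SAMPLE) returns a dictionary keyed by link target, with the list of reasons each link was flagged.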
Five Steps To Staying Secure
- Don’t give out personal information through email and don’t follow links from emails to websites that prompt you for your login ID, password, social security number, address, or any other information. Simple in theory, difficult in practice.
- Use a web browser that has a built-in anti-phishing filter or that monitors websites for phishing attempts, such as Internet Explorer 8, Firefox 3.0, Google Chrome, Opera 9.2, and Safari 3.2. Keep your browser updated.
- Use email encryption when sending potentially sensitive information such as passwords and financial information.
- Check potential phishing websites against Phishtank.com.
- If a site asks you for your password, enter a false one. If the site accepts it as valid, then it was probably phishing. Report it.
What to Do If You Think You’ve Been Hooked
- Act quickly. First, change your email password, then your account passwords. If you change your account passwords before your email password, the accounts usually send a copy of your new password to your email address. Make sure your email address is not set to forward messages.
- If you believe your online banking password has been compromised, change your password immediately and alert your branch manager.
- If you’ve accidentally given out credit card information or your social security number, ask the three major credit bureaus to put your credit report on “fraud alert,” which will help you recover your credit rating if it’s abused by criminals.
- Close any unnecessary financial accounts that you know or feel may be compromised.
- Go here for more information: http://www.ftc.gov/bcp/edu/microsites/idtheft/
A common mistake that many people make is thinking that they won’t fall for these scams because they’re net-savvy. But as smart as you are about avoiding phishing scams, a criminal’s job is to stay one step ahead. By adopting a few standard safety procedures when it comes to email, and practicing them faithfully, you can keep your personal and financial information, and your identity, safe from cyber criminals.


