What is Phishing?
Phishing involves the use of fraudulent emails and spoof websites to trick individuals into revealing valuable personal information, such as account numbers, login IDs and passwords. The fraudsters who collect this information then use it to steal the victim's identity, make financial transactions using the victim's name or gain access to the victim's company information.
How does Phishing work?
In a “phishing” expedition, fraudsters typically send out emails to victims asking for updates or change of information. Phishing emails may also contain pictures, music, movies or documents that have malicious software embedded. Downloading these files can give the senders access to your computer and information. These emails may likewise contain links that direct you to a fake site - called a spoof site - that looks identical to a legitimate site. These spoof sites are intended to collect your credentials, such as your login ID, password and PIN. Note that these spoof sites can even appear in search results on reputable search engines.
How do I recognize email scams?
Email scams can take the form of any of the following:
Phony business opportunities: These scams offer the opportunity to make a lot of money with little effort and may also ask you to reveal personal information like your name, address and birthdate. Subject lines may look like this:
- Be your own boss
- Use the Internet to make money
- Work from home
Advanced fee fraud: These scams try to convince people that they will receive part of a large sum after they pay an initial processing fee. If an email proposes a complex arrangement to secure and split funds, it’s safe to assume you’ve received an illegitimate email. Subject lines call for an urgent response and/or refer to a personal introduction. Examples of subject lines for this type of scam:
- URGENT REPLY NEEDED
- Require your cooperation now!
- Re: pleased to meet you!
Request for information from legitimate organizations: Many phishing emails are crafted to look like they’ve been sent from legitimate organizations, such as a bank, asking you to visit a spoof website, reveal personal information or download malware. Common subject lines:
- Problem with your account
- Validate your account
- Log on to website to validate account
Trojan horse email: These emails contain things you will likely be interested in, such as a photograph, a joke or a video, enticing you to click and engage. However, when opened, the attachment may install software that sends your keystrokes to a fraudster, install software that monitors your online activity, or allow a fraudster access to your files. Common themes:
- Email with subject line “funny” encouraging you to view the attachment
- Email from a supposed “antivirus” vendor encouraging the recipient to install antivirus software
- Email with information on a recent security issue on a software application you have installed. This same email provides a “patch” to fix the security issue
How to protect yourself against Phishing:
The best way to protect yourself is to understand what reputable companies will and will not do. Legitimate entities will not ask you to provide or verify sensitive information through non-secure means, such as email. Here are ways to stay safe from phishing:
- Be cautious of emails: Do not respond to emails from unknown senders, emails that request personal or financial information, emails from organizations you weren’t expecting to hear from, or urgent or too-good-to-be-true emails (like ones informing you that you won the lottery).
- Be cautious of links, files, and attachments: Do not click on the links, download files or open attachments provided in emails sent by unknown senders. Type the URL into your web browser yourself. A link in a malicious email can direct you to a spoof site that looks like a legitimate site.
- Look at URLs: Make sure you conduct your financial transactions only on a secure webpage that is protected with the proper level of encryption. Look for a closed padlock on your browser's status bar and check that the URL starts with “https” instead of just “http”.
- Beware of pop-ups: Refrain from entering personal information on a pop-up screen. Also, do not copy web addresses from pop-ups into your browser.
- Look at your monthly account statements: Read your statements thoroughly to make sure that all transactions shown are ones that you actually made. Call your bank immediately if you suspect any fraudulent transactions.