Have you ever received an email like this? This is just one example of many common phishing emails that tend to make the rounds. Most of us have received more than one—in fact, over 100 billion spam emails like this are sent every day.
Phishing is a scam in which a person uses fake emails, texts, and/or phone calls to try to get you to share valuable information such as your Social Security number, account numbers, or user names and passwords. Once they have this information, they may steal your money, your identity, or both. They may also try to access your computer or network by installing ransomware or other programs after you’ve clicked a link in one of their emails or texts. These programs can lock you out of your computer and allow thieves to steal your personal information.
Don’t take the bait
Watch out for a few common tactics that scammers use to try to entice you to hand over your personal information.
Familiarity. Using familiar company names, or pretending to be someone you know, is known as email spoofing. The email appears to be from a trustworthy source, like a legitimate company, family, friend, or even coworker, and lends the recipient a false sense of security that makes them more likely to open files and click on links.
Website spoofing is often used in concert with the fake email by linking it to a website that looks legitimate, but isn’t. When the user goes to the site, they may be asked for sensitive financial or login information. These fraudulent websites may also contain malicious code that ends up on the user’s computer.
Timing. Attackers often take advantage of current events and certain times of the year, such as natural disasters, health scares (like COVID-19), major political elections, and holidays.
Attention. Attracting your attention with lucrative offers or eye-catching statements is another common tactic. For example, a message may claim you just won an iPhone, gift, or large amount of money. Remember, if it seems too good to be true, it probably is.
Enticement. Scammers will try to encourage you to click on a link or open an attachment. They often tell a story to trick you by claiming they’ve noticed suspicious activity, such as stating there’s a problem with your account, directing you to make a payment, or announcing you’re eligible for a refund.
Limited time only. Phishers rely on urgency to increase the odds of pressuring you to ACT NOW and quickly hand over your sensitive information. A legitimate website for a bank, credit card company, or other organization isn’t going to have an air of desperation about it by posting urgent messages on their website. If you see this on a site you visit, double check the URL to make sure you’re actually in the right place.
Avoid getting hooked
- Stay vigilant and be wary of unsolicited requests for your personal information online, by email, or by phone.
- Do not share any user names, account numbers, or passwords with anyone, and don’t use the same password across accounts.
- Never trust alarming emails, and don’t open attachments from strange emails you may receive.
- Use security software on your computer and keep it up to date.
- Set your mobile phone software to update automatically so you don’t miss critical updates that protect against security threats.
- Use two-factor authentication on all accounts that offer it—besides using a password, you also add a second step like a fingerprint or special code. This makes it harder for scammers to log in to your accounts if they do get your user name and password.
- Back up your data someplace not connected to your home network, such as an external hard drive or cloud storage site.
- Unsure about a link to a website? Look the business up separately online and call them directly, telling them about the message you received. Your bank, for example, will never ask you to send your password or personal information by mail or email.
- While not a guarantee of a website’s legitimacy, look for secure websites with a valid Secure Sockets Layer (SSL) certificate. Their addresses begin with “https” and show a closed padlock icon in the status bar. (Eventually all sites will be required to have a valid SSL.)
- Carefully read any email messages you receive. Is it missing your name? Is there bad grammar or spelling? Is it asking you for personal information?
- Hover over links (don’t click on them!) to see the actual URL you will be directed to. Look at the web address carefully—it may just be one letter off or something similar.
Sources: Federal Trade Commission Consumer Information, Cybersecurity and Infrastructure Security Agency, Phishing.org
Top frauds of 2019
According to the Federal Trade Commission (FTC), these were the top schemes reported by more than 3.2 million people in 2019.
- Number one fraud: Imposter scams. Imposters pretended to be calling from the government or a familiar business, a romantic interest, or a “family member” with an emergency. People reported losing more than $667 million to these schemes, which they often paid with a gift card.
- Top government scam: Social Security imposters induced fear by threatening people with arrest by marshals or police officers until the imposters received money. The median individual loss was $1,500.
- Phone calls were the main way people reported being contacted by scammers. Those who didn’t hang up and followed through on scammers’ requests had a median loss of $1,000.
During 2019, FTC law enforcement actions led to more than $232 million in refunds to people who lost money. If you spot a scam, report it at the Federal Trade Commission Complaint Assistant.