Last fall, Facebook users began receiving an alarming email warning. "For
security reasons, your account will be disabled permanently," said the
email. To confirm your identity, the message—which was signed by the
"Facebook Team"—instructed users to click on a link and log into what
looked like a real Facebook page.
But this email had nothing to do with Facebook. It was a phishing (pronounced “fishing”) scam, a form of identity theft
in which hackers use fraudulent websites and fake emails to attempt to
steal your personal data, especially passwords and credit card
information. Phishing scammers send emails that appear to come from
trustworthy sources such as a social media website or a financial
service provider, and tell you that they need you to follow certain
links in order to rectify some problem. Then they steal your data as you
enter it, lock you out, and begin using your account to send more scam
messages in your name.
Phishing attacks are happening everywhere. Online security firm Kaspersky Labs says it repelled nearly 800 billion attacks in 2015, almost 2 million of which were attempts to steal money from online bank accounts.
Phishing attacks are happening everywhere. Online security firm Kaspersky Labs says it repelled nearly 800 billion attacks in 2015, almost 2 million of which were attempts to steal money from online bank accounts.
According to Fraudwatch International,
a global online fraud protection service, some of the recent phished
sites included Bank of America, PayPal, Chase Bank and Apple Store.
Typical fake email alerts: “Westpac Bank—Your Account Has Been Blocked,”
or “Apple Store—About your last Transaction.”
With tax season starting to ramp up, scammers have been targeting TurboTax users with fake subject lines such as “TurboTax Update: Resolve Account Issue Now” and “TurboTax—Important Notice” that urges users to open a fraudulent attachment.
Internet
Service Providers (ISPs) are also now among scammers’ favorite phishing
targets, surpassing the banking and financial services sectors during
the first three quarters of 2015, reports the non-profit Anti-Phishing Working Group
(APWG). Phishers like to break into ISP accounts so that they can send
spam from those user accounts. ISP accounts can also contain other
things that phishers want: personal identity information, credit card
details, and access to domain name and hosting management.
The Best Defense
How can you protect yourself against phishing lures? Here's some advice:
- If
you aren’t 100 percent certain of the sender’s authenticity, don’t
click on attachments or embedded links; both are likely to result in
malware being installed. Instead, open a new browser window and type the
URL directly into the address bar. Often a phishing website will look
identical to the original, so check the address bar to confirm the
address.
- Similarly,
never submit confidential information via forms embedded in or attached
to email messages. Senders are often able to track all of the
information you enter.
- Be
wary of emails asking for financial information. Emails reminding you
to update your account, requesting you to send a wire transfer, or
alerting you about a failed transaction are compelling. However,
scammers count on the urgency of the message to blind you to the
potential for fraud.
- Don’t
fall for scare tactics. Phishers often try to pressure you into
providing sensitive information by threatening to disable an account or
delay services until you update certain information. Contact the
merchant directly to confirm the authenticity of the request.
- Be suspicious of social media invitations from people you don’t know. According to Kaspersky Lab research,
over one in five phishing scams target Facebook. Phishers rely on your
natural curiosity to click on the person’s profile “just to find out who
it is.” However, in a phishing email, every link can trigger malware,
including links that appear to be images or even legal boilerplate;
scammers use your hijacked account to send spam to your friends, because
spam from real accounts is more believable than spam from a fake
account.
- Watch
out for generic-looking requests for information. Many phishing emails
begin with “Dear Sir/Madam.” Some come from a bank with which you don’t
even have an account.
- Ignore emails with typos and misspellings. Recent real examples targeting TurboTax include ”Your Change Request is Completeed” and “User Peofile Updates!!!”
- Update and maintain effective software to combat phishing. Reliable anti-virus software should also automatically detect and block fake websites, as well as authenticating the major legitimate banking and shopping sites.
Mobile
device users should be especially vigilant. Scammers increasingly
design mobile-friendly pages; what’s worse, many browsers hide the web
address bars, so it can be even more difficult to spot scams on a mobile
device.
