Early
one Sunday morning, my editor, Yahoo Finance’s Erin Fuchs, checked her
personal email and was surprised to find a message from PayPal (PYPL). The missive said she had recently changed her password, and asked her to call a phone number if that wasn’t the case.
It
wasn’t, so Fuchs called. The email had come from a “service@paypal.com”
address and included a link to the PayPaypal website. However, she
became suspicious when the person on the other end of the line asked for
her credit card information to “verify her account.”
An example of a phishing email.
It
doesn’t matter who you are or what email service you use. If you have
an email account, you’ve received some kind of scam, or phishing email,
just like my editor.
Most
of the time, these emails are relatively easy to spot. Some African
prince or other wealthy individual wants to send you money until he can
make it to the US. You just need to send your bank account information
and Social Security number.
But
criminals are quickly changing their tactics, firing off more
sophisticated emails in an attempt to trick you into giving away your
personal information. According to Gary Davis, chief consumer security
evangelist at Intel (INTC) Security, in a recent study, more
than 19,000 people were asked to look at 10 emails and identify which
ones were scams. Only three percent of them were able to find all of the
phony messages.
Worse
still, some phishing messages contain ransomware, which locks down your
entire computer until you pay the culprits a ransom.
Yes,
it’s a scary world out there. But there’s hope. If you follow some of
these quick tips, you’ll be able to stay one step ahead of the bad guys.
Read the subject line and sender’s address
Phishing
emails are designed to sucker as many victims as possible. They cast a
wide net by covering topics like banking and package deliveries—two
things most people generally receive emails for.
You
should be on high alert if you get a message from an unknown sender
with a subject line mentioning changes to your bank account—or that you
need to pick up a package that can’t be delivered—and you aren’t
expecting either of those things. It’s probably a phishing attempt.
Just delete the message and move on with your life.
Hover over links
Okay,
so you can’t remember if you changed your bank account info or aren’t
sure if you have a package in the mail, so you open the email. That’s
cool. As Intel Security’s Gary Davis explains, it’s rare that just
opening a message executes any kind of code on your computer.
It doesn’t matter what email service you use, you’ve definitely received a phishing email.
The
message, however, tells you to click a link to check out the changes to
your account or the status of your package. What do you do? Simple:
Hover your mouse over the URL. When you point to a link without
clicking, most web browsers and email programs automatically display the
web address that link will open. If the email says it’s from your bank
or delivery service, but the link points to a different site, don’t
click it.
Urgency is suspect
A
good number of phishing emails try to get you to act before you
think—by adding a sense of urgency to their messages. An email telling
you to log into or verify information for your bank or other account
labeled “Final Warning” or “Urgent Notification” should set off warning
bells right away.
Kevin Haley, director of product management for Symantec’s (SYMC)
Security Response, explains that you should be suspicious if
you receive an email with a URL or attachment that is trying to get you
to click on something right away.
If an email seems like it’s trying to push you to do something immediately, it’s probably a scam.
Russian agents are widely considered to have used this exact method to break into the Democratic National Committee’s server’s via a phishing email.
So
if you get a message telling you to do something instantly, ignore it.
If you think it’s legitimately from your bank, skip the link and just go
directly to your company’s website.
Hooked on phonics
The easiest way to identify a phishing email is if it’s loaded with grammatical or spelling errors. As Microsoft points out
in its phishing email primer, legitimate businesses hire professionals
to ensure that communications with customers are mistake-free.
Criminals? Not so much. So if you get an email that’s strangely
formatted, and is loaded with enough grammar issues to drive your
fifht-grade English teacher insane, delete it.
If you receive an email with especially poor grammar, just delete it.
Patience is a virtue
A
lot of people fall victim to phishing emails because they’re simply in a
rush. They’re in the middle of cooking dinner and taking care of two
toddlers, see an email from their bank and BAM, that’s that. So how do
you fix this? Just take a few minutes, breathe, and read your emails
carefully. That’s pretty much it.
What to do when you’re hooked
So you’ve clicked a link or downloaded an attachment in a phishing email. You’re done for, right?
Not exactly.
Both
Davis and Haley suggest that if you realize you’ve been the victim of a
phishing scheme and you’re fast enough, you can change your passwords
on any affected websites before the criminals get access to your
accounts. If you can’t do that, your best bet is to disconnect your
computer from the internet and run an antivirus program.
Disconnecting
your computer (like turning off WiFi) ensures that any malware you
downloaded can’t communicate with its home server and steal your
information; meanwhile, the antivirus program takes care of anything on
your machine. You should also enable two-factor authentication
on your accounts, which requires that you enter both your password and a
second string of characters usually sent to your smartphone via text or
an app, to keep people from accessing your information.
If,
however, you’ve given your private information to someone via email,
well, your best bet is to use a credit-monitoring service to make sure
that no one is opening credit-card accounts in your name.
