PASS Training & Compliance

Be Wary of Phishing Scams

By Holly Westerfield

Here at PASS, we take digital and online security very seriously. We have noticed an uptick in scams and phishing emails recently, so we figured this would be a good opportunity to cover some best practices to keep you safe in this ever-evolving digital landscape.

The first thing you need to understand is the end goal of these scammers. They are trying to collect whatever personal or financial information they can from you. They will often use texts or emails to try to trick you into giving them your passwords, social security number, or your account numbers. With this information, they may be able to gain access to your email, bank, or other accounts. It may even lead to identity theft.

Scammers will often use spoofing techniques to trick you into believing their messages are from a legitimate company, possibly even one you do business with such as your bank, your credit card company, or an online store. The FBI defines spoofing as “…when someone disguises an email address, sender name, phone number, or website URL—often just by changing one letter, symbol, or number—to convince you that you are interacting with a trusted source.”

These criminals will try to trick and manipulate you into sending them money, downloading malicious software, or disclosing personal, financial, and sensitive information. These messages will commonly claim:

  • There has recently been a large purchase in your name, and you will need to log in to refute it. It will often include an invoice you don’t recognize.

  • There is an issue with your account, and you need to confirm personal or financial information.

  • There has been suspicious activity or log-in attempts, and it will provide a link it claims will give more information.

  • You have a payment that is due immediately, often providing a link you are supposed to click.

  • You have won a prize, or the message offers coupons for free stuff… and all you have to do is click a link and provide them with a few details.

  • You are eligible for a major government refund.

None of these things are true.

If you receive one of these messages and you are concerned it is real, you should not click the link. You should contact the company using a phone number or website you already know is real and verify the claim.

An example of a phishing email. Notice the spelling mistakes throughout the email, the suspicious URL that misspells the company’s name, the large charge that is allegedly being charged to you, and the deadline. It is also suspicious that they need your credit card information again. If you look at the email addresses you will also note they are suspicious. No legitimate company is going to misspell their own name in their email domain. They are also unlikely to have their employees use their personal email accounts to conduct business, as seen under the CC.

How to Spot a Scam

These emails may look legitimate, even going so far as to use the company’s logo in the header. Here are some signs that the message is fraudulent:

  • The email has a generic greeting, as opposed to using your name.

  • Carefully check the email address. The sender's name may say it’s from official support, but the actual email address may be slightly misspelled or from a random, unrelated email address.

  • It will claim you need to click on a link, usually to solve some sort of billing issue or to update your information. Legitimate companies won’t email or text you a link to update your billing information.

  • They contact you to ask for your username or password, which is something legitimate companies generally don’t do.

  • It may be from a website, company, or service you have never used before.

  • It may claim you owe hundreds or thousands of dollars; this is meant to scare you into clicking the link.

  • The message may include easy-to-spot spelling mistakes.
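
The address checks from the list above can also be automated. The following is an added example, not part of the original article: a short Python check that flags a sender domain that is a near-misspelling of a trusted one, and a display name that claims a company while the address sits elsewhere. The trusted and free-mail domain lists, the distance threshold of 2, and the sample headers are all constructed assumptions.

```python
from email.utils import parseaddr

# Assumption: domains you actually do business with (constructed list).
TRUSTED = {"paypal.com", "amazon.com", "chase.com"}
# Assumption: personal mail providers a company would not use for business.
FREEMAIL = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}

def edit_distance(a, b):
    """Levenshtein distance: single-character inserts, deletes, substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_sender(from_header):
    """Return a list of warnings for one From: header (empty list = no findings)."""
    display, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    if domain in TRUSTED:
        return []
    warnings = []
    for good in sorted(TRUSTED):
        # One or two changed characters: the "changing one letter" spoof.
        if edit_distance(domain, good) <= 2:
            warnings.append(f"lookalike domain: {domain} resembles {good}")
        # The sender name claims a company, but the address is not theirs.
        brand = good.split(".")[0]
        if brand in display.lower():
            note = " (free-mail account)" if domain in FREEMAIL else ""
            warnings.append(f"display name claims {brand} but address is at {domain}{note}")
    return warnings

if __name__ == "__main__":
    # Constructed sample headers, not taken from real messages.
    samples = [
        '"PayPal Support" <service@paypa1.com>',
        '"Amazon Billing" <amzn.refunds2024@gmail.com>',
        '"Chase" <alerts@chase.com>',
    ]
    for header in samples:
        print(header, "->", check_sender(header) or "no findings")
```

An empty result only means these two checks found nothing; it does not prove the message is genuine.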

Examples of phishing scams disguised as fun trends or memes on social media.

Screenshot by CNET/Alan Belniak Facebook

The links they send you will sometimes take you to a spoofed website that may look a lot like the real website. But don’t be fooled; it is a fake website designed to trick you into giving criminals your login information. Make sure you never open an attachment from anyone you don’t know, and be wary of attachments that were forwarded to you.

You should also be wary of the information you share about yourself on social media. There are a lot of memes and trends that seem innocent but are actually designed to provide scammers with all the information they need to get through your security questions. Not to mention it provides the public with a list of potential passwords.

How to Protect Yourself

The first layer of protection you have against scammers is your email’s spam filter. Unfortunately, scammers are working every day to try to outsmart this filter, so it’s best to pair it with some additional protection and your own common sense.

According to the Federal Trade Commission, one of the best ways to protect your computer is by installing security software. Make sure the software is set up to update automatically so that it will always be up to date and there is no chance of an accidental lapse in protection. You should also set your phone to update automatically for the same reason. The FTC also recommends using multi-factor authentication whenever you can. This makes it harder for scammers to gain access to your account. As an additional level of protection, it is recommended that you make a habit of backing up the data on your computer and phone to an external hard drive or to the cloud. This will protect you from losing everything on your device if it is corrupted by a virus or malware.

How to Report

Now that you know how to recognize a phishing scam, it’s important to know that there is something you can do to help stop these criminals.

If you receive a phishing email, forward it to the Anti-Phishing Working Group at reportphishing@apwg.org.

If you receive a phishing text message, forward it to SPAM (7726).

You can also file a complaint with the Internet Crime Complaint Center.