Phishing attacks are nothing new. However, with scammers increasingly using sophisticated and new methods of harming recipients that experts are not as familiar with, being able to identify a phishing attack has never been more important. They can arrive as emails, texts, social media messages, phone calls or links to websites which appear to come from someone the victim knows or a legitimate business. It might look like a boss or co-worker, someone in an email contact list, a bank or a consumer’s favorite retailer.
Trusted brands are used to provide an air of credibility for scammers, who capitalize on the good reputation and relationships these brands have built. Some brands that have been used in phishing attacks to target consumers include Wells Fargo, Zoom, American Express, Apple and Microsoft. The companies being used are not involved in these scams; in many ways, they are victims of the scammer as much as the targeted consumer.
Every phishing attack has a different goal, depending on what kind of ruse they are using. Some use links or attachments to insert malicious code on the user’s device so they can collect more information. Others attempt to steal people’s personal and business usernames or passwords, and others still try to get someone to click on a well-disguised link so they can divert them to a place where the user enters even more information that the fraudster will use to his or her benefit. While phishing attacks have different objectives, the attackers’ primary goal is to steal the information needed to scam individuals and businesses.
Fortunately, the age-old advice about avoiding a phishing attack still holds true. These are some things people should keep in mind when trying to identify a phishing attack.
Check the email address and URL to make sure it is not fake
Check unexpected inbound messages very carefully, paying special attention to the sender’s email or website address included in the message; they might notice something strange. If it says “Amaz0n.com,” for example, it is fake. If the website link is Citibank.card.shop.com (as an example), instead of the company’s actual web address, again, it is probably fake. Always go back to the source of the email (or in this case, the company that is being represented) and check for alerts about potential scams of which they are already aware. Many times, the company is aware and has posted information about the scam.
Never click on an unknown link or open an unexpected attachment
Received an unexpected email, text, social media message or phone call with a link or an attachment? Consumers should reach out directly to the purported “source” of the communication to verify the validity of the message before clicking on a link or opening an attachment (as mentioned above). Clicking on a malicious link or opening a bogus attachment could lead to someone’s personal information being stolen or infect the device with malware.
Check the message for grammatical errors and awkward phrasing
Read unexpected messages carefully and with a critical eye. Grammatical errors and awkward language are two quick indicators that the email isn’t sent by the company indicated. In trying to identify a phishing attack, customers should remember that companies do not send out emails or other messages with glaring errors – in most cases, large, reputable companies have teams checking their communications for just those types of issues. Smaller businesses may have a looser communication style, but loyal customers will know if something is “off.” If someone sees any strange mistakes, that is probably a sign it is a fake. In fact, sometimes spelling mistakes are intentional so that only more gullible recipients will interact.
Never trust the caller ID
Do not go by what the caller ID may say. It is easy for a scammer to change the phone number or screen name to say anything, like “IRS” or “County Sheriff’s Department.” If someone calls with an attempt to verify identity information or demands for some kind of payment, consumers should hang up immediately and initiate contact with the company directly using a verified phone number from a trusted source. Here’s a tip: people should put numbers in their contact list for companies that are used regularly – but name them something only they would identify. For example, list the bank as “Bank on 4th & Main St.” instead of by the bank’s name. That way, if there’s an inbound call from the number, the person receiving the call will know they can trust it.
Remember that in many cases, fraudsters are using websites that look like the companies they are pretending to be. A web search could also bring someone to a potential fraudulent site. People should always treat the search results with the same critical eye as they would these other steps.
Phishing attacks can be confusing because of how close to real they can look or sound. Scam websites, emails, phone calls and text messages that mimic trusted brands will continue. However, by implementing these tips to identify a phishing attack, it will help reduce the risk of falling for a phishing attack.
Anyone with additional questions about phishing attacks, or believes they have been a victim of one, can call the Identity Theft Resource Center toll-free at 888.400.5530 to speak with an expert advisor. They can also use the live-chat feature on the website to get the help they need.