If you’ve been on the internet for more than a day, you probably know that not everything you find on the web is true. Nobody knows that better than honest Abe himself.
But just because you KNOW there’s sketchy stuff on the internet doesn’t mean you’re automatically safe from it. Sneaky internet scammers known as phishers have mastered the art of tricking unsuspecting users into handing over personal information like account passwords, bank account numbers, and even social security numbers. Thankfully, by being thoughtful and vigilant, you can protect yourself from phishing attacks.
So, what is phishing?
We’re glad you asked.
Wouldn’t I know if I was being scammed?
Well, maybe. Phishing is a form of internet trickery that has been around a long time, and crooks have gotten really good at making you believe that you’re visiting credible web pages. A 2013 study at North Carolina State University asked 53 undergrad students to “distinguish ‘malicious’ emails from ‘legitimate’ ones”, and nearly all of them were unable to correctly identify phishing attempts.
How it works
Most phishing happens in the form of emails, which are sent by phishers posing as actual companies, like airlines, banks, online marketplaces, etc. These emails look authentic; they may even include real logos, address you by your name, or appear to be written by someone who actually works for the company the email is trying to impersonate. Often, the email will tell you that the website needs you to verify account details and link you to a page where you can do that.
Here’s where it gets tricky.
Unfortunately, those links lead to websites that LOOK like the real thing, but are actually cleverly constructed fake sites. After clicking a link in an email, you think you’ve been directed to the Google Drive homepage, so you type in your account information. Now that you’ve entered your password on this scam website, phishers now have access to all the information linked to your Google account.
It can be REALLY hard, almost impossible, to spot phony web pages. Can you tell which of these is the actual Google login page, and which is the work of devious scammers?
Probably not. The first one is the actual page, but there’s almost no difference between the two. That’s just how good phishers have gotten at tricking us.
So how can you keep yourself safe?
Here’s a simple list of tips for avoiding online scams:
- Don’t click links in emails from addresses you don’t know.
If an email looks like it might be suspicious, it probably is. Even if the email is from a contact of yours, hover over the link before clicking to see if it directs you to a site you recognize.
- Check the URL.
We’ve already talked about how you can’t spot a phony webpage just by looking at it. If you’ve clicked an emailed link, check the address bar. If the site you’re visiting is asking for valuable data like bank information, your social security number, etc., the URL should begin with https:// rather than http://, as well as a little padlock icon. Double click that padlock and make sure “issued to” matches the URL of the website you think you’re on. If it’s different, you’re likely looking at a phishing attempt.
Also, look out for URLs and email addresses that are not-quite copycat versions of the websites they’re imitating. In the NCSU study referenced earlier, students received this almost-legitimate-looking email:
A more recent Netflix scam fooled users with this page. See if you can spot what’s wrong with it:
Notice how the URL does not end in Netflix.com? Phishers regularly use legitimate-looking URLs so that you don’t suspect anything amiss. For example, ebay.com and cgi3.ebay.com are both actual pages that end in ebay.com. However, ebay.validate-info.com and ebay.login123.com are not. This isn’t a foolproof rule though, so if you’re suspicious, manually type the website you’re trying to access into your address bar and see if it asks you to update your info. If it does, it’s most likely not a scam. This image is from an incident where phishers tricked Netflix users into calling that 1-800 number on the page. Which brings us to our next point:
- Don’t give out information over phone calls you didn’t initiate.
It’s much safer to call a number printed in literature from your bank than one that was emailed to you. Phishers have been known to lure you in with a fake number and pose as customer service personnel to get you to hand over sensitive information. Sometimes they can even use VoIP services (read up on that next Tuesday!) to change their area code so that it looks like they’re calling from a local number. This kind of scam is fairly new, so do your research and use caution when it comes to calling numbers because of emailed instructions.
- Say NO to pop-up windows!
Pop-ups have a nasty reputation, but for good reason: not only are they annoying, they tend to be dangerous. Utilize your browser’s pop-up blockers to keep them from bothering you, and never click any links or enter any information on pop-ups that might slip through.
- Be wary of software downloads.
Any email link that prompts you to download something is automatically suspect. Use extreme caution, and don’t complete any downloads that you didn’t initiate.
- Install security software
We offer several options in our store. Read up on the specs of each one to decide which one is best for you. A good anti-virus program can save you lots of trouble down the road by keeping hackers from installing malicious software on your computer that will allow them to monitor your online activity and obtain your personal data.
While phishing is a very real danger, you can protect yourself from being preyed upon by using caution in your online activity. The best phishing tip is this: follow your instincts and play it safe. If something seems suspicious or too-good-to-be-true, it probably is!
Want to read up on keeping yourself safe online? Here’s a collection of articles we referenced here:
“Phishing” Fraud: How to Avoid Getting Fried by Phony Phishermen
(via US Securities & Exchange Committee)
How to Avoid Phishing Scams
(via Yahoo! Tech)
12 steps to avoid phishing scams
(via Tech Republic)