How to avoid becoming a victim of phishing scams (and what to do if you are)


Key takeaways

  • Phishing scams are a growing threat to online security, but by understanding how they work, you can protect yourself from falling victim.

  • Phishing attacks trick individuals into revealing sensitive information, such as banking or credit card details, through methods like email, text, and voice communication. Common signs include urgent messages, fake invoices, and untrusted links.

  • By staying vigilant and using security best practices, you can better safeguard your personal information and stay safe online.

You’ve heard of phishing before, and know that it’s bad. But what is it, exactly?

Phishing is a type of social engineering attack where the attacker uses human interaction to establish (false) credibility and trick the victim into providing sensitive personal information, such as banking or credit card information.

If the word “phishing” conjures up the practice of fishing, it’s not by accident. Bad actors who engage in phishing scams attempt to bait you like a fisherman would bait their hook to reel in a catch.

Luckily, there are ways you can avoid taking this bait and keep your personal information safe and secure. If you do happen to fall prey to a phishing scheme, there are also steps you can take to regain control over your identity.

Common types of phishing attacks

There are various types of phishing scams, including:

  • Phishing emails: Email is one of the most common forms of media used for phishing attacks, and one of the oldest.
  • Vishing: Short for “voice phishing”, vishing leverages voice communication to entice a victim to call a certain number and divulge sensitive information.
  • Smishing: This newer form of phishing exploits SMS, or text messaging, to send phony links or direct victims to call a phone number and divulge sensitive information.

While these are three of the most common types of phishing,¹ there are other, more sophisticated types of attacks as well, including whaling, which targets high-profile executives; hidden links; domain spoofing; and more.

How to identify phishing emails and attacks

Scam emails and texts are becoming more common, and attackers are becoming more sophisticated. They will often try to trick you by making up stories that seem real or playing on your sense of urgency.

Phishing messages, whether sent via email or text message, often look like they're from a company you know, such as your bank or a business you frequent. The attacker will often engage in “spoofing,” or pretending to be that reputable organization.

Text and email phishing attacks often include these methods of baiting you:²

  • Fake alarms: They might say there's a problem with your account or someone tried to log in.
  • Urgent requests: They might say you need to confirm your information or make a payment right away.
  • Too-good-to-be-true offers: They might promise free stuff or a government refund.
  • Fake invoices: They might send you a bill for something you didn't buy.

Attackers want you to click on links that could steal your information or install harmful software on your device. To that end, they often include:³

  • Urgent or emotionally appealing language, especially messages that claim dire consequences for not responding immediately
  • Requests to send personal and financial information
  • Untrusted shortened URLs
  • Incorrect email addresses or links that read similarly to a common website name
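
The warning signs in the two lists above can be checked mechanically, as filters and security teams do. The following Python code is an added example, not part of the original article; the trusted-domain list, the shortener list, the keyword patterns and the sample message are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Assumed, illustrative lists; adapt them to the services you actually use.
TRUSTED = {"mybank.example"}
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}
TEXT_RULES = [
    (re.compile(r"\b(urgent|immediately|right away|suspended)\b", re.I), "urgent language"),
    (re.compile(r"\b(password|username|card number)\b", re.I), "asks for personal information"),
]
URL = re.compile(r"https?://[^\s<>\"')]+", re.I)

def edit_distance(a, b):  # Levenshtein distance, to spot near-miss domain names
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def domain_flag(host):
    """Return a reason string if host imitates a trusted domain, else None."""
    host = host.lower().rstrip(".")
    dom = ".".join(host.split(".")[-2:])  # naive; real tools use the Public Suffix List
    if dom not in TRUSTED:
        if any(edit_distance(dom, t) <= 2 for t in TRUSTED):
            return "look-alike domain: " + dom
        if any(t in host for t in TRUSTED):
            return "trusted name inside another domain: " + host
    return None

def red_flags(sender, body):
    """Check one message against the warning signs listed above."""
    flags = [label for rx, label in TEXT_RULES if rx.search(body)]
    if (reason := domain_flag(sender.rsplit("@", 1)[-1].strip("> "))):
        flags.append("sender " + reason)
    for url in URL.findall(body):
        host = urlparse(url).hostname or ""
        if host in SHORTENERS:
            flags.append("shortened URL: " + url)
        elif (reason := domain_flag(host)):
            flags.append("link " + reason)
    return flags

# Constructed sample message, not a real email.
SENDER = "My Bank <alerts@mybamk.example>"
BODY = ("Your account is suspended. Confirm your password immediately at "
        "http://mybank.example.account-verify.test/reset or https://bit.ly/x1")
```

Calling red_flags(SENDER, BODY) returns one entry per warning sign found. An empty list only means none of these particular checks fired, not that the message is safe.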

How to stop phishing emails & attacks in their tracks

Installing and maintaining anti-virus software, firewalls, and email and text messaging filters can help block some phishing messages before they reach you. Using any anti-phishing features available from your email client or web browser can also help.

But you may not always be able to prevent yourself from receiving phishing messages, so arguably the most important thing you can do is to teach yourself to be aware and vigilant in the face of potential attacks.

The Federal Bureau of Investigation provides these tips to help you protect yourself from phishing scams:⁴

  • Legitimate companies won't ask for your login credentials: Be wary of any unsolicited requests for your username or password, whether through email, text, or phone calls.
  • Don't interact with suspicious messages: Avoid clicking links or opening attachments in emails or texts you weren't expecting, even if they seem to be from a familiar source.
  • Verify requests directly: If you receive a questionable request, independently find the company's contact information and reach out to them to confirm its legitimacy.
  • Scrutinize all details: Pay close attention to the sender's email address, URLs in links, and any spelling or grammatical errors. Scammers can use subtle mistakes to deceive you.
  • Exercise caution with downloads: Never open attachments from unknown senders and be cautious even with attachments from people you know, as their accounts could be compromised.
  • Enable strong authentication: Use two-factor or multi-factor authentication whenever possible to add an extra layer of security to your accounts.
  • Protect your personal information online: Be mindful of the information you share on social media and websites. Details like your pet's name, schools attended, or family members can be used by scammers to guess passwords or answer security questions.

When in doubt, follow the Cybersecurity and Infrastructure Security Agency (CISA)’s advice and:

  1. Recognize: Know the common red flags of a phishing attack, like heightened language and requests to send personal information.
  2. Resist: Don’t do anything. Take a minute to analyze before acting, and for good measure, contact your actual institution via a trusted method of communication. For instance, if you receive a text message or email claiming to be from your bank and it appears to be suspicious, consider contacting your bank separately (from a phone number, for instance, that is listed on their actual secure website, or the back of your debit card) to verify its authenticity.
  3. Report: Do not hit unsubscribe to any emails or interact with text messages. Simply report the message or delete it.

To report a phishing email from a Gmail account:

  1. Open the intended message
  2. Next to reply, click the three dots (more)
  3. Click “report phishing”

To report a phishing email in Microsoft Outlook, with the suspicious message selected, choose “Report message” from the ribbon, and then select “Phishing”.

What to do if you believe you are a victim of phishing

If you believe you’ve clicked on a suspicious link or have provided personal information over the phone to an attacker, do the following:

  • Alert your organization if it happened on a work device. This may mean contacting your IT department or network administrator.
  • Contact your financial institution if you believe your account may be at risk.
  • Update any passwords or login information associated with the account that may be compromised immediately.
  • Consider filing a police report and submitting a complaint to the Federal Trade Commission (FTC) at FTC.gov/complaint or to the FBI’s Internet Crime Complaint Center (www.ic3.gov).
  • Visit identitytheft.gov if you believe you may be a victim of identity theft as a result of a phishing scheme.
