Phishing is a huge criminal enterprise. “Phishers” send billions of fake text and email messages and try to get you to click through to a fake website or call a fake number. Your best protection is to not click (or call) anything in a text or email. Take your time. If you want to contact the company involved, use Google or another search engine to find its customer support information and go there yourself.
Phishing uses your emotional responses (fear, anger, greed, excitement, etc.) to get you to call them or click on a link in a fake text or email. Doing so will either install malware on your device or take you to a fake web page where criminals try to collect information (passwords, card numbers, one-time codes) they can use to steal from you. There are thousands of different phishing scams, with new ones every day.
Be suspicious of:
- Thank you emails or receipts for things you didn’t buy (you are tempted to call to straighten it out, but you will be talking to the scammers)
- Any message that warns you an account will be shut off if you don’t act right away (large companies don’t usually do this – even if there is a problem you have time to close the message and call the company directly from the number on their site)
- Texts or emails that want you to click to collect a prize
Cybercrime organizations are surprisingly sophisticated these days. It’s good to know a little bit about how they operate.
- Criminals are playing a vast numbers game. They can afford to pretend to know something about you that feels specific – that you have a certain phone, shop at Costco, have a dog. If it doesn’t apply to you their scam will not work, but if it does apply to you, you let your guard down a little. It’s very inexpensive for them to send billions of fake texts and emails and very expensive to you if you make a mistake.
- Some are very good at creating email that looks like it came from a big company. They can easily copy graphics and formatting. Often they will have some real elements (the logo might go to the real web site) along with a big button that leads to a fake site.
- They use constant “A/B” testing on every aspect of their scams – the subject line, text, graphics, the call to action. You may see the same scam with subtle variations.
But some things are harder to fake than others:
- The sender may be a phone number, a long email address or something else the real company doesn’t use. For instance, AT&T uses a short code to send text messages, not a 10-digit phone number. And in a legitimate email address the company’s own domain name sits right before the “.com” (or other ending). For instance, service@amazon.com, not service@amazon.FTL77.com. In the second address the registered domain is FTL77.com, and whoever owns it can put “amazon” in front of it.
- Many messages are still written in poor or strange English. The graphics might be perfect, but GoDaddy is probably not going to misspell its own name, and Costco wouldn’t text: “your invoice from 28 is printed winning code”
How do you protect yourself from phishing attacks? Especially since some emails and texts are real?
- Slow down. Criminals want you to be stressed and rushed so you’ll make mistakes. If a text or email says you must do something immediately be extra suspicious. Remember, time is on your side – there is no actual rush.
- Don’t click. You almost never need a link that comes from a text or email, and you can always investigate first. If you are worried about your Amazon account, open a new browser window and type the Amazon address in yourself. If you get a security warning from your bank, email provider or mobile company, look up their main customer support number (from the back of your card, your bill, or their real website) and call that. Never use the number the message provides.
- Look at the details. Crooks have come a long way from the “foreign prince wants to give you a million dollars” days, but many scam emails and texts still contain grammatical errors, misspellings, unusual word choices, or a sign-off (such as “Kind Regards”) that the real company never uses in its messages.
- Phone Numbers and Addresses. Major corporations and government agencies do not contact you from random phone numbers and email addresses. A legitimate Amazon email will come from an address ending in amazon.com, not Amazon.CSUP.com. That message comes from whoever registered CSUP.com, which anyone can do for a few dollars. Note that the name shown next to the address (“Amazon Customer Service”) is free text and can say anything; look at the actual address.
- Compare. If you have an email or text that you know is authentic compare everything – especially the sender information. Be aware criminals can copy the logo, formatting & colors from a real email so just because an email looks good is no guarantee.
- Don’t click. It’s worth repeating. Some fake emails will have several real links and one bad link. This makes the bad link look legitimate. On a computer you can hover over a link to see where it really goes before deciding, but the safest choice is still not to click. Don’t call a phone number in a message.
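The sender-address check described in the “harder to fake” list and in the “Phone Numbers and Addresses” point above, written out as an added Python example (this is not code from the original article). It pulls the bare address out of a From header, ignores the display name, takes the part of the domain that someone actually had to register, and compares it against the domains the brand really sends from. The brand-to-domain table, the list of two-part suffixes, and the sample headers are all constructed assumptions for the example, not an authoritative list.

```python
"""Added example, not part of the original article: does the address a message
claims to come from actually belong to the brand it imitates?

The article's rule is that the company's own domain name sits right before the
".com" (or other ending). This helper extracts the address from a From header,
reduces it to the registrable domain (the last two labels, with an allowance
for two-part suffixes such as co.uk), and compares that against the brand's
known sending domains. KNOWN_DOMAINS, TWO_PART_SUFFIXES and the sample headers
below are illustrative assumptions, not complete or authoritative lists.
"""
import re

# Assumed mapping of brand names to the domains they really send from.
KNOWN_DOMAINS = {
    "amazon": {"amazon.com", "amazon.co.uk"},
    "godaddy": {"godaddy.com"},
    "costco": {"costco.com"},
}

# Assumed sample of suffixes that take two labels (extend as needed).
TWO_PART_SUFFIXES = {"co.uk", "com.au", "co.jp"}

# Address inside angle brackets at the end of the header, e.g. "Name" <a@b.c>
ADDR_RE = re.compile(r"<([^<>]+)>\s*$")


def extract_address(from_header: str) -> str:
    """Return the bare address from a From header, ignoring the display name.

    '"Amazon Support" <service@amazon.FTL77.com>' -> 'service@amazon.ftl77.com'
    The display name is free text and can say anything, so it is never trusted.
    """
    m = ADDR_RE.search(from_header.strip())
    addr = m.group(1) if m else from_header.strip()
    return addr.strip().lower()


def registrable_domain(address: str) -> str:
    """Return the part of the domain that someone had to register.

    'service@amazon.ftl77.com'   -> 'ftl77.com'
    'alerts@secure.amazon.co.uk' -> 'amazon.co.uk'
    """
    if "@" not in address:
        raise ValueError(f"not an email address: {address!r}")
    host = address.rsplit("@", 1)[1]
    labels = host.split(".")
    n = 3 if ".".join(labels[-2:]) in TWO_PART_SUFFIXES else 2
    return ".".join(labels[-n:])


def sender_matches_brand(from_header: str, brand: str) -> bool:
    """True only if the sender's registrable domain is one the brand really uses.

    Subdomains of a real domain (mail.amazon.com) pass; look-alikes that merely
    contain the brand name (amazon.ftl77.com, amazon-account-verify.com) do not.
    """
    domain = registrable_domain(extract_address(from_header))
    return domain in KNOWN_DOMAINS.get(brand.lower(), set())


def classify(from_header: str, brand: str) -> str:
    """Label a From header 'ok' or 'suspect' for the brand it claims to be."""
    return "ok" if sender_matches_brand(from_header, brand) else "suspect"


if __name__ == "__main__":
    # Constructed sample headers for demonstration.
    samples = [
        ('"Amazon.com" <no-reply@mail.amazon.com>', "amazon"),
        ("service@amazon.FTL77.com", "amazon"),  # the article's own example
        ('"Amazon Security" <alerts@amazon-account-verify.com>', "amazon"),
        ("support@godaddy.com", "godaddy"),
    ]
    for header, brand in samples:
        print(f"{classify(header, brand):8} {header}")
```

This catches the cheap trick the article describes (a look-alike domain registered by the criminal), which is by far the most common case. It does not catch a From header that has been forged outright to read exactly service@amazon.com; stopping that is the job of the receiving mail system’s SPF, DKIM and DMARC checks, which is one more reason to judge a message by what it asks you to do rather than by how it looks.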