O Phishing! My Phishing!
Phishing is a huge criminal enterprise. “Phishers” send billions of fake text and email messages and try to get you to click through to a fake website or call a fake number. Your best protection is to not click (or call) anything in a text or email. Take your time. If you want to contact the company involved, use Google or another search engine to get customer support information.
Phishing uses your emotional responses (fear, anger, greed, excitement, etc.) to get you to call them or click a link in a fake text or email. This will either download something nasty onto your device or take you to a fake web page where bad guys try to get the information they can use to steal from you. There are thousands of different phishing scams – new ones every day.
Be suspicious of:
- Thank you emails or receipts for things you didn’t buy (you are tempted to call to straighten it out, but you will be talking to the scammers)
- Any message that warns you an account will be shut off if you don’t act right away (large companies don’t usually do this – even if there is a problem you have time to close the message and call the company directly from the number on their site)
- Texts or emails that want you to click to collect a prize
It’s good to know a little bit about how cybercriminals operate.
Cybercrime organizations are surprisingly sophisticated these days.
Criminals are playing a vast numbers game. They can afford to pretend to know something about you that feels specific – that you have a certain phone, shop at Costco, or have a dog. If it doesn’t apply to you, their scam will not work, but if it does, you let your guard down a little. It’s very inexpensive for them to send billions of fake texts and emails and very expensive to you if you make a mistake.
- Some are very good at creating an email that looks like it came from a big company. They can easily copy graphics and formatting. Often they will have some real elements (the logo might go to the real website) along with a big button that leads to a fake site.
- They use constant “A/B” testing on every aspect of their scams – the subject line, text, graphics, and the call to action. You may see the same scam with subtle variations.
But some things are harder to fake than others:
- The sender may be a phone number, a long email address, or something else the real company doesn’t use. For instance, AT&T uses a short code to send text messages, not a 10-digit phone number. And a legitimate email address will have the company’s own domain name immediately before the “.com”. For instance, firstname.lastname@example.org. Not service@amazon.FTL77.com
- Many messages are still written in poor or strange English. The graphics might be perfect, but GoDaddy is probably not misspelling its name and Costco wouldn’t text: “your invoice from 28 is printed winning code”
How do you protect yourself from phishing attacks since some emails and texts are real?
- Slow down. Criminals want you to be stressed and rushed, so you’ll make mistakes. If a text or email says you must do something immediately, be extra suspicious. Remember, time is on your side – there is no actual rush.
- Don’t click. You rarely need a link from a text or email and can always investigate first. If you are worried about your Amazon account, open a new browser window and type in Amazon from there. If you get a security warning from your bank, email provider, or mobile company, go to the phone book or Google their website and call their main customer support number. Never use the number they provide.
- Look at the details. Crooks have come a long way from the “foreign prince wants to give you a million dollars” days, but many scam emails and texts still contain grammatical errors, misspellings, or infrequently used words. Foreign scams often use “Kind Regards” at the end.
- Phone Numbers and Addresses. Major corporations and government agencies are not contacting you from random phone numbers and email addresses. A legitimate Amazon email will come from an email address ending in Amazon.com – not Amazon.CSUP.com. That is coming from a criminal who owns CSUP.com.
- Compare. If you have an email or text that you know is authentic, compare everything – especially the sender information. Be aware criminals can copy the logo, formatting & colors from a real email, so just because an email looks good is no guarantee.
- Don’t click. It’s worth repeating. Some fake emails will have several real links and one bad link. This makes the bad link look legitimate. Don’t call a phone number in a message.
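As an added example that is not part of this article: a small Python check that applies the sender-address rule from the bullets above (the brand must be the registered domain, sitting right before the “.com”, so amazon.com is fine but amazon.CSUP.com belongs to whoever owns CSUP.com). The brand list is constructed for the example, and the check assumes a single-label suffix such as .com.

```python
import re
from typing import Optional

# Brand domains the user expects mail from. Constructed for this example;
# a real mail filter would use the organisation's own allow-list.
KNOWN_BRANDS = ("amazon.com", "att.com", "costco.com", "godaddy.com")

_ADDR_RE = re.compile(r"^[^@\s]+@([A-Za-z0-9.-]+)$")


def sender_domain(address: str) -> Optional[str]:
    """Return the lower-cased domain part of an e-mail address, or None."""
    m = _ADDR_RE.match(address.strip())
    if not m:
        return None
    domain = m.group(1).lower().rstrip(".")
    labels = domain.split(".")
    if len(labels) < 2 or any(not lbl for lbl in labels):
        return None
    return domain


def registrable_domain(domain: str) -> str:
    """The part someone had to register: the two rightmost labels.

    Assumes a single-label public suffix (.com, .net, .org), the case the
    article describes; .co.uk-style suffixes would need a public-suffix list.
    """
    return ".".join(domain.split(".")[-2:])


def check_sender(address: str) -> str:
    """Apply the article's rule: the brand must sit right before the '.com'."""
    domain = sender_domain(address)
    if domain is None:
        return "unparseable sender address"
    owner = registrable_domain(domain)
    if owner in KNOWN_BRANDS:
        return f"ok: registered domain {owner} is a known brand"
    # Brand name used as a subdomain or inside a hyphenated name while the
    # registered domain belongs to someone else (the amazon.CSUP.com pattern).
    words = set(re.split(r"[.-]", domain))
    for brand in KNOWN_BRANDS:
        name = brand.split(".")[0]
        if name in words:
            return f"lookalike: mentions {name} but is registered to {owner}"
    return f"unknown: registered domain {owner} is not on the brand list"
```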