Is that website legit? Avoid phishing and smishing
If people can reach us, they can scam us. There are potential scams by phone, email (phishing), text message (smishing, or phishing via SMS), Facebook posts and Facebook Messenger, online chat groups, and more.
And we’ve all received that urgent email or text. It might go something like this:
- Your bank account is overdrawn. Click here to check your balance.
- Congratulations, you’ve won a prize! Here’s how to claim your winnings.
- Your package has been delayed. Track your package here.
You might recognize some of them as scams, but others can be pretty convincing.
Let’s look at some of the ways scammers are trying to get your information, how you can identify these cybercriminals, and what to do if you (or someone you care about) falls for one of these phishing scams.
What is phishing and why is it so pervasive?
Phishing is when a malicious actor impersonates a known company or website in order to get you to take an action that benefits them.
Most phishing schemes either want you to click on a link or download a file to your computer. From there they may be seeking to obtain login credentials to a website, social media account, email, bank, or another online service.
But there are other forms of phishing, and they are all worth keeping in mind.
- Employee targeting: Scammers send an email to you at your work email address or via a company-issued device, pretending to be your boss or a coworker. These efforts rely on your eagerness to please to get you to click on a link.
- Fake friend requests: Once you friend someone on Facebook, they have access to all of the data you make public on your account (including your jobs, location, the content of your posts, and your friends list).
- Celebrity impersonations/hackings: There have been a few cases where someone has successfully stolen a celebrity Twitter account (or made a convincing fake) and used it to create a bogus fundraising effort with donations not going to charity but to the hacker themselves.
What all of these messages have in common is they are preying on your emotions—fear, excitement, worry. The senders hope that their false urgency will get you to click on a link to learn more—and when you do so, you might become the latest victim of their scam.
Phishing in the pandemic
To capitalize on the pandemic, one malicious phishing strategy involves sending you an email providing up-to-date COVID-19 information, or perhaps an update on vaccinations or something related. In the email is a link to the Centers for Disease Control, a hospital site, or some other trusted source for more information.
However, when you click on the link, you don’t go to the website you expect—but you also don’t end up on an obvious spam site. Instead, the scammers send you to a fake Outlook login page, prompting you to enter your email credentials to log in.
Without thinking, you enter your username and password. Except you haven’t logged in to Outlook. You’ve just filled out a web form that sent your username and password to a cyber thief.
Or perhaps you download a .PDF file with more information. Seems harmless, right? Except to open that file, you need to log into a PDF reader such as one within Office 365. And once the cybercriminal has access to that account, they may then be able to use that as a stepping stone into your workplace or school Office 365 account, where they can do even more damage the next time.
Smishing is the new phishing
Phishing has been around for many years. What’s relatively new is smishing, short for SMS phishing. This is where scammers try to trick you via text message rather than email.
Smishing is a newer tactic and so many people don’t know to look out for it. Email spam has been around for decades, but spam and fraud in our personal texts is new.
Some common messages often mimic notifications you might typically receive from businesses such as package delivery services, banks, and major online retailers. These messages may tempt you to click on a link by telling you a product is out of stock, a package is delayed, or there’s a low balance on your account. These scams count on you to worry enough to click on a link to find out what the problem is. Once you do, just like email scams, you may end up on what looks to be a legitimate website asking for your personal information, or the scammers may try to get more information about you so they can target your phone number for additional scams. They could also host malware on those websites that you inadvertently download to your device.
What’s worrisome about these scams is that most people do not have the same antivirus and anti-malware protection on their mobile devices as they do on their computers, meaning these devices are more vulnerable to hackers.
How to identify a phishing email or text
Our inboxes are bombarded with spam and phishing attempts. Many of these emails get caught by spam filters and you don’t need to worry about them. Every so often, though, one gets through to your inbox, and it looks legitimate. How can you determine if the email is real or a scam?
Most phishing attempts have a number of things in common.
- Convey a sense of urgency, fear, or excitement that makes you want to act immediately
- Masquerade as a known, trusted company or organization, or the CEO of your company
- Use a fake or spoofed email address that looks correct at first glance but rarely withstands further scrutiny
- Include impersonal text that includes no information specific to the recipient
- Have grammatical mistakes, random punctuation, and/or misspelled words
- Contain links that, when you hover over them, point somewhere other than where the link text suggests
- Contain .zip files or other downloadable content
- Ask for personal information
- Include an invoice or otherwise ask for payment
If you receive an unusual or unexpected email about your insurance, bank, mobile phone provider, credit card, healthcare, or another subject, you should always assume it’s fraudulent. Instead of clicking on the links, contact the organization that sent you the email directly by going to their website and calling or emailing them from a legitimate contact page. If you do qualify for a benefit or there’s an issue with your account, someone at the company or organization will be happy to assist you.
Here’s an example of a phishing email I received recently:
To an unsuspecting recipient, it could seem legitimate because of the data included in the email. In my case, I do have a student loan and I certainly would love loan forgiveness. It addresses me by name and even has my mailing address, so it must be legit, right? And it stresses the urgency. There’s a deadline, and if that weren’t enough, it’s also first-come, first-served. So I’d better hurry!
Not so fast. There are a few things that tipped me off that this was fake, and these are things you can look for as well.
- My name is not Janice. (Tip: always give a fake name when signing up for discount codes, company mailing lists, etc. so if they sell their list, you’ll spot the spam later on).
- The address they use isn’t my current address.
- If the US Government had a real forgiveness program I qualified for, they would be sending me information through an official portal (either a governmental email address or my loan processor).
- The footer details (“marketing services” and “advertisements”) are a dead giveaway that this isn’t real.
For more tips and useful information, check out the U.S. Federal Trade Commission’s website on phishing.
What happens when a phishing scheme succeeds?
Phishing schemes are big business. But you might be wondering why so many people are trying to fool you into clicking on links. What could they possibly be doing with these fake websites?
These criminals are trying to access your personal information in order to commit identity theft, gaining enough of your credentials to be able to pretend to be you. According to Credit Karma, they could withdraw money from your bank or apply for loans or credit cards in your name. They might also use your Social Security Number to submit a fraudulent tax return and take your refund.
Other data gained through phishing allows someone to access your health insurance, sign up for utilities, or use your information for other legal and financial interactions.
There are even rings of criminals that buy this data in bulk on the dark web and use it to create fake credit cards or other payment systems and identification.
Your personal data can be a stepping stone to compromising any of your online accounts, even those unrelated to your financial life. This includes your email, your Google or Apple accounts (which can then lead to remotely accessing your computer), and even your work logins. All of this can be a snap using basic social engineering techniques if someone knows just enough about you.
What do you do if you fall for a phishing scheme?
Most of the time we’d like to think we can identify scams that come by phone, email, or text. After all, the poor grammar, cheap graphics, and desperation that are common to most fraudulent communications are a dead giveaway. But scammers are always changing their strategies, and it’s easy to fall for something if you’ve never seen it before, or if it looks real.
If scammers successfully trick you into clicking on their link, or you give out information by mistake, what should you do about it?
- Immediately change your most important account passwords (and PINs, if any), using unique, strong passwords. Priority should be on the following accounts:
  - Email — both personal and work accounts
  - Social media
  - Banks and credit cards
  - Apple (if you have any iOS devices)
  - Utility companies
- If you downloaded anything (or think you may have), run up-to-date anti-malware software on your computer.
- If the phishing ploy involved a company you do business with (either because they impersonated your provider or you gave out your account information), immediately contact the institution in question and let them know. They can deactivate your cards, flag your account for suspicious activity, or take other steps to ensure the scammers can’t access your account.
- Keep an eye on your financial transactions in case there’s any unexpected activity.
- Freeze your credit report (and regularly review your credit score in the future).
- Get identity theft protection if you don’t already have it. Some credit cards, banks, and homeowners insurance companies offer these plans at a low cost. IdentityTheft.gov offers more advice and reporting.
- Report any instances of phishing or identity theft to the appropriate authorities.
Find out more
If you would like to learn more about phishing, online fraud, and other topics, check out the following articles here at Namecheap:
- Dealing with hacked email and social accounts
- Search engine poisoning and how it can affect you
- The shadowy disguises of social engineering
- How to report a fraudulent website to a registrar