Module 8 – Malware Prevention
Module 8 - How to Spot Phishing Scams

Phishing involves the use of email messages that appear to come from your bank or another trusted business in an attempt to scam the user into surrendering private information that will be used for identity theft. A phishing email typically asks you to click a link to visit a website, where you are asked to update, verify or confirm your personal or account information, such as passwords and credit card, Social Security, and bank account numbers.


Don’t Underestimate Cybercriminals, They are Very Talented

Phishing scammers have become increasingly sophisticated in developing fraudulent, yet realistic looking emails and websites that appear to be from legitimate companies. They even include images and logos from whatever organizations they are trying to imitate and are very good at exploiting social engineering techniques.

Businesses in the financial services sector are the ones most targeted with phishing scams, because they have access to money. Major banks all over the world, PayPal and eBay are common targets.

The theft of email credentials is also very popular, because this information can be sold to other cyber criminals who distribute viruses or create zombie networks. Identity theft is therefore not the only threat a phishing link presents: it can also lead to a spyware, keylogger or Trojan infection. So even if you don’t have an account that can be targeted by phishers, you are never completely safe.

Phishing succeeds in large part because many consumers aren’t aware of how their financial institutions operate, so when a cyber criminal spoofs one of their websites, the consumer won’t notice any questionable practices the criminal might use to phish their personal information.


Spotting a Phishing Scam

While it’s not too hard to uncover a crude phishing scam where you get an email from a bank you’ve never opened an account at, it gets much more interesting when you get a phishing email representing a bank you actually have an account at.

If this is the case, you need to look at the message very carefully to figure out if it is a phishing scam or not. One telltale sign may be poor grammar or misspelled words. This will at least help you spot phishing attempts from foreign scammers whose primary language is not English. Who hasn’t heard of the Nigerian phishing scam that has been circulating over the years?

One report said that the top 5 countries doing the most internet phishing are the United States, Republic of Korea, China, France and Germany.

You should also find out what the real website address, or “url” is behind any text links that will direct you to the page where they’ll be asking you for your sensitive information. Will it really direct you to where it appears to go?

For example, the link might say http://www.mybank.com/login, but it might redirect you to an entirely different website. In this “safe” example, if you were to hover your mouse over the link above, you’ll find that the real url that appears in the lower-left of your browser is http://www.google.com. You can also right-click the link and check the properties to find out the real url.

Make sure that the domain in the url is properly spelled as well. If your browser uses domain highlighting, it will help make the domain name stand out more prominently so it isn’t obscured by all the other text. Various internet browsers also come with different methods for spotting phishing attempts.

But the best way to avoid becoming a phishing victim is to use good judgment, based on common sense and a little skepticism. Remember that financial institutions will not email you and then ask you to enter your sensitive information. In fact, most institutions make it a habit to inform their customers that they will never ask for personal information via phone or email.


Quick Tips to Avoid Phishing Scams

  • Be Suspicious of Demanding Messages: Messages threatening to cancel, close or suspend your account without your quick response should be handled with suspicion.
  • Be Cautious of Downloads: Installing unknown software on your computer can put your personal information at risk and will ultimately lead to problems with your operating system.
  • Run Frequent Virus Scans: Scan your computer for viruses and make sure your virus software, operating system, and browser patches are up to date.
  • Being Vigilant is a Good Defense: You should periodically check your financial account’s status to see if there is any suspicious activity. But email Spam Filters remain the first line of defense against phishing.
  • Periodically Change Your Password: If you believe any of your online accounts have been compromised, change your account password immediately.
  • Use Unique Passwords: To prevent someone accessing multiple accounts, use different passwords for each account. Also, a strong password will include a combination of letters, numbers and symbols, with lower and upper case letters. There are Password Manager programs that can help you manage your passwords.
  • Contact Your Bank and Credit Card Company: If you believe you submitted your financial information into a phishing site, contact your bank and credit card company immediately.


Advice for Victims of Phishing Scams

If you fall for a phishing scam and think you might become a victim, be sure to let your financial institution know about it. You should also initiate a fraud alert on your credit report by contacting one of the major credit agencies like Equifax, Experian or TransUnion. You should also watch your email and financial accounts very closely.

  • Check both your online and paper statements. If your statements stop being delivered or show signs of unusual activity, call your bank immediately.
  • If you receive a suspicious email, you can report it. You can send it to the US Federal Trade Commission at spam@uce.gov or you can just click the “Report as Junk” (or similar) button in your email program.
  • You can also submit any suspicious emails to the Anti-Phishing Working Group (APWG) at reportphishing@apwg.org. Their website also has some of the best info about combating phishing at http://www.antiphishing.org
  • The average lifetime of a phishing site is 5 days, so report it quickly.
