What is Phishing?
Phishing is a type of online scam where criminals send an email that appears to be from a legitimate company asking you to provide sensitive information. This is usually done by including a link that supposedly takes you to the company’s website where you are asked to fill in your information – but the website is a clever fake and the information you provide goes straight to the crooks behind the scam.
The term ’phishing’ is a pun on the word fishing because criminals are dangling a fake ’lure’ (the email that looks legitimate, as well as the website that looks legitimate) hoping users will ’bite’ by providing the information the criminals have requested – such as credit card numbers, account numbers, passwords, user names, and more.
See just how clever these phishing scams can be in this example of a fake Charles Schwab notice. The first picture shows the scam as it appeared in email, the second picture shows where the clues are tipping you off that this is indeed fraudulent.
Here are some clues indicating this email is actually a scam:
- The email is not addressed to the recipient. If the recipient was truly being notified by Charles Schwab that there was an issue with their account, they would know the recipient’s name.
- Again, they don’t know the recipient’s name;"Dear Customer" isn’t an identifier.
- The recipient hasn’t attempted to sign into a Schwab account, so could not have exceeded the number of attempts allowed.
- Grammatical errors: The words Online Banking are capitalized throughout the text. And, if you read carefully, the text says "Please visit www.schwab.com/activate Reset Account your account" which clearly doesn’t make sense, but since most people scan emails quickly, grammatical errors that are this small usually don’t get noticed.
- They try to reassure recipients by encouraging them to confirm the email is from Schwab….. by using a link they provide.
- Look at the 6th flag; this shows the true email address displayed when you hover your mouse over any link on this page (which is a red flag in itself, what company would have all of these actions point to the same link?). See that the website is actually http://almall.us? The scammer added the words /schwab.com/ after their website’s true name in an attempt to look legitimate, but this site is anything but legitimate.
Seeing any one of these flaws is enough to tell you the email is a phishing attempt – but what if these errors aren’t present?
A smarter scammer could have corrected all these mistakes, including knowing the recipient’s name and email address, and masking their URL in a much more convincing manner. If they had done a better job there would have been nothing in the message to trigger your alarm bells – even though the email would still be fake.
So how can you guarantee you don’t fall for a phishing scam?
Apply these two actions consistently and you will be nearly 100% protected from online scams.
- Drive, don’t be pulled. Stay in the driver’s seat by finding the website yourself. This is the ONLY way to guarantee you land on the legitimate site. If you use the link (or phone number) in an email, IM, ad on a website/blog site/forum/social network/text message, etc., where you land (or who you talk to) is their choice, not yours. The website they take you to (or the ’bank manager’ on the phone) may be a very convincing copy, but if you enter your information it will be stolen and abused.
Instead, use your own link. If you use the company, you may already have a bookmark for the website you can use, if not, use a search engine and type in the company’s name, then use the link from your search engine to go to the correct site. If the email is legitimate, you will see the same information when you log into your account on the legitimate site.
- Install or activate a web tool that identifies malicious sites for you so you know the website you find is legitimate. There are several tools that will do this for you. Every standard browser now has a tool you can turn on to alert you if a website you are about to click on, or just clicked on, is safe or malicious.