Phishing is a type of online scam where criminals send an email that appears to be from a legitimate company and ask you to provide sensitive information. This is usually done by including a link that will appear to take you to the company’s website to fill in your information – but the website is a clever fake and the information you provide goes straight to the crooks behind the scam.
The term ’phishing’ is a spin on the word fishing, because criminals are dangling a fake ’lure’ (the email that looks legitimate, as well as the website that looks legitimate) hoping users will ’bite’ by providing the information the criminals have requested – such as credit card numbers, account numbers, passwords, usernames, and more.
See just how clever these phishing scams can be in this example of a fake Charles Schwab notice. The following image highlights clues that will tip you off that this is indeed fraudulent.
Here are some clues indicating this email is actually a scam:
The email is not addressed to the recipient. If the recipient was truly being notified by Charles Schwab that there was an issue with their account, they would know the recipient’s name.
Again, they don’t know the recipient’s name;"Dear Customer" isn’t an identifier.
The recipient hasn’t attempted to sign into a Schwab account, so could not have exceeded the number of attempts allowed.
Grammatical errors: The words Online Banking are capitalized throughout the text. And, if you read carefully, the text says "Please visit www.schwab.com/activate Reset Account your account" which clearly doesn’t make sense, but since most people scan emails quickly, grammatical errors that are this small usually don’t get noticed.
They try to reassure recipients by encouraging them to confirm the email is from Schwab….. by using a link they provide.
Look at the 6th flag; this shows the true email address displayed when you hover your mouse over any link on this page (which is a red flag in itself, what company would have all of these actions point to the same link?). See that the website is actually http://almall.us? The scammer added the words /schwab.com/ after their website’s true name in an attempt to look legitimate, but this site is anything but legitimate.
Seeing any one of these flaws is enough to tell you the email is a phishing attempt – but what if these errors aren’t present?
A smarter scammer could have corrected all these mistakes, including knowing the recipient’s name and email address, and masking their URL in a much more convincing manner. If they had done a better job there would have been nothing in the message to trigger your alarm bells – even though the email would still be fake.
So how can you guarantee you don’t fall for a phishing scam?
Applying these two actions consistently will help to protect you from online scams:
- Use your own link. If you use the company, you may already have a bookmark for the website you can use, if not, use a search engine and type in the company’s name, then use the link from your search engine to go to the correct site. If the email is legitimate, you will see the same information when you log into your account on the legitimate site. This is the ONLY way to guarantee you land on the legitimate site. If you use the link (or phone number) in an email, IM, and on a website/blog site/forum/social network/text message, etc., where you land (or who you talk to) is their choice, not yours. The website they take you to (or the ’bank manager’ on the phone) may be a very convincing copy, but if you enter your information it will be stolen and abused.
- Install or activate a web tool that identifies malicious sites for you so you know the website you find is legitimate. There are several tools that will do this for you. Every standard browser now has a tool you can turn on to alert you if a website you are about to click on, or just clicked on, is safe or malicious.
If you find you are the victim of a phishing scam, change all of your passwords immediately. If you use the same password for multiple sites (we hope you don't), cybercriminals could be in the process of trying to access other commonly used sites. Consider using a password manager in the future to lower your risk profile, and make sure you have an antivirus solution with secure web browsing features installed and up to date.