Gone Phishing: How To Avoid Being Caught By Scammers
Published on September 9th, 2009, by Adam Baker. Adam Baker is a new GRS Staff Writer. In addition to writing for Get Rich Slowly, Baker blogs over at Man Vs. Debt, where you can find his personal background story and read more of his writing.
Last week, I adjusted several preferences on my PayPal account. I added and verified a new e-mail address and swapped my linked bank account. Shortly after finalizing the changes, I received a brief e-mail from PayPal stating that I needed to log in to verify my account.
Nothing seemed suspicious at first. But on closer examination, I noticed that the message was asking me to log in using a form embedded in the e-mail itself. “That’s weird,” I thought. Then it hit me: a well-timed phishing attack had just slipped past my e-mail account’s spam filter. I couldn’t believe how similar it was to the legitimate e-mails I’d received earlier that day confirming my account changes, or how perfect the timing of the attack was.
Fortunately, I had previously been exposed to the basics of this type of scam. I reported the attack by forwarding the message to PayPal and then immediately deleting it. Nevertheless, I realized how easy it would have been for me to fall for this phishing scam, especially given the luck of the timing. Hopefully by increasing awareness of these scams, we can decrease the chance that others will fall victim.
What exactly is a phishing scam?
“Phishing” is the process by which a criminal disguises himself as a trusted entity in order to fraudulently obtain sensitive information. Although phishing can occur in many forms, the most common of these attacks involves the creation of an e-mail, one which prompts the recipient to enter specific personal information. This allows the criminal to “catch” the resulting data.
Phishing is relatively young. The first major cluster of phishing activity targeted America Online accounts only about 15 years ago. As online banking has grown more popular, many newer attacks have targeted banking customers. Over the last five years, the frequency and sophistication of these scams have exploded. Sadly, as a recent article in Business Week pointed out, the current recession has only spurred this upward trend.
What information are thieves looking to catch?
Most attacks target very specific information, often just the username and password for the site being impersonated. (In my case, the scam was after only my PayPal username and password.) Because far too many people reuse one password across many accounts, a single stolen password frequently lets thieves into a victim’s other accounts as well.
Although it’s more rare, some attacks attempt to steal broad personal information. This may include your:
- social security number
- date of birth
- driver’s license number
- banking PINs
This information is often compiled into a database that can later be used to open fraudulent accounts or apply for new lines of credit. An attack tailored to a specific individual or organization, using details gathered about the target beforehand rather than a generic mass mailing, is called spear phishing.
How to spot a phishing scam
In the past, telling these scams apart from legitimate e-mails was much easier. They often contained obvious typos, short or broken sentences, and disjointed formatting. Unfortunately, it didn’t take long for the scammers to refine their craft. Most of today’s attacks are meticulous replicas of the impersonated company’s real messages and pages.

Of the attacks that target a specific online account, there are two primary methods used to capture your data. The majority urgently prompt you to follow a hyperlink to log in to your account. These embedded links lead either to a bare login form or to an elaborate copy of the genuine brand’s homepage. Whatever the link text says, the address the link actually opens is what matters, and the one reliable defence is to ignore the link entirely and reach the site through your own bookmark or by typing its address yourself.
Rather than redirecting you to another site, a portion of phishing attacks embed the login form within the e-mail itself, so that whatever you type is submitted straight to the attacker’s server. This was the tactic that tipped me off to the fraudulent PayPal e-mail I received last week. The e-mail stated, “For your convenience, you can log into your account using the secure fields below.” How nice of them!
Another less common but effective tactic (sometimes called vishing, for voice phishing) asks the recipient to call a fraudulent customer service number for urgent account information. Once dialed, the automated system asks the victim to enter information such as account numbers, security PINs, expiration dates, and even passwords. Many people are more susceptible to this form of phishing because they are accustomed to automated phone systems when calling customer service. The safe response is to call only the number printed on your card or statement, never one supplied by the message.
Phishing scams can also be identified through common trends in phrasing. The following examples should send up red flags:
- Extreme Urgency: Phishing attacks often impose an urgent time-frame to increase the chance that you respond without thinking. They might, for example, state that you need to log in “within 24 hours” or “by Thursday at 12:00 a.m.”
- Account Restrictions: Many attacks will claim that access to your account has been (or soon will be) closed. They use phrasing such as “to restore access to your account” or “to prevent your account from being closed.”
- Security Issues: Ironically, attacks often refer to a security threat or breach. Some will explain that you need to log in to update your security settings. Others may urge you to download and install a “security update” that is really a keylogger or other form of malicious software.
- Bonuses or Promotions: Some attacks will claim that you’ve won a bonus or special promotion. This may take the form of a cash bonus or a free upgrade to a premium account of some sort. Of course, you have to log in to claim your prize.
Phishing attacks can target a wide variety of online accounts. Research has shown that brands like PayPal and eBay are consistently targeted, as are large banking institutions. Around tax time, you should be especially wary of fraudulent e-mails impersonating the IRS and tax preparation companies. These days, even social media and internet gaming accounts are targets for phishers!
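As an added example (this is not code from the original article), here is a small Python scanner that applies the tells described above to a raw e-mail: the urgency, restriction, security and prize phrasing; a login form embedded in the message body; links whose visible text shows one domain while the href opens another; and links that point outside the claimed sender's domain. The two messages it scans are constructed samples modelled on the e-mail described in the article; the host `paypal.com.account-verify.example` is made up, and the `registrable()` helper is a deliberate simplification (last two labels of the host name, no public-suffix list).

```python
"""Heuristic scanner for the phishing tells listed above.
Added example, not code from the original article. The two messages at
the bottom are constructed samples; the attacker host name is made up.
"""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Phrase rules taken from the article's list of red flags.
PHRASE_RULES = [
    ("urgency", re.compile(r"within \d+ hours|immediately|by \w+day at \d", re.I)),
    ("account restriction", re.compile(
        r"restore access|account (has been|will be|is) (closed|limited|suspended)", re.I)),
    ("security bait", re.compile(
        r"security (update|settings|alert|breach)|unauthori[sz]ed|unusual activity", re.I)),
    ("prize bait", re.compile(r"you('ve| have) won|claim your (prize|bonus)", re.I)),
]
DOMAIN_IN_TEXT = re.compile(r"(?:https?://)?([\w-]+(?:\.[\w-]+)+)", re.I)


class HtmlInventory(HTMLParser):
    """Collect links as (href, visible text), form actions and password fields."""
    def __init__(self):
        super().__init__()
        self.links, self.forms, self.text = [], [], []
        self.password_fields = 0
        self._link = None  # [href, text chunks] while inside an <a> element

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "a":
            self._link = [a.get("href", ""), []]
        elif tag == "form":
            self.forms.append(a.get("action", ""))
        elif tag == "input" and a.get("type", "").lower() == "password":
            self.password_fields += 1

    def handle_endtag(self, tag):
        if tag == "a" and self._link is not None:
            self.links.append((self._link[0], "".join(self._link[1]).strip()))
            self._link = None

    def handle_data(self, data):
        self.text.append(data)
        if self._link is not None:
            self._link[1].append(data)


def registrable(host):
    """Last two labels of a host name (simplification: no public-suffix list)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def scan(raw_message):
    """Return a list of (rule, detail) findings for one raw e-mail."""
    msg = message_from_string(raw_message, policy=policy.default)
    sender_domain = registrable(parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2])
    body = msg.get_body(preferencelist=("html", "plain"))
    inv = HtmlInventory()
    inv.feed(body.get_content() if body else "")
    inv.close()
    findings = []
    visible = " ".join(inv.text)
    for rule, pattern in PHRASE_RULES:
        hit = pattern.search(visible)
        if hit:
            findings.append((rule, hit.group(0)))
    if inv.forms or inv.password_fields:  # credentials typed here go to the form's action URL
        findings.append(("embedded login form",
                         f"{len(inv.forms)} form(s), {inv.password_fields} password field(s)"))
    for href, text in inv.links:
        host = urlparse(href).hostname
        if not host:
            continue  # mailto:, anchors, relative links
        if registrable(host) != sender_domain:
            findings.append(("link domain mismatch", f"{href} is not under {sender_domain}"))
        shown = DOMAIN_IN_TEXT.search(text)  # link text that itself looks like an address
        if shown and registrable(shown.group(1)) != registrable(host):
            findings.append(("disguised link", f"text shows {shown.group(1)}, href opens {host}"))
    return findings


# Constructed phishing sample modelled on the e-mail described in the article.
PHISH = """\
From: "PayPal" <service@paypal.com>
Subject: Please verify your account
Content-Type: text/html; charset="utf-8"

<html><body>
<p>We have observed unusual activity in this account. To restore access
to your account you must log in within 24 hours.</p>
<p>Visit <a href="http://paypal.com.account-verify.example/login">https://www.paypal.com/</a>
or, for your convenience, use the secure fields below.</p>
<form action="http://paypal.com.account-verify.example/submit" method="post">
<input name="user"><input type="password" name="pass"></form>
</body></html>
"""
# Constructed benign sample: link text and href agree and stay under paypal.com.
LEGIT = """\
From: "PayPal" <service@paypal.com>
Subject: Your monthly statement is available
Content-Type: text/html; charset="utf-8"

<html><body><p>Your statement is ready. Log in at
<a href="https://www.paypal.com/">www.paypal.com</a> to view it.</p></body></html>
"""

if __name__ == "__main__":
    for rule, detail in scan(PHISH):
        print(f"{rule}: {detail}")
    print("benign sample:", scan(LEGIT))
```

Run it and the phishing sample trips every rule except the prize bait, while the benign sample produces no findings. The phrase rules are the weakest part (wording is cheap to change); the form and link checks are the ones worth keeping, because the attacker cannot avoid pointing you at a server they control.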
Additional resources
While I’ve attempted to outline the basics of the phishing scam, it’s impossible to cover every detail. For more information, here are some additional resources:
- The official U.S. Federal Trade Commission’s site on identity theft
- Whitepapers: The Phishing Guide
- Phishing Scams in Plain English [video]
- 33 Ways to Thwart Identity Theft
- How and where to report phishing attacks
How often do you encounter phishing scams? Do you know anyone who has been a victim? Any additional tips for staying out of harm’s way? Join the discussion by adding your experience below!
Hook, line, and sinker photo by ToastyKen. Click through on the photo to read his own story of falling for a phishing scam.
This is an important topic for personal finance blogs. Around the time Bush approved the economic stimulus plan, several phishing scams were sent out inviting you to enter your Social Security number to “claim your stimulus check immediately.” I’m sure thousands of people fell for it.
One thing I do is mouse over the links in my email client. If they go to a domain name that doesn’t match the domain name I’m familiar with, I don’t click on them. If you’re not sure, best to delete the email and just log in at the site you always log in at.
-Erica
I just sent an email to paypal after reading this entry and got a very nice note from them thanking me for my efforts to prevent phishing. It was a bit hard to find the address (which is spoof@paypal.com) but I feel that I’ve done my bit to keep the internet clean today.
It was actually refreshing to read this post this morning. It had the personal finance edge to it, but wasn’t heavily weighted toward it. A change of pace was nice!
I like the way Vanguard adds an extra layer of security to your account. When you sign up for an account, the site gives you a picture and asks you to caption it. Later, when you put in your username, it shows you your picture and caption before you put in your password.
I get phishing emails from “my bank” every few weeks. At first, I forwarded them to my bank, but my bank sent an email back saying that it was a phishing scam and my security info was in grave danger, but it’s not like I fell for it, so I’m at no risk (except someone may know where I bank). Now I just delete them.
I use a simple rule: *Never* use a link in an e-mail if it’s a site that requires you to log in. *Always* type the URL in manually.
A long read and not exactly a phishing scam, but this is one of my favorite stories from the net (some language NSFW):
http://www.zug.com/pranks/powerbook/
A couple of forum members gang up to scam an eBay scammer.
I’d be suspicious of the “luck of the timing.” Given the sophistication of targeted advertising I’d not be surprised if the phishers had access to or knowledge of your activity. Not the specifics, but at least that you’d been visiting the site.
I’d like to expand on #6 cph’s comment.
Rule 1: Never click on a link in an email from “your bank” always type the URL manually.
Rule 2: Never click on a link in an email from “your bank” always type the URL manually.
Rule 3: If you receive an email that urgently asks for your information go back and read rules #1 and 2.
Phishing scams have hit my university the past couple of years. They pose as though they are the help desk, saying they need your username and password to complete some account settings or maintenance. They looked legitimate and got at least a handful of accounts.
Watch out for these phishing scams!
Just as an addition to the “what is phishing?” section…
Phishing is a type of hacking that falls into the ‘social engineering’ category. The idea is that the scammer sends out many mails in the hope that one unlucky mark will bite – just like fishing. The ‘ph’ prefix comes from a term in the early days of hacking – phreaking – where hackers used various techniques, both social and technical to access the telephone network for, amongst other things, free calls.
Interesting term and phenomenon. Seems to prey on people’s impulses and stupidity.
Why the “phisher” can’t just use a spell-checker and write with proper grammar is a mystery.
Just stop buying things on impulse and read everything. Join me this austerity September and buy nothing!
#8 My brother and I have noticed this as well… it always seems to be impeccably timed… especially revolving around paypal!
Great article here Baker.
The best advice I can give as an Information Technology Manager mirrors what you mention in your post, and what Erica (comment #1) mentioned…
Thanks for the post! I try to be really careful, but I did not realize phishing got so sophisticated. I thought that typos, irregular spacing, etc. would tip me off if this ever happened to me, but it didn’t occur to me that scams were this advanced, for some reason. And the eerie timing is just frightening. I emailed your article to a few people I know. You can just never be too careful.
I will repeat this because its the best way to defend against this. Always go to your banking website by your own bookmarks or typing in the address bar. Don’t use a link in the email no matter the convenience and NEVER enter confidential information in an email or outside site. Great Post.
I’ve received similar PayPal emails, but since I don’t have a PayPal account, I’ve never fallen for it.
I usually hover over the link and check the URL – that is the quickest way to see the email is bogus.
Even legit emails I get – ex: telling me my monthly bank statement is available – I go to my bookmark (or type the URL) and log in there rather than clicking anything in the email.
Oops.
Baker left a reply to several comments, but I accidentally deleted his post. Sorry folks. And now he’s probably asleep. It’s 3am in New Zealand!
@ erica – That’s another great example of an event-based phishing scam. Got to be careful for these type of one time surges.
@ Cathy – Thanks for providing that e-mail, it’s something I definitely should have included above. You’ve done your part.
@ cph – That’s a great rule of thumb.
@ Tyler – Haha, thanks for linking to that story. Refreshing to read.
@ Linear Girl – I found it suspicious, too. I’ve not ruled out the possibility of what you suggest, but I can’t think of any way to know or anything to do differently. For now, I’ll just closely monitor the account.
@ David – I didn’t think of Universities, but that’s great to point out. I’m sure it’s rampant there.
@ Tom – Great summary of phishing. I actually didn’t realize that the ‘ph’ originally came from phreaking. Thanks!
@ ebyt – Don’t sweat it. If I’m being totally honest, this was the first time I really have seen an authentic attempt face-to-face. I didn’t realize how people could fall for them until I got this one!
Also, lots of people backing up creating your own trusted bookmarks. This is a great way to still save time, but add a touch of security. Sweet tips.
Very great article. I work in a university environment and we are constantly faced with spam and phishing email issues. You would think people would not fall for it anymore, but you would be surprised how easily people share their email passwords over email because someone is asking them urgently.
- Roozbeh
Adam–I must have gotten the same PayPal message you did, and it happened last week. The email said–ironically–”We have observed activity in this account that is unusual or potentially high risk.”
Then there was an attachment that looked exactly like the PayPal website asking for ALL of my personal information. But it got worse…
Later that same day, I got a similar email from my bank, again noting suspicious account activity, with an email attachment that was a dead ringer for my bank’s website. At this point I called my bank, thinking there might be something going on since two of my accounts were showing issues. There could have been a legitimate security theft issue.
The bank promptly told me it was fraudulent and to report it to their fraud department, which I did.
Fortunately, I didn’t respond directly to either email due to the generic nature of the sources and the fact that they asked for extremely detailed information, of the kind that each company should have on file to begin with.
But the fact that it was done so convincingly with two accounts shows how sophisticated the phishers have become. If only they could take that obvious talent and apply it to something legitimate…the possibilities of what they could produce are mind boggling!
Loved this post Baker – thank you!
Oh man that’s nothing at all what I assumed a phisher looked like. He’s wearing a tie and everything. I assumed a phisher would be an amorphous inhuman blob. They definitely seem robotic in the language of some of their lamer attempts.
But your Paypal story certainly is alarming. I feel like that’s something I would’ve almost fallen for. I wonder how they even knew you were changing your email (or was it a coincidence?). I keep getting emails from my bank addressed to “Jacob E. Busk” which is CLOSE to my name (not really) but definitely no cigar. I hope phishing doesn’t become as prevalent as trashy forwards were in the late 90s…
Paypal makes itself a prime target for Phishing. Since they send links through their own emails, it’s not odd to receive a fake Paypal email with links in it!
At least this is the case for the “confirm your e-mail address” you get when you sign up.
You can log in and enter the numeric code they send directly into your profile, but the fact that they send links just invites trouble.
DON’T BE FOOLED if the link text looks like the real url!! HTML can be used to disguise the true destination of a link.
For example, here is a link to Google: http://www.google.com
But if you click it, you go to Yahoo! Phishers can very easily make a link to their site look like the true url of your bank.
@ Jack – Even scammers have a dress code.
@ Micheal – That’s a great observation. Actually many companies do that when confirming set-ups. Ironically, they use the same tactic as the scammers, because both know it helps increase the number of people who end up clicking/confirming.
@ Courtney – Also a good point. Several people have suggested hovering over the link to check where it *actually* links to, but there are even creative ways to mask this. Many websites do this to hide affiliate links, etc…
I got two email notices from the “IRS” about a tax underpayment / fraud application today. With a convenient link to click on to get the details, of course.
(sigh)
I was recently hooked by one of the phone scams, and it really sucked. I called my bank a few moments after I got the call because it felt weird, and nothing was stolen but my dignity.
I wrote about it on Momknewbest.blogspot.com
Several years ago when I would get phishing emails all the time, I would submit nasty messages to the phishers in the username/password fields they would provide in the email.
A bit childish, but it gave me more satisfaction than just forwarding to the fraud dept.
Phishing scams are only increasing due to the economic environment. And the scams are becoming more elusive. For example, some work environments have their own IT staff under a certain name and many are now calling claiming they are from the department and asking for a password or your e-mail will be shut off. I think most are now immune to the countless spam messages. Yet on the phone, surprisingly many people will give out their password. Once this is done, someone can access an account with usually sensitive information.
The IRS scam is prominent as well as some have indicated. I usually get these around tax filing time. They normally come under the guise of the local taxing authority. In California for example they will claim they are the Franchise Tax Board and explain how I have unclaimed funds and usually ask for your Social Security number and name on a dummy web site.
Great post. One thing that I didn’t see mentioned in the article or in the comments is that legitimate emails from both Paypal and Ebay will always address you by your first and last name when emailing you. The phishers always address you as “valued customer” or something along those lines.
A few people have recommended typing the URL yourself (or using a saved bookmark), which is good advice. However, I came across a situation a while back where someone’s PC was infected with a virus, and it updated the HOSTS file. Without getting too technical, that meant that it automatically redirected her to a different website when she typed in the bank’s URL herself; fortunately, she noticed that it looked different, and called me for help. Even if your computer is clean, the same thing could happen if you use a DNS server that’s been compromised, e.g. a wireless router. So, keep your eyes open!
SSL certificates can also help with this, although my bank (Lloyds TSB) doesn’t handle them very well, e.g. this website works:
http://www.lloydstsb.com/ (legitimate but insecure)
but this one doesn’t:
https://www.lloydstsb.com/ (would be secure if it worked)
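The HOSTS-file redirect the commenter above describes is easy to check for, because a hosts file on a normal machine should never contain the name of a site you log in to at all. The Python below is an added example (not from the original page or from any of the commenters): it parses hosts-file text and reports any entry for a watched domain or one of its subdomains, whatever address it points at. The watch list, the domain `bank.example` and the hosts content are constructed for the demo; `203.0.113.7` is from the documentation address range and belongs to nobody.

```python
"""Report hosts-file overrides for sites you log in to.
Added example, not from the original page. A hosts entry for a bank
domain short-circuits DNS, so typing the correct address still lands on
the attacker's server. The watch list and hosts text are constructed.
"""
import ipaddress

# Constructed watch list: names that must never appear in a hosts file.
WATCHED_DOMAINS = ("bank.example", "paypal.com")


def parse_hosts(text):
    """Yield (ip, hostname) for every mapping in hosts-file text.
    Handles comments, blank lines, several names per line and IPv6.
    """
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # not an address, so not a mapping
        for name in fields[1:]:
            yield str(ip), name.lower().rstrip(".")


def _is_under(name, domain):
    return name == domain or name.endswith("." + domain)


def find_overrides(hosts_text, watched=WATCHED_DOMAINS):
    """Return {hostname: ip} for every watched domain (or subdomain) that the
    hosts file maps anywhere. Even a mapping to 127.0.0.1 is reported: it
    would silently block the real site, which is still hostile.
    """
    return {name: ip for ip, name in parse_hosts(hosts_text)
            if any(_is_under(name, d) for d in watched)}


# Constructed hosts file; the last two mappings are what a hijack looks like.
SAMPLE_HOSTS = """\
127.0.0.1   localhost
::1         localhost ip6-localhost
# injected by malware (constructed for this example)
203.0.113.7 www.bank.example bank.example
203.0.113.7 www.paypal.com
"""

if __name__ == "__main__":
    for name, ip in find_overrides(SAMPLE_HOSTS).items():
        print(f"SUSPICIOUS: {name} -> {ip}")
```

Feed it the real file (`/etc/hosts` on Unix-like systems, `%SystemRoot%\System32\drivers\etc\hosts` on Windows) instead of the sample. It does not cover the commenter's second case, a compromised resolver such as a hijacked wireless router; catching that needs a comparison of what your resolver returns against a trusted one, which is a network check rather than a file check.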
“Phishing is relatively young. The first major cluster of phishing activity focused on obtaining information through America Online accounts only 15 years ago.”
Doesn’t that put the start of phishing around 1994, which is before the majority of people got online, and before online banking really took off? So to most people phishing’s been around as long as the internet. It’s more like, as long as there’s been a way to fool people into giving up their personal details, phishers have been doing it.
I’m amazed by how many people still get fooled by these things. Rule #1 of internet: never respond to spam to get removed off email lists; rule #2: never believe any email that provides you a link and asks you to log in.
I would add one bit of advice to avoid falling prey to “phishers”. That is, Use Your Head!!!
I am not saying that all of these types of attempts are obvious and blatant, but as long as we all realize that these types of thieves are out there, and we do our best to not make it easy for them, and again, use your head, for the most part, you should be just fine.
Be vigilant, keep your eyes wide open, and always keep in mind that the internet is a very very public place.
For all the Firefox users out there you should use the Web of Trust add on https://addons.mozilla.org/en-US/firefox/addon/3456
Members mark websites as good or bad and if you stumble across something that has been rated as dangerous a big warning will pop up before loading the page. Very useful for avoiding being tricked by phishing attacks.
Thanks for the helpful tips. I recently received an email (supposedly from paypal) which seemed like it could be such a scam. I saved it and didn’t do anything with it. Reading your article confirmed this email is probably in fact a scam to obtain my personal information. When I checked my paypal account (by logging in directly on their website) everything was fine. Here is a small excerpt from the email:
We recently received a report of unauthorized credit card use associated with this account. As a precaution, we have limited access to your PayPal account in order to protect against future unauthorized transactions. Please download the form attached to this email and open it in a web browser. Once opened, you will be provided with steps to restore your account access. We appreciate your understanding as we work to ensure account safety.
This is a scarily eye-opening post. I don’t remember ever reading a blog post so carefully. I will take heed and keep myself out of problems because of ignorance and not being observant enough. Thanks, man. I think that I will link to it in my blog (I will notify you first).
In GMail there exists a lab gadget called “Authentication icon for verified senders” which indicates whether an e-mail can be verified. Currently only works for PayPal and eBay, but it is still very handy. None of the phishing attempts ever get through!
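A "verified sender" indicator of the kind the commenter above describes rests on the sender-authentication results (DKIM and SPF) that the receiving mail server records in an Authentication-Results header. The Python below is an added example, not code from the original page and not Gmail's implementation: it parses that header and calls the sender verified only when a passing DKIM signature or SPF check belongs to the same organisational domain as the From address, and only when the header was added by your own server, since anyone can forge an Authentication-Results line in a message they send you. The three messages are constructed samples; `mx.example.net` stands in for your mail server, `bulk-mailer.example` is made up, and `org_domain()` is a simplification (last two labels, no public-suffix list).

```python
"""Sender-authentication check of the kind behind a 'verified sender' icon.
Added example, not from the original page or from Gmail. Reads the
Authentication-Results header (RFC 7001 format) added by the receiving
server and requires a passing DKIM or SPF result aligned with From.
The messages below are constructed samples.
"""
import re
from email import message_from_string, policy
from email.utils import parseaddr


def parse_auth_results(value):
    """Return (authserv_id, [(method, result, props), ...]) for one header value."""
    authserv, *stanzas = [s.strip() for s in value.split(";")]
    results = []
    for stanza in stanzas:
        m = re.match(r"(\w+)=(\w+)(.*)", stanza)
        if m:
            method, result, rest = m.groups()
            props = dict(re.findall(r"([\w.]+)=(\S+)", rest))
            results.append((method.lower(), result.lower(), props))
    return (authserv.split()[0] if authserv else ""), results


def org_domain(domain):
    """Relaxed alignment: compare the last two labels (simplification, no PSL)."""
    return ".".join(domain.lower().lstrip("@").rstrip(".").split(".")[-2:])


def verified_sender(raw_message, trusted_authserv):
    """Return the authenticated domain aligned with From, or None.
    Headers whose authserv-id is not trusted_authserv are ignored: anyone can
    put a forged Authentication-Results line into a message they send you.
    """
    msg = message_from_string(raw_message, policy=policy.default)
    from_domain = parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2]
    if not from_domain:
        return None
    for header in msg.get_all("Authentication-Results", []):
        authserv, results = parse_auth_results(str(header))
        if authserv.lower() != trusted_authserv.lower():
            continue
        for method, result, props in results:
            if result != "pass":
                continue
            if method == "dkim":
                signer = props.get("header.d", "")
            elif method == "spf":
                signer = props.get("smtp.mailfrom", "").rpartition("@")[2]
            else:
                continue
            if signer and org_domain(signer) == org_domain(from_domain):
                return signer
    return None


# Constructed samples. Only mx.example.net (your own server) is trusted.
LEGIT = """\
Authentication-Results: mx.example.net; dkim=pass header.d=paypal.com; spf=pass smtp.mailfrom=paypal.com
From: "PayPal" <service@paypal.com>
Subject: Your receipt

Thanks for your payment.
"""
# DKIM passes, but for an unrelated signing domain; SPF fails outright.
SPOOFED = """\
Authentication-Results: mx.example.net; dkim=pass header.d=bulk-mailer.example; spf=fail smtp.mailfrom=paypal.com
From: "PayPal" <service@paypal.com>
Subject: Please verify your account

Log in within 24 hours.
"""
# A header the sender wrote themselves: the authserv-id is not our server.
FORGED_HEADER = """\
Authentication-Results: mx.attacker.example; dkim=pass header.d=paypal.com
From: "PayPal" <service@paypal.com>
Subject: Please verify your account

Log in within 24 hours.
"""

if __name__ == "__main__":
    for label, sample in (("legit", LEGIT), ("spoofed", SPOOFED), ("forged", FORGED_HEADER)):
        print(label, "->", verified_sender(sample, "mx.example.net"))
```

The authserv-id check is the part that matters in practice: a receiving server should also strip any Authentication-Results header that claims its own name before it adds its own, otherwise the forged-header case above would pass.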
Those scammers are getting trickier. Good to have a refresher!
In light of what John Kirk said, one thing to do is whenever you sign up for any type of account is to take down the customer service number right away. If you get ANY e-mail asking for ANYTHING and you are unsure, just call the number.
999/1000 Those e-mails are scams. Why would anyone need to “verify” an account anyway? And of course, if a company did “lose” your info, as a result of an upgrade (or whatever reason one may claim), you need to be calling them anyway.
You should never have to correspond with a company in that manner. If anything, you should be alerted the next time you log in.
Very informative.
General rule I live by:
If it doesn’t seem “right”, it probably isn’t.
Good post.
A relatively easy way to determine if a message you received is legitimate or not is to call the company or organization that sent you the message via a publicly accessible (i.e., posted online) customer service number to follow up.
As has been mentioned in several comments, do not click through the email itself – and if it sounds scammy – it probably is.
Wombat Security offers a game that teaches employees and customers how to avoid phishing scams with anti-phishing Phil. You can swim over a worm to reveal its URL and then decide if it is a legitimate web address or a fake. Play part of the game here: http://wombatsecurity.com/antiphishing_phil/index.html.
Very accurate information. I remember we got hit by some large fraudulent orders when running an online ecommerce store. The folks whose credit cards were used got their money back from the bank but as a business, you’re always at a risk, so we lost the products and didn’t get paid either. That sucks. It’s important to safeguard yourself and get your PayPal account verified and addresses confirmed before you start shopping around. And like they say, they will always refer to you by your first and last name and will never ask you to enter your email address and password in an email. I really feel sorry for those who get ripped off. I wonder what happens to those people…?