What is phishing, vishing, and SMShing?
A few days before Christmas, I was having lunch out when I opened an email that appeared to come from American Express:
“Please click this link to authorize a recent charge on your account.”
“Well, that’s weird,” I thought. I hadn’t used my American Express card in several months.
I was stunned as I read the rest of the email. They wanted me to confirm a purchase that was definitely not made by me — a $5,500 order at an online Apple store. And I totally panicked. I mean, I freaked. Someone was obviously going on a wild online shopping spree with my credit card information, right? I had to put a stop to it right that second.
Since I didn’t want to sort it out through email, I chose to call American Express directly with the number on the back of my card. And once I did, I was relieved to find out that the email I received wasn’t actually from American Express at all. Nope, according to the rep I spoke with, the email was just one of the many phishing scams that are currently being perpetrated against American Express and their customers.
But, what exactly is a phishing scam? After getting off the phone, I did a little bit of research to find out what was going on. What I discovered is that tech-savvy scammers are coming up with inventive ways to trick consumers into handing over their personal information. As the FDIC puts it, a “phishing scam” is a scheme that “encompasses fraudulently obtaining and using an individual’s personal or financial information.”
Types of phishing scams
In today’s Internet-connected world, phishing scams are on the rise — and the variety of scams is amazing. Many originate in email form, asking unsuspecting consumers to hand over their personal information for the purpose of verifying their identity, updating their information, or, as in my case, confirming a suspicious-looking purchase on their account. Once they get you to click on the link to their fraudulent website, however, they’ll ask you a whole range of questions under the guise of consumer safety. It’s all a lie and they can only hope that you’ll play along and fall for it. In the meantime, they’re busy plotting to steal your identity or access your accounts.
Unfortunately, I would soon find out that scams like this aren’t limited only to email.
A few weeks after receiving the fraudulent American Express email, I was on the receiving end of a phishing scam for the second time. It all started when I received a legitimate-sounding voice mail from Chase Bank stating that I needed to call to verify my account. I was skeptical at first, but I do have several Chase accounts, including a mortgage. So I called the 1-800 number they left on my voice mail. However, while I was on hold, I did a quick Google search for the number to determine that it was, in fact, a Chase number.
And it wasn’t.
My quick Internet search uncovered that it was another phishing scam designed to get my personal information in the sneakiest way possible. So I hung up and called the number on the back of my Chase card instead.
“There’s nothing we can do,” said the operator at Chase fraud protection. “We take the number and their information and keep track of it, but we can’t stop these people,” she said. “There are just too many of them.”
Phishing scams gone wild
With the recent data breach at Target stores that affected an estimated 40 million individuals, many, if not most, people have become rightfully concerned about the safety of their personal financial information. This includes, but is not limited to, our bank account numbers, Social Security numbers, credit card numbers, and other information that could prove helpful to someone who wants to rob us blind, or worse. And with scams coming at us from nearly every direction, it’s becoming hard to know whom to trust.
I recently reached out to Curtis Arnold, editor-in-chief of CardRatings.com, in an effort to see what steps I could take to avoid phishing scams altogether. Unfortunately, I learned that there is nothing anyone can do to avoid being targeted, at least short of not having any sort of presence in the financial world or online. Instead, we must learn to identify phishing scams if we have any hope of avoiding them. According to Arnold, phishing emails usually have at least one of these telltale signs:
- An urgent tone: “Phishing emails usually have an urgent tone and warn of terrible consequences,” says Arnold. The details vary from scam to scam, but they often include threats of account closure, lost funds, or unauthorized purchases.
- An unfamiliar salutation: According to Arnold, an email that starts with “Dear Customer” or “Dear Valued Client” is most likely a phishing email.
- Bad grammar and spelling errors: Scammers whose first language is not English may struggle to create an email that is free of errors or awkward wording.
- A fake logo: Although tech-savvy scammers may get close to re-creating a logo, it’s often different enough that it can be noticed by the naked eye.
According to Arnold, these types of scams frequently take the form of a phone call (vishing), like the call I received, as well as a text message (SMShing). But no matter how you are contacted, the telltales are the same.
How to protect yourself from phishing scams
While we can’t prevent being targeted by scam artists, we can protect our personal and financial information by taking the proper precautions when dealing with unsolicited phone calls or emails.
“The first step should always be to call the bank, credit card company, or retailer from whom the email is from and ask. You can also mouse over the links and see if they look legit,” says Arnold.
“Anyone who calls or emails and asks for your account number or Social Security number should also raise red flags,” he adds. “If you call your bank, they are likely to ask for a variety of information to locate your account and verify that you are who you say you are. But, it’s highly unlikely that they would call you and ask for sensitive information and even less likely that they would ask via email,” he says. “If you get a call like that, hang up and call the number on the back of your card.”
It’s also important to monitor your credit report for errors, which can be done easily and for free by accessing annualcreditreport.com. Another way to protect yourself is by tracking all purchases on your accounts closely online, says Arnold.
“If your information is compromised, you’ll want to know as soon as possible so you can notify the bank.” This part can be critical to ensure that you’re not on the hook for any fraudulent charges to your account.
The bottom line is this: Phishing scams aren’t going anywhere. In fact, it’s likely that they’ll only become more sophisticated and harder to detect. Learning to recognize a scam and avoid it is, unfortunately, all that anyone can do to protect themselves. As criminals continue to come up with creative and innovative ways to exploit us, we must become wise.
Have you ever been on the receiving end of a phishing email or phone call? Do you know anyone who has been a victim of a phishing scam?
There are 72 comments to "What is phishing, vishing, and SMShing?".
This is an important topic for personal finance blogs. Around the time Bush approved the economic stimulus plan, several phishing scams sent out invited you to enter your Social Security number to “claim your stimulus check immediately.” I’m sure thousands of people fell for it.
One thing I do is mouse over the links in my email client. If they go to a domain name that doesn’t match the domain name I’m familiar with, I don’t click on them. If you’re not sure, best to delete the email and just log in at the site you always log in at.
-Erica
I just sent an email to paypal after reading this entry and got a very nice note from them thanking me for my efforts to prevent phishing. It was a bit hard to find the address (which is [email protected]) but I feel that I’ve done my bit to keep the internet clean today.
It was actually refreshing to read this post this morning. It had the personal finance edge to it, but wasn’t heavily weighted toward it. A change of pace was nice!
I like the way Vanguard adds an extra layer of security to your account. When you sign up for an account, the site gives you a picture and asks you to caption it. Later, when you put in your username, it shows you your picture and caption before you put in your password.
I get phishing emails from “my bank” every few weeks. At first, I forwarded them to my bank, but my bank sent an email back saying that it was a phishing scam and my security info was in grave danger, but it’s not like I fell for it, so I’m at no risk (except someone may know where I bank). Now I just delete them.
I use a simple rule: *Never* use a link in an e-mail if it’s a site that requires you to log in. *Always* type the URL in manually.
A long read and not exactly a phishing scam, but this is one of my favorite stories from the net (some language NSFW):
http://www.zug.com/pranks/powerbook/
A couple of forum members gang up to scam an eBay scammer.
I’d be suspicious of the “luck of the timing.” Given the sophistication of targeted advertising I’d not be surprised if the phishers had access to or knowledge of your activity. Not the specifics, but at least that you’d been visiting the site.
I’d like to expand on #6 cph’s comment.
Rule 1: Never click on a link in an email from “your bank” always type the URL manually.
Rule 2: Never click on a link in an email from “your bank” always type the URL manually.
Rule 3: If you receive an email that urgently asks for your information go back and read rules #1 and 2.
Phishing scams have hit my university the past couple of years. They pose as though they are the help desk saying they need their username and password to complete some account settings or maintenance. They looked legitimate and got at least a handful of accounts.
Watch out for these phishing scams!
Just as an addition to the “what is phishing?” section…
Phishing is a type of hacking that falls into the ‘social engineering’ category. The idea is that the scammer sends out many mails in the hope that one unlucky mark will bite – just like fishing. The ‘ph’ prefix comes from a term in the early days of hacking – phreaking – where hackers used various techniques, both social and technical to access the telephone network for, amongst other things, free calls.
Interesting term and phenomenon. Seems to prey on people’s impulses and stupidity.
Why can’t the “phisher” just use spell-checker and write with proper grammar is a mystery.
Just stop buying things on impulse and read everything. Join me this austerity September and buy nothing!
#8 My brother and I have noticed this as well… it always seems to be impeccably timed… especially revolving around paypal!
Great article here Baker.
The best advice I can give as an Information Technology Manager mirrors what you mention in your post, and what Erica (comment #1) mentioned…
Thanks for the post! I try to be really careful, but I did not realize phishing got so sophisticated. I thought that typos, irregular spacing, etc. would tip me off if this ever happened to me, but it didn’t occur to me that scams were this advanced, for some reason. And the eerie timing is just frightening. I emailed your article to a few people I know. You can just never be too careful.
I will repeat this because it’s the best way to defend against this. Always go to your banking website by your own bookmarks or typing in the address bar. Don’t use a link in the email no matter the convenience and NEVER enter confidential information in an email or outside site. Great Post.
I’ve received similar PayPal emails, but since I don’t have a PayPal account, I’ve never fallen for it.
I usually hover over the link and check the URL – that is the quickest way to see the email is bogus.
Even legit emails I get – ex: telling me my monthly bank statement is available – I go to my bookmark (or type the URL) and log in there rather than clicking anything in the email.
Oops.
Baker left a reply to several comments, but I accidentally deleted his post. Sorry folks. And now he’s probably asleep. It’s 3am in New Zealand!
@ erica – That’s another great example of an event-based phishing scam. Got to be careful for these type of one time surges.
@ Cathy – Thanks for providing that e-mail, it’s something I definitely should have included above. You’ve done your part ;-).
@ cph – That’s a great rule of thumb
@ Tyler – Haha, thanks for linking to that story. Refreshing to read.
@ Linear Girl – I found it suspicious, too. I’ve not ruled out the possibility of what you suggest, but I can’t think of any way to know or anything to do differently. For now, I’ll just closely monitor the account.
@ David – I didn’t think of Universities, but that’s great to point out. I’m sure it’s rampant there.
@ Tom – Great summary of phishing. I actually didn’t realize that the ‘ph’ originally came from phreaking. Thanks!
@ ebyt – Don’t sweat it. If I’m being totally honest, this was the first time I really have seen an authentic attempt face-to-face. I didn’t realize how people could fall for them until I got this one!
Also, lots of people backing up creating your own trusted bookmarks. This is a great way to still save time, but add a touch of security. Sweet tips.
Very great article, I work at a university environment and we are constantly faced with spam and phishing email issues. You would think people would not fall for it anymore, you will be surprised how easily people share their email passwords over email because someone is asking them urgently.
– Roozbeh
Adam–I must have gotten the same PayPal message you did, and it happened last week. The email said–ironically–“We have observed activity in this account that is unusual or potentially high risk.”
Then there was an attachment that looked exactly like the PayPal website asking for ALL of my personal information. But it got worse…
Later that same day, I got a similar email from my bank, again noting suspicious account activity, with an email attachment that was a dead ringer for my bank’s website. At this point I called my bank, thinking there may be something going on since two of my accounts were showing issues. There could have been a legitimate security theft issue.
The bank promptly told me it was fraudulent and to report it to their fraud department, which I did.
Fortunately, I didn’t respond directly to either email due to the generic nature of the sources and the fact that they asked for extremely detailed information, of the kind that each company should have on file to begin with.
But the fact that it was done so convincingly with two accounts shows how sophisticated the phishers have become. If only they could take that obvious talent and apply it to something legitimate…the possibilities of what they could produce are mind boggling!
Loved this post Baker – thank you!
Oh man that’s nothing at all what I assumed a phisher looked like. He’s wearing a tie and everything. I assumed a phisher would be an amorphous inhuman blob. They definitely seem robotic in the language of some of their lamer attempts.
But your Paypal story certainly is alarming. I feel like that’s something I would’ve almost fallen for. I wonder how they even knew you were changing your email (or was it a coincidence?). I keep getting emails from my bank addressed to “Jacob E. Busk” which is CLOSE to my name (not really) but definitely no cigar. I hope phishing doesn’t become as prevalent as trashy forwards were in the late 90s…
Paypal makes itself a prime target for Phishing. Since they send links through their own emails, it’s not odd to receive a fake Paypal email with links in it!
At least this is the case for the “confirm your e-mail address” you get when you sign up.
You can log in and enter the numeric code they send directly into your profile, but the fact that they send links just invites trouble.
DON’T BE FOOLED if the link text looks like the real url!! HTML can be used to disguise the true destination of a link.
For example, here is a link to Google: http://www.google.com
But if you click it, you go to Yahoo! Phishers can very easily make a link to their site look like the true url of your bank.
@ Jack – Even scammers have a dress code ;-).
@ Micheal – That’s a great observation. Actually many companies do that when confirming set-ups. Ironically, they use the same tactic as the scammers, because both know it helps increase the number of people who end up clicking/confirming.
@ Courtney – Also a good point. Several people have suggested hovering over the link to check where it *actually* links to, but there are even creative ways to mask this. Many websites do this to hide affiliate links, etc…
I got two email notices from the “IRS” about a tax underpayment / fraud application today. With a convenient link to click on to get the details, of course.
(sigh)
I was recently hooked by one of the phone scams, and it really sucked. I called my bank a few moments after I got the call because it felt weird, and nothing was stolen but my dignity.
I wrote about it on Momknewbest.blogspot.com
Several years ago when I would get phishing emails all the time, I would submit nasty messages to the phishers in the username/password fields they would provide in the email.
A bit childish, but it gave me more satisfaction than just forwarding to the fraud dept.
Phishing scams are only increasing due to the economic environment. And the scams are becoming more elusive. For example, some work environments have their own IT staff under a certain name and many are now calling claiming they are from the department and asking for a password or your e-mail will be shut off. I think most are now immune to the countless spam messages. Yet on the phone, surprisingly many people will give out their password. Once this is done, someone can access an account with usually sensitive information.
The IRS scam is prominent as well as some have indicated. I usually get these around tax filing time. They normally come under the guise of the local taxing authority. In California for example they will claim they are the Franchise Tax Board and explain how I have unclaimed funds and usually ask for your Social Security number and name on a dummy web site.
Great post. One thing that I didn’t see mentioned in the article or in the comments is that legitimate emails from both Paypal and Ebay will always address you by your first and last name when emailing you. The phishers always address you as “valued customer” or something along those lines.
A few people have recommended typing the URL yourself (or using a saved bookmark), which is good advice. However, I came across a situation a while back where someone’s PC was infected with a virus, and it updated the HOSTS file. Without getting too technical, that meant that it automatically redirected her to a different website when she typed in the bank’s URL herself; fortunately, she noticed that it looked different, and called me for help. Even if your computer is clean, the same thing could happen if you use a DNS server that’s been compromised, e.g. a wireless router. So, keep your eyes open!
SSL certificates can also help with this, although my bank (Lloyds TSB) doesn’t handle them very well, e.g. this website works:
http://www.lloydstsb.com/ (legitimate but insecure)
but this one doesn’t:
https://www.lloydstsb.com/ (would be secure if it worked)
“Phishing is relatively young. The first major cluster of phishing activity focused on obtaining information through America Online accounts only 15 years ago.”
Doesn’t that put the start of phishing around 1994, which is before the majority of people got online, and before online banking really took off? So to most people phishing’s been around as long as the internet. It’s more like, as long as there’s been a way to fool people into giving up their personal details, phishers have been doing it.
I’m amazed by how many people still get fooled by these things. Rule #1 of internet: never respond to spam to get removed off email lists; rule #2: never believe any email that provides you a link and asks you to log in.
I would add one bit of advice to avoid falling prey to “phishers”. That is, Use Your Head!!!
I am not saying that all of these types of attempts are obvious and blatant, but as long as we all realize that these types of thieves are out there, and we do our best to not make it easy for them, and again, use your head, for the most part, you should be just fine.
Be vigilant, keep your eyes wide open, and always keep in mind that the internet is a very very public place.
For all the Firefox users out there you should use the Web of Trust add on https://addons.mozilla.org/en-US/firefox/addon/3456
Members mark websites as good or bad and if you stumble across something that has been rated as dangerous a big warning will pop up before loading the page. Very useful for avoiding being tricked by phishing attacks.
Thanks for the helpful tips. I recently received an email (supposedly from paypal) which seemed like it could be such a scam. I saved it and didn’t do anything with it. Reading your article confirmed this email is probably in fact a scam to obtain my personal information. When I checked my paypal account (by logging in directly on their website) everything was fine. Here is a small excerpt from the email:
We recently received a report of unauthorized credit card use associated with this account. As a precaution, we have limited access to your PayPal account in order to protect against future unauthorized transactions. Please download the form attached to this email and open it in a web browser. Once opened, you will be provided with steps to restore your account access. We appreciate your understanding as we work to ensure account safety.
This is a scarily eye-opening post. I don’t remember ever reading a blog post ever so carefully. I will take heed and keep myself out of problems because of ignorance and not being observant enough. Thanks, man. I think that I will link to it in my blog (I will notify you first).
In GMail there exists a lab gadget called “Authentication icon for verified senders” which indicates whether an e-mail can be verified. Currently only works for PayPal and eBay, but it is still very handy. None of the phishing attempts ever get through!
Those scammers are getting trickier. Good to have a refresher!
In light of what John Kirk said, one thing to do is whenever you sign up for any type of account is to take down the customer service number right away. If you get ANY e-mail asking for ANYTHING and you are unsure, just call the number.
999/1000 Those e-mails are scams. Why would anyone need to “verify” an account anyway? And of course, if a company did “lose” your info, as a result of an upgrade (or whatever reason one may claim), you need to be calling them anyway.
You should never have to correspond with a company in that manner. If anything, you should be alerted the next time you log in.
Very informative.
General rule I live by:
If it doesn’t seem “right”, it probably isn’t.
Good post.
A relatively easy way to determine if a message you received is legitimate or not is to call the company or organization that sent you the message via a publicly accessible (ie posted online) customer service number to follow-up.
As has been mentioned in several comments, do not click through the email itself — and if it sounds scammy — it probably is.
Wombat Security offers a game that teaches employees and customers how to avoid phishing scams with anti-phishing Phil. You can swim over a worm to reveal its URL and then decide if it is a legitimate web address or a fake. Play part of the game here: http://wombatsecurity.com/antiphishing_phil/index.html.
Very accurate information. I remember we got hit by some large fraudulent orders when running an online ecommerce store. The folks whose credit cards were used got their money back from the bank but as a business, you’re always at a risk, so we lost the products and didn’t get paid either. That sucks. It’s important to safeguard yourself and get your PayPal account verified and addresses confirmed before you start shopping around. And like they say, they will always refer to you by your first and last name and will never ask you to enter your email address and password in an email. I really feel sorry for those who get ripped off. I wonder what happens to those people…?
I hate phishing scams for a multitude of reasons, all in addition to the fact there is a need to spell it with a “ph”… is there some other animal based fishing scam we need to visually distinguish it from? Anyway…
I think phishing will only increase as technology moves towards more mobile and personal platforms. I fully expect “phishers” to know my name, my lifestyle and preferences and loved ones. It’s like evil Google.
Exactly. With travel scams, crooks often look at people’s social media accounts to find out when and where they’re travelling. It makes all those “I’m stuck in this country and need you to wire money to me” scams all the more plausible.
I remember reading somewhere that scammers are often early adopters of new technology. Those phoney, badly written emails leave the impression that scammers are behind the times, but that’s not the case.
That is why I never post my travel plans on Facebook or my blog except in vague terms. It’s a bit tricky since I live overseas, but I’d hope that my friends and followers would know by now that if they saw a random “send money now” message that they’d know that I’m well looked after in my country of residence.
All good tips! But in recent years, scammers have gotten more sophisticated. They can copy the HTML code of a legitimate bank email, download the logo and use better grammar than they did in the past. Just because an email looks legit, doesn’t mean it is. Sometimes, you can “hover” over the links with your mouse and see that those links have nothing to do with your bank.
I never do what I’m told 😉 If I see a suspicious email or receive a suspicious phone call, I’ll go to the financial institution in question’s website to see if they have any fraud warnings posted. If I’m at all concerned, I’ll look up the phone number (either on the website or the back of my card) and call them myself.
I take caution on any incoming emails. Selling online I get many incoming emails, I do answer each one. One of the things I have noticed is an increase in people asking for donations of items I have for sale. While I do donate, I do not donate to charities I have never heard of, cannot find a physical address for or just are too far out there. The charity I give to the most is the Salvation Army.
You can usually check out the hyperlinks also. They will link to something that looks official, but is usually not the main site. So, instead of linking to AmericanExpress.com it will link to AmericanExpress.ResolveIssues.com – that’s a dead giveaway!
We get calls at home all the time from operators stating they are calling from Microsoft and there is an issue with our PC. It’s a scam where they want you to click on a link for their software and it costs $ to have it removed from your PC. I tell them I don’t own a PC and they hang up. I report the number to the National do not call list and it seems to help.
I have gotten those types of calls-they claim my computer is sending out error messages. I assume they want to hack my computer.
My 83yr old mother received one of those calls, and right away she said to the person on the phone “you’re trying to get some money..I know you’re not calling from Microsoft. Don’t call me back!!” She may forget a lot of things as she gets older, but she certainly doesn’t forget to protect her money God love her!
These calls come and go for us, but I find them both maddening and hysterical. . .I have no Windows computers in my house – I use Linux.
I did have some friends succumb to the scam, too. Fortunately, their bank caught it, and I cleaned their computer of the program they were using.
Note: The program they use is a variation of program VNC. VNC is a legitimate program that enables tech support people to sign into a client’s computer to fix it. These scum-dwellers modify it to their own evil ends.
I know this is off topic, but I’ve read that one should be cautious about sharing one’s SS# with even legitimate entities, like doctor’s offices. All of my doctors want SS#’s but I leave that section blank in the registration forms and they never protest. I don’t know WHY they want it…maybe for insurance reasons?
When I moved back to Anchorage I got a new dentist and politely declined to give my SS#. The young woman at the desk kept repeating what I assume was a script they gave her, and I kept politely saying, “I don’t share my Social.”
Did they refuse to see me? Of course not.
More on that here:
http://www.forbes.com/sites/kellyphillipserb/2013/10/21/losing-your-identity-in-five-easy-steps-step-one-go-to-the-doctor/
Also look at the email address it is coming from. It might look legit but at the end of the email address, I have noticed /uk which means it is from Britain not the US. So watch where it is coming from and immediately know it is scam.
The latest ones that we have been getting purport to suggest that we have filed a complaint through a court such as New York and we need to verify our “complaint”, or we receive an eviction notice through email or we receive utility bills from providers that we are not in their provider area such as PG&E.
Here’s another nasty variation:
http://www.theguardian.com/money/blog/2013/jul/29/courier-scam-lose-money-bank-cards
Never heard of this one before and I thought I’d heard them all. Thanks for sharing.
The big reason you caught this Holly is because you know what you’ve spent money on and keep good records. You knew that you had not used the AMEX in a couple of months so this solicitation stood out as weird to you and piqued your alert level. (It was also a large purchase which I’m surprised about. It would seem like a smaller amount would slip by easier.) These type of schemes are successful because so many people are not aware of their spending patterns or what their spouse is doing.
Actually, in this case, the phishers wanted Holly to recognize the charge as incorrect and panic about it so she would immediately click on their link. If it had been a small amount that she may not have recognized as incorrect, she wouldn’t have been as inclined to take action.
What drives me crazy is that Capital One sometimes randomly calls me to ask for very personal info to verify identity (last 3 home addresses, SS#, mother’s maiden name, previous phone numbers…basically the answer to every security question you’d ever come across). They say there’s been some kind of breach and they need to confirm details. I know–it sounds totally sketchy. I’m never sure whether the person is legitimate or not. Sometimes I ask to call back and get their number off their website, and when I do and call them at their general number, it really is legitimate. Other times I quiz THEM on my account to see if they are the actual bank…”What other credit cards do I have open with you? What was my balance last month? When did I post payment?” So far everything has panned out, but it always leaves me shaken. I wish they’d send me a secure message in my online account or something to let me know a real call was coming. There has to be some kind of better way than this.
I was once asked to name the highway near my house when verifying my account during a help call.
Problem was I hadn’t lived in the city they were referencing for almost 20 years…I would have had to google it too (which is what I think the rep was doing). Those of us who are mobile or change passwords often might not be able to answer the right challenge questions.
No wonder tech help at large companies will be forgiving when you don’t have all the right answers, which leads to ID theft as well.
YES! I received a call just like this from Ally Bank a couple weeks ago — out of the blue, they call (actually the rep called it “Allied Bank” the first time she identified herself) and ask me to verify my identity by answering my security questions. I declined to speak with them and then called the real bank to check if it was a legit call. I couldn’t believe that it was real!
I never believe any phone call or email. If I do not recognize it I will not open it and delete immediately. If by phone I get their name and department and then hang up on them and call the number on the back of my credit card and let them transfer me over. If they cannot then they need to send me snail mail. I have also cancelled over 50 percent of my credit cards, as I have determined it is only more exposure (and I really do not need them).
It’s gotten so bad I pretty much assume every email that makes me scratch my head even a little is a scam. I got an email from Scottrade once about some investment tender offer thing. It seemed phishy (haaaa) to me, but it contained the last 3 of my account number and details about the stock. So I called Scottrade. Turns out, it wasn’t a scam, but still.
I got an email from a zookeeper in Australia once; it was a follow-up job interview email obviously meant for another Kristin Wong. I Google searched that email, sender name and URL for a good while before I decided to email and let her know she got the wrong person.
When it comes to this kind of stuff, it’s best to err on the side of caution.
I work as an Information Security professional and deal with phishing attempts within my organization on a daily basis. In addition to technical security controls that protect against phish, the message we routinely communicate to computer users is PAUSE, THINK, ASK.
PAUSE and read an e-mail (scrutinize sender, subject, and message content). Read the message and THINK about whether it makes sense. ASK — call the sender directly, or ask the IT Department to confirm the validity of the e-mail. For a personal e-mail, I would suggest forwarding the e-mail to a tech-savvy friend who could help confirm its validity; my parents often forward me suspicious e-mails.
A phishing attack can get really nasty and hard to detect if someone is targeting you specifically. The smartest people fall for phish — even IT Security companies are hacked because of phish attacks. The best defense is ongoing education and awareness.
Be careful! They don’t always pretend to be from your bank or credit card. I just read an article about people being scammed from a fake funeral home! Phishers got the name and likeness of a real funeral home and emailed out a condolence letter with a link that supposedly led them to more information on the loved one that passed away. Instead, it downloaded malware.
I’ve “missed” quite a few calls from random places where I know nobody (Antigua being one of them). It’ll ring once then hang up. If you call back, they’ll charge you an arm and a leg per minute. I typically don’t pick up calls from numbers I don’t recognize and don’t call any random missed calls back, but again, be careful!
That’s pretty messed up.
The email scams are getting better and better all of the time. At first the “from” address or the sender name would set off a red flag; not so anymore. Now I usually catch them by misspelled words. Though if I do have doubts, I never, ever click on the link. I open a new window and log into my account from there or call.
We recently had a check for $140 cashed by someone other than the institution it was intended for. The check was sent through our credit union’s online bill pay program and we haven’t been able to determine how it happened yet, but it’s another form of fraud. If I hadn’t caught it purely by chance (I realized I had accidentally overpaid the account and called to get a refund) we would have been charged hundreds of dollars worth of late fees due to the nature of the bill we were paying. Fraud happens in all sorts of ways.