What is phishing, vishing, and SMShing?

A few days before Christmas, I was having lunch out when I opened an email that appeared to come from American Express:

“Please click this link to authorize a recent charge on your account.”

“Well, that's weird,” I thought. I hadn't used my American Express card in several months.

I was stunned as I read the rest of the email. They wanted me to confirm a purchase that was definitely not made by me — a $5,500 order at an online Apple store. And I totally panicked. I mean, I freaked. Someone was obviously going on a wild online shopping spree with my credit card information, right? I had to put a stop to it right that second.

Since I didn't want to sort it out through email, I chose to call American Express directly with the number on the back of my card. And once I did, I was relieved to find out that the email I received wasn't actually from American Express at all. Nope, according to the rep I spoke with, the email was just one of the many phishing scams that are currently being perpetrated against American Express and their customers.

But, what exactly is a phishing scam? After getting off the phone, I did a little bit of research to find out what was going on. What I discovered is that tech-savvy scammers are coming up with inventive ways to trick consumers into handing over their personal information. As the FDIC puts it, a “phishing scam” is a scheme that “encompasses fraudulently obtaining and using an individual's personal or financial information.”

Types of phishing scams

In today's Internet-connected world, phishing scams are on the rise — and the variety of scams is amazing. Many originate in email form, asking unsuspecting consumers to hand over their personal information for the purpose of verifying their identity, updating their information, or, as in my case, confirming a suspicious-looking purchase on their account. Once they get you to click on the link to their fraudulent website, however, they'll ask you a whole range of questions under the guise of consumer safety. It's all a lie and they can only hope that you'll play along and fall for it. In the meantime, they're busy plotting to steal your identity or access your accounts.

Unfortunately, I would soon find out that scams like this aren't limited only to email.

A few weeks after receiving the fraudulent American Express email, I was on the receiving end of a phishing scam for the second time. It all started when I received a legitimate-sounding voice mail from Chase Bank stating that I needed to call to verify my account. I was skeptical at first, but I do have several Chase accounts, including a mortgage. So I called the 1-800 number they left on my voice mail. However, while I was on hold, I did a quick Google search for the number to determine that it was, in fact, a Chase number.

And it wasn't.

My quick Internet search uncovered that it was another phishing scam designed to get my personal information in the sneakiest way possible. So I hung up and called the number on the back of my Chase card instead.

“There's nothing we can do,” said the operator at Chase fraud protection. “We take the number and their information and keep track of it, but we can't stop these people,” she said. “There are just too many of them.”

Phishing scams gone wild

With the recent data breach at Target stores that affected an estimated 40 million individuals, many, if not most, people have become rightfully concerned about the safety of their personal financial information. This includes, but is not limited to, our bank account numbers, Social Security numbers, credit card numbers, and other information that could prove helpful to someone who wants to rob us blind, or worse. And with scams coming at us from nearly every direction, it's becoming hard to know whom to trust.

I recently reached out to Curtis Arnold, editor-in-chief of CardRatings.com, in an effort to see what steps I could take to avoid phishing scams altogether. Unfortunately, I learned that there is nothing anyone can do to avoid being targeted, at least short of not having any sort of presence in the financial world or online. Instead, we must learn to identify phishing scams if we have any hope of avoiding them. According to Arnold, phishing emails usually have at least one of these telltale signs:

  • An urgent tone: “Phishing emails usually have an urgent tone and warn of terrible consequences,” says Arnold. The details vary from scam to scam, but they often include threats of account closure, lost funds, or unauthorized purchases.
  • An unfamiliar salutation: According to Arnold, an email that starts with “Dear Customer” or “Dear Valued Client” is most likely a phishing email.
  • Bad grammar and spelling errors: Scammers whose first language is not English may struggle to create an email that is free of errors or awkward wording.
  • A fake logo: Although tech-savvy scammers may get close to re-creating a logo, it's often different enough that it can be noticed by the naked eye.

According to Arnold, these types of scams frequently take the form of a phone call (vishing), like the call I received, as well as a text message (SMShing). But no matter how you are contacted, the telltales are the same.

How to protect yourself from phishing scams

While we can't prevent being targeted by scam artists, we can protect our personal and financial information by taking the proper precautions when dealing with unsolicited phone calls or emails.

“The first step should always be to call the bank, credit card company, or retailer that the email is from and ask. You can also mouse over the links and see if they look legit,” says Arnold.

“Anyone who calls or emails and asks for your account number or Social Security number should also raise red flags,” he adds. “If you call your bank, they are likely to ask for a variety of information to locate your account and verify that you are who you say you are. But, it's highly unlikely that they would call you and ask for sensitive information and even less likely that they would ask via email,” he says. “If you get a call like that, hang up and call the number on the back of your card.”

It's also important to monitor your credit report for errors, which can be done easily and for free by accessing annualcreditreport.com. Another way to protect yourself is by tracking all purchases on your accounts closely online, says Arnold.

“If your information is compromised, you'll want to know as soon as possible so you can notify the bank.” This part can be critical to ensure that you're not on the hook for any fraudulent charges to your account.

The bottom line is this: Phishing scams aren't going anywhere. In fact, it's likely that they'll only become more sophisticated and harder to detect. Learning to recognize a scam and avoid it is, unfortunately, all that anyone can do to protect themselves. As criminals continue to come up with creative and innovative ways to exploit us, we must become wise.

Have you ever been on the receiving end of a phishing email or phone call? Do you know anyone who has been a victim of a phishing scam?

Erica Douglass

This is an important topic for personal finance blogs. Around the time Bush approved the economic stimulus plan, several phishing scams that were sent out invited you to enter your Social Security number to “claim your stimulus check immediately.” I’m sure thousands of people fell for it.

One thing I do is mouse over the links in my email client. If they go to a domain name that doesn’t match the domain name I’m familiar with, I don’t click on them. If you’re not sure, best to delete the email and just log in at the site you always log in at.

-Erica

Cathy

I just sent an email to paypal after reading this entry and got a very nice note from them thanking me for my efforts to prevent phishing. It was a bit hard to find the address (which is [email protected]) but I feel that I’ve done my bit to keep the internet clean today.

Jessie

It was actually refreshing to read this post this morning. It had the personal finance edge to it, but wasn’t heavily weighted toward it. A change of pace was nice!

Claire

I like the way Vanguard adds an extra layer of security to your account. When you sign up for an account, the site gives you a picture and asks you to caption it. Later, when you put in your username, it shows you your picture and caption before you put in your password.

Emily@Under$1000PerMonth

I get phishing emails from “my bank” every few weeks. At first, I forwarded them to my bank, but my bank sent an email back saying that it was a phishing scam and my security info was in grave danger, but it’s not like I fell for it, so I’m at no risk (except someone may know where I bank). Now I just delete them.

cph

I use a simple rule: *Never* use a link in an e-mail if it’s a site that requires you to log in. *Always* type the URL in manually.

Tyler@Frugally Green

A long read and not exactly a phishing scam, but this is one of my favorite stories from the net (some language NSFW):

http://www.zug.com/pranks/powerbook/

A couple of forum members gang up to scam an eBay scammer.

Linear Girl

I’d be suspicious of the “luck of the timing.” Given the sophistication of targeted advertising I’d not be surprised if the phishers had access to or knowledge of your activity. Not the specifics, but at least that you’d been visiting the site.

JerryB

I’d like to expand on #6 cph’s comment.
Rule 1: Never click on a link in an email from “your bank”; always type the URL manually.
Rule 2: Never click on a link in an email from “your bank”; always type the URL manually.
Rule 3: If you receive an email that urgently asks for your information, go back and read rules #1 and 2.

David@DINKS Finance

Phishing scams have hit my university the past couple of years. They pose as though they are the help desk saying they need their username and password to complete some account settings or maintenance. They looked legitimate and got at least a handful of accounts.

Watch out for these phishing scams!

Tom Garrard

Just as an addition to the “what is phishing?” section…

Phishing is a type of hacking that falls into the ‘social engineering’ category. The idea is that the scammer sends out many mails in the hope that one unlucky mark will bite – just like fishing. The ‘ph’ prefix comes from a term in the early days of hacking – phreaking – where hackers used various techniques, both social and technical to access the telephone network for, amongst other things, free calls.

Financial Samurai

Interesting term and phenomenon. Seems to prey on people’s impulses and stupidity.

Why the “phisher” can’t just use a spell-checker and write with proper grammar is a mystery.

Just stop buying things on impulse and read everything. Join me this austerity September and buy nothing!

Jason B

#8 My brother and I have noticed this as well… it always seems to be impeccably timed… especially revolving around paypal!

Matt Jabs

Great article here Baker.

The best advice I can give as an Information Technology Manager mirrors what you mention in your post, and what Erica (comment #1) mentioned…

ALWAYS LOG INTO WEBSITES DIRECTLY – NOT VIA EMAIL LINKS

I always use my Delicious bookmark links to log into my secure/financial websites.

ebyt

Thanks for the post! I try to be really careful, but I did not realize phishing got so sophisticated. I thought that typos, irregular spacing, etc. would tip me off if this ever happened to me, but it didn’t occur to me that scams were this advanced, for some reason. And the eerie timing is just frightening. I emailed your article to a few people I know. You can just never be too careful.

Brent

I will repeat this because it’s the best way to defend against this. Always go to your banking website by your own bookmarks or typing in the address bar. Don’t use a link in the email no matter the convenience and NEVER enter confidential information in an email or outside site. Great Post.

Kevin M

I’ve received similar PayPal emails, but since I don’t have a PayPal account, I’ve never fallen for it.

I usually hover over the link and check the URL – that is the quickest way to see the email is bogus.

Even legit emails I get – ex: telling me my monthly bank statement is available – I go to my bookmark (or type the URL) and log in there rather than clicking anything in the email.

J.D.

Oops.

Baker left a reply to several comments, but I accidentally deleted his post. Sorry folks. And now he’s probably asleep. It’s 3am in New Zealand!

Baker @ ManVsDebt

You can’t stop me from commenting if you tried! Actually, you easily could, but that’s beside the point… 🙂 @ erica – That’s another great example of an event-based phishing scam. Got to be careful for these types of one-time surges. @ Cathy – Thanks for providing that e-mail, it’s something I definitely should have included above. You’ve done your part ;-). @ cph – That’s a great rule of thumb. @ Tyler – Haha, thanks for linking to that story. Refreshing to read. @ Linear Girl – I found it suspicious, too. I’ve not ruled out the possibility… Read more »

Roozbeh

Very great article. I work in a university environment and we are constantly faced with spam and phishing email issues. You would think people would not fall for it anymore; you will be surprised how easily people share their email passwords over email because someone is asking them urgently.

– Roozbeh

Kevin@OutOfYourRut

Adam–I must have gotten the same PayPal message you did, and it happened last week. The email said–ironically–“We have observed activity in this account that is unusual or potentially high risk.” Then there was an attachment that looked exactly like the PayPal website asking for ALL of my personal information. But it got worse… Later that same day, I got a similar email from my bank, again noting suspicious account activity, with an email attachment that was a dead ringer for my bank’s website. At this point I called my bank, thinking there may be something going on since two of… Read more »

Morgan

Loved this post Baker – thank you!

Jack @ Master Your Card

Oh man that’s nothing at all what I assumed a phisher looked like. He’s wearing a tie and everything. I assumed a phisher would be an amorphous inhuman blob. They definitely seem robotic in the language of some of their lamer attempts. But your Paypal story certainly is alarming. I feel like that’s something I would’ve almost fallen for. I wonder how they even knew you were changing your email (or was it a coincidence?). I keep getting emails from my bank addressed to “Jacob E. Busk” which is CLOSE to my name (not really) but definitely no cigar. I… Read more »

MichaelM

Paypal makes itself a prime target for Phishing. Since they send links through their own emails, it’s not odd to receive a fake Paypal email with links in it!

At least this is the case for the “confirm your e-mail address” you get when you sign up.

You can log in and enter the numeric code they send directly into your profile, but the fact that they send links just invites trouble.

Courtney

DON’T BE FOOLED if the link text looks like the real url!! HTML can be used to disguise the true destination of a link.

For example, here is a link to Google: http://www.google.com

But if you click it, you go to Yahoo! Phishers can very easily make a link to their site look like the true url of your bank.

Baker

@ Kevin – Sounds like the e-mails were very similar. Wasn’t it sort of freaky how authentic it looked? It was most certainly a wake-up call for me. @ Jack – Even scammers have a dress code ;-). @ Michael – That’s a great observation. Actually many companies do that when confirming set-ups. Ironically, they use the same tactic as the scammers, because both know it helps increase the number of people who end up clicking/confirming. @ Courtney – Also a good point. Several people have suggested hovering over the link to check where it *actually* links to, but there… Read more »

Kosmo @ The Casual Observer

I got two email notices from the “IRS” about a tax underpayment / fraud application today. With a convenient link to click on to get the details, of course.

(sigh)

Cibola

I was recently hooked by one of the phone scams, and it really sucked. I called my bank a few moments after I got the call because it felt weird, and nothing was stolen but my dignity.

I wrote about it on Momknewbest.blogspot.com

Tyler@Frugally Green

Several years ago when I would get phishing emails all the time, I would submit nasty messages to the phishers in the username/password fields they would provide in the email.

A bit childish, but it gave me more satisfaction than just forwarding to the fraud dept.

FMM

Phishing scams are only increasing due to the economic environment. And the scams are becoming more elusive. For example, some work environments have their own IT staff under a certain name and many are now calling claiming they are from the department and asking for a password or your e-mail will be shut off. I think most are now immune to the countless spam messages. Yet on the phone, surprisingly many people will give out their password. Once this is done, someone can access an account with usually sensitive information. The IRS scam is prominent as well as some have… Read more »

Soup and Song

Great post. One thing that I didn’t see mentioned in the article or in the comments is that legitimate emails from both Paypal and Ebay will always address you by your first and last name when emailing you. The phishers always address you as “valued customer” or something along those lines.

John C. Kirk

A few people have recommended typing the URL yourself (or using a saved bookmark), which is good advice. However, I came across a situation a while back where someone’s PC was infected with a virus, and it updated the HOSTS file. Without getting too technical, that meant that it automatically redirected her to a different website when she typed in the bank’s URL herself; fortunately, she noticed that it looked different, and called me for help. Even if your computer is clean, the same thing could happen if you use a DNS server that’s been compromised, e.g. a wireless router.… Read more »

Not My Mother

“Phishing is relatively young. The first major cluster of phishing activity focused on obtaining information through America Online accounts only 15 years ago.” Doesn’t that put the start of phishing around 1994, which is before the majority of people got online, and before online banking really took off? So to most people phishing’s been around as long as the internet. It’s more like, as long as there’s been a way to fool people into giving up their personal details, phishers have been doing it. I’m amazed by how many people still get fooled by these things. Rule #1 of internet:… Read more »

yourfinances101

I would add one bit of advice to avoid falling prey to “phishers”. That is, Use Your Head!!!

I am not saying that all of these types of attempts are obvious and blatant, but as long as we all realize that these types of thieves are out there, and we do our best to not make it easy for them, and again, use your head, for the most part, you should be just fine.

Be vigilant, keep your eyes wide open, and always keep in mind that the internet is a very very public place.

David Turnbull

For all the Firefox users out there you should use the Web of Trust add on https://addons.mozilla.org/en-US/firefox/addon/3456

Members mark websites as good or bad and if you stumble across something that has been rated as dangerous a big warning will pop up before loading the page. Very useful for avoiding being tricked by phishing attacks.

Jason @ One Money Design

Thanks for the helpful tips. I recently received an email (supposedly from paypal) which seemed like it could be such a scam. I saved it and didn’t do anything with it. Reading your article confirmed this email is probably in fact a scam to obtain my personal information. When I checked my paypal account (by logging in directly on their website) everything was fine. Here is a small excerpt from the email: We recently received a report of unauthorized credit card use associated with this account. As a precaution, we have limited access to your PayPal account in order to… Read more »

kenyantykoon

This is a scarily eye-opening post. I don’t remember ever reading a blog post ever so carefully. I will take heed and keep myself out of problems because of ignorance and not being observant enough. Thanks, man. I think that I will link to it in my blog (I will notify you first).

Sabine

In GMail there exists a lab gadget called “Authentication icon for verified senders” which indicates whether an e-mail can be verified. Currently only works for PayPal and eBay, but it is still very handy. None of the phishing attempts ever get through!

SimplyForties

Those scammers are getting trickier. Good to have a refresher!

Free Your Mind

In light of what John Kirk said, one thing to do whenever you sign up for any type of account is to take down the customer service number right away. If you get ANY e-mail asking for ANYTHING and you are unsure, just call the number. 999/1000 Those e-mails are scams. Why would anyone need to “verify” an account anyway? And of course, if a company did “lose” your info, as a result of an upgrade (or whatever reason one may claim), you need to be calling them anyway. You should never have to correspond with a company in… Read more »

DDFD at DivorcedDadFrugalDad

Very informative.

General rule I live by:

If it doesn’t seem “right”, it probably isn’t.

Mike

Good post.

A relatively easy way to determine if a message you received is legitimate or not is to call the company or organization that sent you the message via a publicly accessible (i.e., posted online) customer service number to follow up.

As has been mentioned in several comments, do not click through the email itself — and if it sounds scammy — it probably is.

Kristen

Wombat Security offers a game that teaches employees and customers how to avoid phishing scams with anti-phishing Phil. You can swim over a worm to reveal its URL and then decide if it is a legitimate web address or a fake. Play part of the game here: http://wombatsecurity.com/antiphishing_phil/index.html.

Sidd @ Insurance License

Very accurate information. I remember we got hit by some large fraudulent orders when running an online ecommerce store. The folks whose credit cards were used got their money back from the bank but as a business, you’re always at a risk, so we lost the products and didn’t get paid either. That sucks. It’s important to safeguard yourself and get your PayPal account verified and addresses confirmed before you start shopping around. And like they say, they will always refer to you by your first and last name and will never ask you to enter your email address and… Read more »

Snarkfinance

I hate phishing scams for a multitude of reasons, all in addition to the fact there is a need to spell it with a “ph”… is there some other animal based fishing scam we need to visually distinguish it from? Anyway…

I think phishing will only increase as technology moves towards more mobile and personal platforms. I fully expect “phishers” to know my name, my lifestyle and preferences and loved ones. It’s like evil Google.

Beth

Exactly. With travel scams, crooks often look at people’s social media accounts to find out when and where they’re travelling. It makes all those “I’m stuck in this country and need you to wire money to me” scams all the more plausible.

I remember reading somewhere that scammers are often early adopters of new technology. Those phoney, badly written emails leave the impression that scammers are behind the times, but that’s not the case.

Lauren {Adventures in Flip Flops}

That is why I never post my travel plans on Facebook or my blog except in vague terms. It’s a bit tricky since I live overseas, but I’d hope that my friends and followers would know by now that if they saw a random “send money now” message that they’d know that I’m well looked after in my country of residence.

Beth

All good tips! But in recent years, scammers have gotten more sophisticated. They can copy the HTML code of a legitimate bank email, download the logo and use better grammar than they did in the past. Just because an email looks legit, doesn’t mean it is. Sometimes, you can “hover” over the links with your mouse and see that those links have nothing to do with your bank. I never do what I’m told 😉 If I see a suspicious email or receive a suspicious phone call, I’ll go to the financial institution in question’s website to see if they… Read more »

Trudy Connor

I take caution on any incoming emails. Selling online, I get many incoming emails, and I do answer each one. One of the things I have noticed is an increase in people asking for donations of items I have for sale. While I do donate, I do not donate to charities I have never heard of, cannot find a physical address for or just are too far out there. The charity I give to the most is the Salvation Army.

Money Saving

You can usually check out the hyperlinks also. They will link to something that looks official, but is usually not the main site. So, instead of linking to AmericanExpress.com it will link to AmericanExpress.ResolveIssues.com – that’s a dead giveaway!
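The link checks that commenters describe above (comparing a link's visible text with where it really goes, and spotting a brand name used as a subdomain of someone else's site), as an added Python example that is not part of the original article or comments. The trusted-domain list and the sample message are constructed for illustration, and the comparison is a plain suffix match, not a public-suffix-aware one.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None   # href of the <a> currently open, if any
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def href_host(href):
    """Hostname an http(s) link really goes to, or None for other schemes."""
    try:
        parts = urlsplit(href.strip())
        host = parts.hostname
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or not host:
        return None
    return host.lower().rstrip(".")


def text_host(text):
    """Hostname the visible link text claims, if the text looks like a URL."""
    text = text.strip()
    if not text or any(ch.isspace() for ch in text):
        return None          # ordinary wording such as "Review the charge"
    if "://" not in text:
        text = "//" + text   # let urlsplit treat a bare domain as a netloc
    try:
        host = (urlsplit(text).hostname or "").lower().rstrip(".")
    except ValueError:
        return None
    return host if "." in host else None


def belongs_to(host, domain):
    """True if host is the domain itself or one of its subdomains."""
    return host == domain or host.endswith("." + domain)


def strip_www(host):
    return host[4:] if host.startswith("www.") else host


def check_links(html, trusted_domains):
    """Return one finding per link whose destination looks deceptive."""
    parser = LinkCollector()
    parser.feed(html)
    trusted = [d.lower() for d in trusted_domains]
    brands = {d.split(".")[0] for d in trusted}   # e.g. "americanexpress"
    findings = []
    for href, text in parser.links:
        target = href_host(href)
        if target is None:
            continue
        reasons = []
        shown = text_host(text)
        # The text shows one site but the link goes to another.
        if shown and not belongs_to(strip_www(target), strip_www(shown)):
            reasons.append("text-mismatch")
        # A trusted brand name appears as a label of somebody else's domain.
        if not any(belongs_to(target, d) for d in trusted):
            if brands & set(target.split(".")):
                reasons.append("brand-in-foreign-domain")
        if reasons:
            findings.append({"text": text, "target": target, "reasons": reasons})
    return findings


# Constructed sample message built from the two tricks described in the comments.
SAMPLE_EMAIL = """
<p>Dear Customer, please authorize a recent charge on your account.</p>
<p><a href="http://www.yahoo.com/">http://www.google.com</a></p>
<p><a href="http://AmericanExpress.ResolveIssues.com/confirm">Review the charge</a></p>
<p><a href="https://www.americanexpress.com/help">americanexpress.com/help</a></p>
"""

if __name__ == "__main__":
    for finding in check_links(SAMPLE_EMAIL, ["americanexpress.com"]):
        print(finding)
```
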

Brian@ Debt Discipline

We get calls at home all the time from operators stating they are calling from Microsoft and there is an issue with our PC. It’s a scam where they want you to click on a link for their software and it costs $ to have it removed from your PC. I tell them I don’t own a PC and they hang up. I report the number to the National do not call list and it seems to help.

Winterlady

I have gotten those types of calls-they claim my computer is sending out error messages. I assume they want to hack my computer.

Anna

My 83yr old mother received one of those calls, and right away she said to the person on the phone “you’re trying to get some money..I know you’re not calling from Microsoft. Don’t call me back!!” She may forget a lot of things as she gets older, but she certainly doesn’t forget to protect her money God love her!

Priswell

These calls come and go for us, but I find them both maddening and hysterical. . .I have no Windows computers in my house – I use Linux.

I did have some friends succumb to the scam, too. Fortunately, their bank caught it, and I cleaned their computer of the program they were using.

Note: The program they use is a variation of the program VNC. VNC is a legitimate program that enables tech support people to sign into a client’s computer to fix it. These scum-dwellers modify it to their own evil ends.

Laraba

I know this is off topic, but I’ve read that one should be cautious about sharing one’s SS# with even legitimate entities, like doctor’s offices. All of my doctors want SS#’s but I leave that section blank in the registration forms and they never protest. I don’t know WHY they want it…maybe for insurance reasons?

Donna Freedman

When I moved back to Anchorage I got a new dentist and politely declined to give my SS#. The young woman at the desk kept repeating what I assume was a script they gave her, and I kept politely saying, “I don’t share my Social.”
Did they refuse to see me? Of course not.
More on that here:
http://www.forbes.com/sites/kellyphillipserb/2013/10/21/losing-your-identity-in-five-easy-steps-step-one-go-to-the-doctor/
