A phishing attack is when a fraudster poses as a legitimate company and tricks the recipient of an email into revealing personal information. The number of attacks has exploded in recent years, and here’s a not-so-fun fact: in 2004 there were 1,609 phishing attacks a month, and in the last quarter of 2016 this had jumped to 92,564 attacks a month (which is an increase of 5,753%!) [1]
In the old days, these attacks were sometimes easier to spot—for instance, spelling and grammar were often shaky. But today, the fraudsters have gotten quite sophisticated, making it almost impossible to know if an email was really sent by the company it claims to be from.
How did these particular emails trick people?
Consumers are getting more suspicious about emails and texts, but the fraudsters are very good at staying one step ahead. Here’s how they fooled people in the most recent phishing attacks:
- They used HTML attachments. Many people know not to click on unexpected PDF, EXE or DOC files, but HTML attachments haven’t typically been used in email attacks in the past. Plus, financial institutions often use this type of file to send out secure messages and documents. Long story short: even tech-savvy users had (some) reason to believe they were opening a “safe” file.
- They used a URL/website/email format that looked a lot like the real deal. Fraudsters are very good at mimicking real sites/emails or creating a URL that’s very similar to the real one—in some cases they just insert an extra word (like “the”) or one extra letter.
- They pretended to be from a trusted company. In this particular scam, the email came from the person’s financial company. Who wouldn’t want to trust that?
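For readers who filter mail for others, here is a sketch of how the three signals above can be checked automatically. It is an added example, not part of the original article; the trusted domain `examplebank.com`, the function names and the sample message are all made up for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
TRUSTED = {"examplebank.com"}  # assumption: domains you really do business with

def edit_distance(a, b):  # Levenshtein distance between two strings
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(host):
    """Return the trusted domain this host imitates (a letter or two off,
    or the brand name with extra words around it), or None."""
    host = host.lower().rstrip(".")
    if host in TRUSTED or any(host.endswith("." + t) for t in TRUSTED):
        return None  # the real site or one of its subdomains
    base = ".".join(host.split(".")[-2:])  # simplification: two-label domains
    for t in sorted(TRUSTED):
        if edit_distance(base, t) <= 2 or t.split(".")[0] in host.replace("-", ""):
            return t
    return None

def review(raw):
    """List reasons to distrust a raw email message."""
    msg = message_from_string(raw)
    hosts = set(re.findall(r"https?://([^/\s\"'<>:]+)", raw))
    hosts.add(parseaddr(msg.get("From", ""))[1].rpartition("@")[2])
    findings = [f"{h} resembles {lookalike_of(h)}"
                for h in sorted(hosts) if h and lookalike_of(h)]
    for part in msg.walk():
        name = part.get_filename() or ""
        if name and (part.get_content_type() == "text/html"
                     or name.lower().endswith((".html", ".htm"))):
            findings.append(f"HTML attachment: {name}")
    return findings

# Constructed sample message, not a real phishing email.
SAMPLE = (
    'From: "Example Bank" <alerts@theexamplebank.com>\n'
    'Content-Type: multipart/mixed; boundary="b1"\n\n'
    "--b1\nContent-Type: text/plain\n\n"
    "Urgent: sign in at https://www.examplebannk.com/login\n"
    "--b1\nContent-Type: text/html\n"
    'Content-Disposition: attachment; filename="SecureMessage.html"\n\n'
    "<html></html>\n--b1--\n"
)
```

Calling `review(SAMPLE)` flags the sender domain with the extra word, the link with the extra letter and the HTML attachment; a short trusted name would need a tighter distance threshold to avoid false alarms.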
Here’s how you can protect yourself.
Fraudsters are working hard to come up with their next scam, but the following tips can help all of us avoid becoming their victim:
- Be suspicious—especially if the email says something is “urgent.” Fraudsters love to create a sense of urgency. We’re all better off assuming that every email could be a scam and investigating before we act.
- Don’t open email attachments. This is the only real way to avoid launching some sort of malware into your system or giving scammers access to your data. Of course, many of us do get legitimate files as email attachments every day. But if an attachment comes from someone you don’t know or you’re not expecting the attachment—even if it appears to be from someone you do know—it’s a good idea to make sure it’s real before opening it.
- Don’t respond to requests to share or verify your account details. Your financial institution will never ask you to verify your password, credit card information, PIN or other personal data via an email. Period, the end!
Worried there could actually be a problem with your account? Go to the website in question and log in. Don’t use the URL provided in the email: look at what you’ve bookmarked in the past or Google the company and look for a URL that has “https” at the front of it. The “S” means the site uses encryption, which protects your data. As mentioned above, the fake URL in a phishing attack is usually almost identical to the real one.
If you’re really concerned, call the institution. Look for the number on a bill, or on the back of your credit or debit card.
- Search for similar scams. Have you gotten an email that seems like it might not be on the up and up? Enter the name of the business you’re getting the email from plus “scams” or “phishing” and see what pops up. Often, these emails have been sent out to many people and the company is already taking steps to alert its customers.
Think you’ve been tricked? Do this pronto.
If you think you might be the victim of a phishing attack, contact your financial institution immediately to ask for help.
[1] APWG News, Feb. 23, 2017. http://www.antiphishing.org/apwg-news-center/