Identity fraud is running rampant as more consumers turn to digital technology to interact with one another, purchase products and services, and join social media groups, chat groups, and online clubs.
Unfortunately, in doing so, personal data is shared and stored in ways that make those users vulnerable to an onerous form of data theft - phishing.
The problem is only growing, as more personal information is now publicly available on social media channels and websites, and hackers are able to craft targeted phishing attacks that are personalized for the recipient and therefore more convincing and likely to bypass many organizational security systems.
Make no mistake, targeted email attacks, primarily through phishing and pharming scams, represent one of the most critical threats facing both digital consumers and the companies and organizations they join after sharing private information.
The theft of one's Social Security number, bank account or credit card number, or even a breach involving an email password or home address, often leads directly to identity theft.
Thus, taking steps to stop phishing attacks in their tracks is job No. 1 for consumers.
What Is Phishing?
A phishing or spear phishing scam is the practice of sending emails, crafted by an identity fraudster who claims to be from a legitimate company, to steal personal information. Especially useful to fraud artists are user IDs and passwords, which can be used to commit identity theft.
Phishing scams trick web users into downloading an infected file, clicking a toxic hyperlink, or giving up private information, which can lead to identity theft.
The end result of successful phishing attempts differs from one scam to the next. The most common types of attack result in a hacker gaining access to sensitive information (like the password to your online banking site or your email account), access to the information you store on your laptop or mobile device, or even control of your device.
Perhaps that's why phishing scams have earned a spot on the Internal Revenue Service's "Dirty Dozen" financial scams for 2018.
Top 7 Types of Phishing Scams
These variations of phishing scams may be the biggest threats out there in cyberspace right now - that's why you should get to know them, and take action if you see them.
1. "Dear Customer" Email Scams
It's a good idea to be aware of emails that begin with the words "Dear Customer." Normally, companies will use your actual name when sending you an email - it's good business practice and shows the recipient that the company knows their customers. These types of phishing scams depend on you not noticing that your name isn't used in the greeting, and on getting you to click a link that asks you to check on a recent purchase, FedEx delivery, or payment problem, and swallows your data when you do so. Besides the "dear customer" giveaway, always check for other signs of potential fraud attempts, like major grammatical errors or the use of generic terms like "invoice issue" or "payment issue" without being more specific.
The general rule of thumb? If you're suspicious at all about an email, don't open it, and don't open any links inside it.
2. Brand Name Phishing Attacks
Some phishing scams rely on widely recognized brand names to cash in on your trust, as fraudsters use more specific brand name terms like "Walmart," "Visa," "PayPal," or "Apple" just to get your attention, even though those companies aren't trying to reach you. This involves a more sophisticated strategy known as "spear phishing," which targets individuals who could be using a specific credit card, bank, or other online payment system attached to a popular brand name company. Phishing scammers are counting on you to be more likely to open a message that is sent from a familiar company, bank or credit card company. Once you open a message, you're usually asked to "confirm your identity" by clicking on an attachment or link. Once you do so, fraudsters can easily harvest your personal data, using those brand name companies as a hook.
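The warning signs from the "Dear Customer" and brand name sections above can be checked mechanically. The following is an added example, not part of the original article: the brand-to-domain table, the flag names and both sample messages are constructed assumptions, and it handles single-part plain-text mail only.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: brand keyword -> domain its genuine mail comes from.
BRAND_DOMAINS = {"walmart": "walmart.com", "visa": "visa.com",
                 "paypal": "paypal.com", "apple": "apple.com"}
GENERIC_TERMS = ("invoice issue", "payment issue")

# Constructed sample messages (single-part plain text), not real mail.
PHISH = """\
From: PayPal Support <support@paypal-billing.example>
Subject: Payment issue on your account

Dear Customer,

We found a payment issue. Please confirm your identity here:
http://paypal-billing.example/verify
"""
LEGIT = """\
From: PayPal <service@paypal.com>
Subject: Receipt for your payment

Hello Jane Doe,

You sent $20.00 USD. Details: https://www.paypal.com/activity
"""


def triage(raw):
    """Return the warning signs found in one raw plain-text email."""
    msg = message_from_string(raw)
    body = msg.get_payload()
    sender = msg.get("From", "")
    domain = parseaddr(sender)[1].rpartition("@")[2].lower()
    text = "\n".join((sender, msg.get("Subject", ""), body)).lower()
    flags = []
    if re.search(r"^\s*dear\s+customer\b", body, re.I | re.M):
        flags.append("generic-greeting")
    flags += [f"generic-term:{t}" for t in GENERIC_TERMS if t in text]
    for brand, real in BRAND_DOMAINS.items():
        named = re.search(rf"\b{brand}\b", text)
        if named and domain != real and not domain.endswith("." + real):
            flags.append(f"brand-mismatch:{brand}")
    if "confirm your identity" in text and re.search(r"https?://", text):
        flags.append("identity-lure-with-link")
    return flags


if __name__ == "__main__":
    for name, raw in (("PHISH", PHISH), ("LEGIT", LEGIT)):
        print(name, triage(raw))
```

An empty result does not mean a message is safe; the flags only mark mail that deserves a closer look before anything in it is clicked.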
3. Lottery Scams
Who doesn't want to win the lottery? Just about everyone, and that's a scenario that attracts more phishing scammers. One time-tested instance of a lottery scam is the so-called Foreign Lottery scam, which often comes from an African point of origin. Here, phishing fraudsters send you a message (often headed with official titles like "Global Trust Agency" or "Government Promotions Office") saying that you have won a large sum of cash via a foreign lottery. All you need to do is send your name, address, bank account or PayPal/Venmo information, and claim your prize. Another version asks you to pay a small "fee" to claim your lottery winnings, which requires your financial account information. These lottery scams are to be avoided, not only to keep from sharing your financial account information, but to keep phishing thieves from reselling your personal data on the black market.
4. "Pharming" Attacks
So-called "pharming" represents a next generation of phishing attacks, which makes clever use of social engineering to gain access to credentials such as user names and passwords. Pharming is a potentially more sinister threat in the phishing family, since it circumvents the need to lure digital consumers into responding to spam email messages. A pharming attack works by misdirecting users from legitimate websites to similar-looking websites designed to look like the original web portals. Pharming exploits DNS/Internet server vulnerabilities, allowing the pharming fraudster to acquire website domain names and redirect the site traffic to a mirror site. These fraudulent sites then grab key personal data like account IDs, user names, passwords and credit card data and transmit it all to the pharming hacker, all without the user's knowledge.
5. Smishing
With the increased use of mobile phones across the globe, the rise of "smishing," which attacks users via SMS/text messaging, is becoming a dangerous threat. With a smishing threat, smartphone consumers see a text that often contains a link or a phone number that the user is urged to contact or call. When you click on the link or make the call, your data is siphoned off, and you become immediately vulnerable to data loss and financial theft.
6. Banking Scams
Often computer viruses, sent to individuals via phishing scams, can be used to harvest critical personal financial data. One perennial phishing scam is the bank ACH transfer scam, where a digital user gets an email or text saying their bank ACH transmission was rejected. Invariably, the user, who fears a fraudulent transfer was made in their name, will click on the link provided in the phishing message and leave their data vulnerable in the process. Another variation of this scam involves unsuspecting new employees who click on the link, thinking there is an issue with their direct deposit program. When they click on the link, the victim's computer is redirected to a site that will infect the victim's computer with malware, which harvests the employee's actual banking credentials, which can be used to make fraudulent transactions.
7. Pop-Up Scams
These phishing scams occur when a digital user is browsing the web on his or her smartphone or computer, and sees a small graphic "pop up" on their screen. Fraudsters are smart, and they make sure the graphic is similar to the content being viewed by the consumer, making it easier to steer that consumer to a bogus website or page where their data can be harvested and stolen. Often, the pop-ups will say the computer or phone has been infected with malware, and the only solution is to click on the link or call a phone number where the user is asked to share personal data, which can be stolen to commit financial fraud.
Actionable Steps to Prevent Phishing Scams
Once digital consumers come to grips with the fact they have a target on their back from phishing scam artists, they can take some common-sense steps to thwart cybercriminals.
Start with these key action steps:
- The "big picture." Never give your account passwords out; never open links on questionable emails, and use comprehensive security software to protect your computer and mobile devices.
- Vary your passwords. Changing your password can prevent future phishing attacks. The idea is to use sophisticated and varied passwords for different accounts, thus curbing the odds that anyone will break into your accounts. Doing so also minimizes the damage done in the event your personal data is hacked.
- Never, ever give your personal data to strangers. Financial institutions and the U.S. government (especially the Internal Revenue Service and the Social Security Administration) all have policies against calling or emailing and asking for your Social Security number or credit account numbers. If you get a suspicious email, text or phone call asking for personal data your bank, credit card provider or government agency already has on file, just ignore it.
- Be suspicious of unsolicited emails and texts. Make it a priority to watch out for unsolicited emails asking you for either money or your private data. Don't hesitate - hit the "delete button" right away and never click on any embedded links in such emails.
- Install security software on your mobile devices and computers. System security companies like LifeLock and Identity Guard do a good job of protecting your personal devices and data, but you've got to install the programs to get the security. Usually, you can get system protection on a 30-day trial basis, so you can choose which identity protection program works for you.
Your best move against phishing? Always treat your personal financial data with respect, and don't share it with others. Do that and follow the tips above, and you'll vastly reduce your chances of being laid low by phishing attempts and I.D. theft.
If you do suspect a phishing attempt has been launched against you, contact the U.S. Federal Trade Commission. The agency has a special email address for scam complaints, at email@example.com.