Phishing is a deception criminals use to obtain your personal information by posing as a legitimate company or service through e-mail or internet sites. Most phishing attacks start with an e-mail asking you to either respond to the e-mail with personal information or visit a website that looks “right” but is actually controlled by the hacker. This is why it is important to know how to protect yourself from phishing scams.
The most recent data from PhishTank, an anti-phishing working group, indicates that financial websites like PayPal and Mastercard are the top phishing targets, but other sites like Facebook that could give criminals the info they need to steal your identity are popular targets, too.
This means that the best defense against phishing is staying aware that even websites you visit regularly might not be legitimate, and learning how to recognize and report these sites so that they are taken down before less vigilant visitors put themselves at risk of identity theft.
How Can You Protect Yourself from Phishing?
“How do you protect yourself from phishing?” is one of the questions I receive most frequently. I always say that when dealing with phishing attacks, protecting yourself means being aware of the information you are sending and ensuring that you are sending it to the right person or company.
I don’t usually recommend paranoia as a defensive measure, but when a friend told me recently that she and other residents in her apartment complex were victims of a phishing scam when the apartment manager’s e-mail account was hacked, I realized that no scam is too small for phishing criminals.
With that in mind, I suggest that no matter how realistic an e-mail or website appears, you should be on your guard any time login or financial information is involved. I use these tips to help myself remember how to protect against phishing, and I believe they will be helpful for you to learn how to protect yourself from phishing scams, too.
- Add Financial Institutions to Your E-mail Contacts – Most financial institutions only use one e-mail address to send you account reminders or alerts. If you have this e-mail address saved to the contacts in your e-mail address book, you’ll immediately notice when a message claiming to come from them arrives from an unfamiliar address, which should be treated as suspicious.
- Don’t Respond to Suspicious Emails, or Follow Links – If you receive an e-mail that looks like it’s from your bank or credit card company but isn’t from an address in your contacts, don’t click any links. Manually enter the web address that you know to be correct for the company in another browser, or better yet – pick up the phone and call.
- Pay Attention to the Web Address When Browsing – I have found that the easiest way to avoid phishing scams, aside from not clicking links in e-mails, is to look carefully at the web address of any login page or page requesting personal information. Double check your spelling when you enter a web address, and be very careful when following links from a search engine.
- Don’t Open Attachments – I recommend that unless you were expecting it, never open an attachment from your e-mail account. Hackers often attach malicious file attachments to e-mails in hopes that if the target (you!) does not follow the phishing link, you will open the attachment, which could then download malicious software to your computer.
- Look at Spelling and Grammar – Most phishing e-mails I see bear many of the hallmarks of standard spam e-mail, such as slightly off or downright wrong spelling and grammar, like an e-mail I once received addressed “Dear PayPal Costumer.” This is funny, but potentially dangerous. If you are ever in doubt, again, visit the website by manually typing in its address in another browser or calling the company that you think could have sent the e-mail.
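As an added example (not part of the original article), here are the first three tips expressed as checks a careful user or a mail filter could run over a message: compare the From address against saved contacts, and inspect the host of every link before trusting it. The contact list, the domains and both sample messages are constructed for illustration.

```python
"""Added example, not from the original article: apply the article's first
three tips to a raw e-mail. The contacts, domains and messages are constructed."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

KNOWN_CONTACTS = {"alerts@example-bank.com"}   # tip 1: the one alert address, saved as a contact
KNOWN_DOMAINS = {"example-bank.com"}           # tip 3: web addresses known to be correct
URL_RE = re.compile(r"https?://[^\s<>\"']+")

def registrable_domain(host: str) -> str:
    """Last two labels of a hostname (naive: ignores multi-label public suffixes)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def sender_is_known(raw_email: str) -> bool:
    """Tip 1: the From address must exactly match a saved contact, not just a display name."""
    _, addr = parseaddr(message_from_string(raw_email).get("From", ""))
    return addr.lower() in KNOWN_CONTACTS

def suspicious_links(raw_email: str) -> list:
    """Tips 2 and 3: (url, reason) for every link whose host is not a known domain."""
    body = message_from_string(raw_email).get_payload()  # single-part plain-text message assumed
    findings = []
    for url in URL_RE.findall(body):
        host = (urlparse(url).hostname or "").lower()
        if registrable_domain(host) in KNOWN_DOMAINS:
            continue
        # A known brand name inside an unknown host is the classic lookalike/subdomain trick.
        brand = next((d for d in KNOWN_DOMAINS if d.split(".")[0] in host), None)
        reason = f"impersonates {brand}" if brand else "not a known domain"
        findings.append((url, f"host {host}: {reason}"))
    return findings

def assess(raw_email: str) -> dict:
    """Any finding means: do not click; type the known address or phone the company instead."""
    known, links = sender_is_known(raw_email), suspicious_links(raw_email)
    return {"sender_known": known, "suspicious_links": links,
            "treat_as_phishing": not known or bool(links)}

# Constructed sample messages: one genuine alert, one lookalike.
LEGIT = ("From: Example Bank <alerts@example-bank.com>\nSubject: Statement ready\n\n"
         "Your statement is ready at https://www.example-bank.com/statements\n")
PHISH = ("From: Example Bank <security@example-bank-alerts.net>\nSubject: Verify your account\n\n"
         "Log in now: http://example-bank.com.login-verify.example/secure\n")
```

Note that the display name "Example Bank" is identical in both messages; only the address and the link host give the second one away, which is exactly why the tips insist on the address rather than the name.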
What To Do If You Suspect Phishing
If you suspect phishing, the first thing to do is mitigate the damage and start protecting yourself. Next, I always recommend that users report phishing to someone who can take action against the scammers. This protects you and others who might be led into the same scam.
- Run Your Anti-Virus – If you open a phishing e-mail or accidentally visit a phishing website, even if you did not enter any personal information, you should run your anti-virus programs to make sure that no harmful programs were downloaded to your computer.
- Report Phishing to the Hijacked Company – According to a University of Cambridge study, “The Impact of Incentives on Notice and Take-down” (pdf), the time it takes for a phishing website to be taken down drops dramatically when the corporation that owns the name and website being imitated is aware of the situation. Call or e-mail the company being imitated in a phishing attack to let them know what happened so that they can stop the attack before it gets worse.
If you shared any information in a phishing attack, your identity might be compromised – even if it was just a username and password.