Email is a scammer’s dream come true. It enables them to easily contact tens of thousands people for next to nothing. Even if just a small percentage of the recipients are fooled into clicking on the link in the phishing email and giving out sensitive information like credit card numbers, the scammers still win.
It used to be that unsolicited “spam” email was the main avenue for email scams. However, these days, tricksters are finding increasingly clever ways to hide phishing emails as communications from legitimate, well-known companies like your credit card company, your bank, or an online greeting card site. Emails use the logos and graphics of the company they purport to be to make them indistinguishable from a genuine communication. Common phishing emails feign to be from trusted companies like eBay, PayPal, or even credit card issuers like Bank of America or American Express. A recent phishing scam even involved an email pretending to be an IRS communication promising receivers a tax refund from the Obama stimulus package.
Phishing emails used to be sent to a random selection of people, with the assumption that a percentage of the people receiving the email were indeed customers of the bank or service they purported to be from. However, as scammers have become more sophisticated, more targeted versions of phishing—also known as spear phishing—are becoming more common. In spear phishing attacks, cybergangs infect victims’ computers with spyware to discover which banks they are using. When they then follow up with phishing emails from that bank or service, victims are much likely to be tricked into clicking on the link in the bogus email and enter the personal information required.
How can you protect yourself from this new breed of sophisticated phishing attacks? Here are five questions to help you identify phishing scams.
1. Does the email address you by name? If the email addresses you by phrases like “Dear Cardmember,” or “Dear Customer,” it’s most likely a scam. Legitimate email messages from financial institutions always contain some information not available to outsiders. This may be your name, your account user name or in the case of credit card companies, the last four or five digits of your credit card number. Watch out, however, because some phishing emails include the first four digits of your credit card number to make the email look legitimate. However, the first four digits of credit cards are often generic for all clients of that financial institution.
Unfortunately the presence of personal information doesn’t ensure that the email is legit. If hackers have installed spyware on your computer, they may have been able to siphon off pieces of personal information to trick you into believing that you’re dealing with a legitimate email.
2. Does the email ask you to give out personal information? No credit card company, bank or online payment service will ever ask you for your personal information, including your full name, your password, your driver’s license number, social security number, credit card number or bank account number. Similarly, if the email contains a hyperlink that directs you to a website that asks for personal information, it’s a phishing scam.
3. Does the email contain any attachments? Your credit card company or other financial service will never send you an email with attachments. In general, never open attachments in emails other than from close friends whom you trust; it is all too likely to be spyware or a virus. In addition, don’t click on hyperlinks in an email that in any way looks suspect. Instead open a new browser window and type in the address of the company directly to log into your account.
4. Does the email seek to scare you into taking action? Many phishing emails use a fear tactic to scare victims into clicking on the hyperlink included. For example, the email may tell you that your account with the company has been compromised and exposed to fraudulent activity, and you need to take action. Or the email may claim that your account is about to be shut down, unless you click on the link provided to reconfirm your personal information.
5. Does the email contain spelling or grammatical errors or unusual turns of phrase? Many phishing emails are created by non-English speakers in distant parts of the world, so they often contain spelling errors or awkward-sounding phrases. While this used to be a dead give-away, unfortunately, cybercriminals have caught on, and most phishing emails these days contain much more polished language.
If you receive a suspicious email, forward it to the company that is being impersonated to help them take appropriate action against the fraudsters and protect other account holders. For information about known phishing attacks, check out the website of the Anti-Phishing Working Group. (http://www.antiphishing.org/phishing_archive.html. Another useful resource for general, up-to-date information on computer security and troubleshooting is DIYComputerHelp.com.
Report Suspicious Emails
Here is the contact information for the major credit card companies for reporting suspect emails.
Visa: phishing@visa.com
American Express: spoof@americanexpress.com
MasterCard: Call 1-800-MasterCard
Discover Cards: Call 1-800-DISCOVER
You can also help thwart cybergangs by forwarding suspicious emails to the Better Business Bureau at nophishing@cbbb.bbb.org and reporting phishing attempts to the Federal Trade Commission.
