Phishing, the sport of tricking Internet users into clicking through to what looks like a legitimate link, is becoming more personalized and harder to detect. Instead of sending mass emails, fraudsters are posing as companies of which you are actually a customer. This can make it much harder to distinguish phishing emails from legitimate emails. For example, a fraudster may see that you “checked in” on a social platform at a certain bank. The fraudster then knows to send a phishing email that appears to come from that institution.
As more and more interaction moves to social platforms, fraudsters are abandoning email phishing in favor of posing as familiar faces on social networks. This move into the social networking and mobile arena has changed fraudster tactics. Instead of sending emails, fraudsters are posting updates and sharing links as legitimate users or friends. This is dangerous because users are much more likely to trust a link on a social network that came from one of their friends than some unknown email address.
One of the most common scams is the “Stranded Traveler” scam. If a friend posts online that they’re traveling, a fraudster can hack into that person’s social media profile or email and send messages to friends saying they have lost their wallet and are stranded and in desperate need of cash. The goal is to get a money transfer from a friend; once the fraudster has all of the bank details, they can collect the funds. Status updates and information sharing on social networks give fraudsters the opportunity to run schemes like these, which prey on friends who think they’re legitimately helping.
Here are some tips to protect yourself:
- When you receive a suspicious-looking email from a company you do business with, such as a social network or bank, go directly to their website instead of clicking on a link.
- If something sounds too good to be true, then it is. Fraudsters lure victims by offering something for free or promising a deal you can’t get anywhere else.
- Look for misspellings of words. Scammers will commonly use a misspelled domain to make it harder to notice the link is fake; they will also add extra words to the domain, such as mybankofamerica.com or chaselogin.com.
- Do not ever enter username or password information into a page linked from an email, even if it is sent from a trusted sender like a friend. Account hijackers often will send out phishing links to the network of the account they hijacked. If you receive a suspicious email from a friend, make sure to call them immediately. Your friend will appreciate that you have notified them that their email or social media account may have been hijacked.
- Be careful of phishing scams in non-traditional places. I recently received a phishing scam sent via SMS. When the link has strange spaces in an SMS, it often makes it harder to detect a phishing scam. If in doubt, call your financial institution or the entity sending you the message to make sure it is legitimate. I obscured the bank name to protect the bank and myself.
- Use banks and websites that offer two-factor authentication. In addition to requiring a username and password to complete a transaction, websites can send a voice call or SMS to confirm that you actually authorized a particular action. If your bank or institution doesn’t offer it, let them know it’s something you want.
Learn more about the benefits of two-factor authentication.
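The lookalike-domain tip above can be turned into an automatic check on a received link. The sketch below is an added example, not code from the original article: the `KNOWN` list, the function names and the sample links are assumptions, and it also strips the stray spaces mentioned in the SMS tip before comparing.

```python
import re
from urllib.parse import urlsplit

# Assumption: the domains this user really does business with (sample values).
KNOWN = ("bankofamerica.com", "chase.com")

def edit_distance(a, b):
    """Levenshtein distance: single-character inserts, deletes, substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def host_of(link):
    """Extract the lowercase hostname, tolerating spaces inserted into an SMS link."""
    link = re.sub(r"\s+", "", link)
    if "://" not in link:
        link = "http://" + link
    return (urlsplit(link).hostname or "").lower().rstrip(".")

def classify(link, known=KNOWN):
    host = host_of(link)
    if any(host == d or host.endswith("." + d) for d in known):
        return "known"
    brands = [d.split(".")[0] for d in known]
    # Brand name present, but the host is not the real domain or a subdomain of it.
    if any(b in host for b in brands):
        return "extra-words"
    # A label within one or two edits of a brand name (more slack for long names).
    for b in brands:
        limit = 1 if len(b) < 8 else 2
        if any(edit_distance(label, b) <= limit for label in host.split(".")):
            return "misspelling"
    return "unknown"

if __name__ == "__main__":
    # Constructed sample links; the first two domains are the ones named in the tip.
    for link in ("mybankofamerica.com", "http://chaselogin.com/signin",
                 "bankofamerlca. com/verify", "https://www.chase.com/login",
                 "example.org"):
        print(f"{classify(link):12} {link}")
```

A short brand name such as "chase" also appears inside unrelated words (purchase.com would be flagged), so treat a hit as a prompt to go to the institution's website directly rather than as proof of fraud.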