How to Avoid Phishing and Phone Scams and Identity Theft
Phishing scams represent a serious threat. This article describes tactics used by phishing scammers and strategies to avoid identity theft.
What is Phishing?
Phishing is an attempt to trick you into doing something you don’t want to do. Phishing attempts try to coerce you into giving away your most valuable information—bank account numbers, credit card numbers, passwords, social security number, even your mother’s maiden name. The people behind phishing scams want your personal info, and they are willing to go to great lengths to trick you into handing over your identity.
Phishing Scams Lead to Identity Theft
Phishing scams often arrive as cleverly disguised emails or deceptive phone calls. They may appear to be sent by trustworthy companies like eBay, PayPal, or your local bank or credit union. Phone callers may pretend to be from Microsoft, the IRS, or your IT team.
Phishing attempts over the phone often try to induce a sense of urgency by telling you things such as “You owe money to the IRS” or “Your computer has a virus”. This urgency is an attempt to get you to act quickly without putting careful thought into who might actually be calling.
Phishing emails may make threats like “Attention! Your PayPal account has been violated!” or “If you choose to ignore our request, we have no choice but to suspend your account.” These matters seem urgent, and unless you recognize the email as a phishing scam, you might fall victim to it.
Some phishing emails try to convince you that something good will come from your participation. A phishing email might say, “We are pleased to introduce our fully upgraded online banking. By clicking the link below, you will begin the process of updating your user details.”
From Email to the Web
Clicking a link in a phishing email typically takes you to a fake website. The phishing site is designed to look like a company’s real website. The phishing site may even link to the official site and may use the same graphics, colors, and logos. This is all done to lull you into a false sense of security.
The phishing email and website are designed to get you to fill out their online web form. Once you have done that, the scam is complete.
An online web form used in a phishing scam asks for your personal info. The scammers want anything you are willing to give them, including your bank account numbers, credit card numbers, social security number, passwords, etc. They might use your info to apply for new credit cards, run up bills on your existing cards, take out loans, and anything else they can do.
Phishing Over the Phone
Phishing scams are not limited to email or the web; they can also come from a phone call. Their goal is either to acquire your personal information or to lead you to a remote access website and take control of your computer. Oftentimes they will pretend to be from a well-known organization such as Microsoft, Apple, the IRS, or even Illinois State University.
Phishing calls will oftentimes spoof their phone number in an attempt to make their call look legitimate. A scammer can spoof their caller ID so that it looks like they are calling you from the University or from a variety of different places. If you are uncertain if a call is really coming from the University, insist on calling that department back on a publicly available phone number. Ideally, this will be a phone number listed on their website. If someone claims to be a member of your IT team, but you are not familiar with them, offer to call back on their official line.
Scammers may also attempt to learn what kind of equipment you are using, either to exploit a known vulnerability later or to sound credible in a follow-up phishing attempt. These callers will often pretend to be conducting a survey or research, and may ask you questions such as what operating system you are on, what model of computer you are using, or what type of printer you have. While these questions are normal for an IT team troubleshooting your issue, they should be seen as extremely suspicious when they come from an unsolicited call.
How to Recognize Phishing Scams
How can you tell the difference between a phishing scam and a legitimate call, email, or website? Unfortunately, phishing scams are becoming more and more sophisticated and increasingly difficult to identify. However, there are several strategies you can use to recognize phishing scams.
- Be skeptical. Since you know phishing scams are out there, be skeptical of emails you receive. Has your account really been violated? Do you really need to update your account information? Most companies don’t wait until the last minute to spring emergencies like this on their customers. They send several notices, often through the regular mail, or they call to warn you of potential security breaches. If you get emails like this, look for clues that they might be fakes.
- Verify the web address and email address. Checking the addresses is a good way of discovering a scam. If the host part of the web address (the part right after “https://”) is a string of numbers, the site should probably not be trusted. For example, this is an untrustworthy address: “https://22.214.171.124/ebay/account”. Even though “ebay” is part of the address, the host part is a set of numbers (called an IP address) rather than a company name. This is a sign that something may not be right.
- Look for signs of security. Real corporate websites use secure, encrypted web pages any time their customers are asked to send personal and financial information. Look for “https://” in the web address. The “s” stands for “secure”. Also look for a locked padlock icon in the lower part of your browser window. The locked padlock icon indicates the site is encrypted, which means your data is protected when you send it over the Internet. If you don’t see these signs, then the site could be a fake.
- Look for fishy details. Most legitimate corporate emails and websites look professional. Phishing scams try to fool you, but like a photocopied dollar bill, they just do not look right. Look for poor grammar, poor spelling, and poor design. If your instincts tell you something is fishy, it probably is. Phishing scams are becoming more sophisticated each day, so this is not a sure-fire way of sniffing out a fake, but it’s still a good place to start.
- Make a few phone calls. Before you click any links or fill out any forms, call the company—and don’t use the phone number in the email. Get a real person on the phone to help you verify the legitimacy of the email you received. If you can’t reach a company representative by phone, call the Technology Support Center (309-438-4357).
- Illinois State University will never ask for your password. If you receive a call or email explicitly asking for your password, this is likely a phishing attempt. University Tech Teams do not need your password in order to assist you, and will never ask for it.
- Do not grant remote access to an untrusted source. Phone phishing scammers will often try to get you to go to a website that lets them remotely take over your PC. Any remote connection request should come from a trusted source, and the University will only ever ask to screen connect (in circumstances where it helps diagnose a problem) by directing you to https://screenconnect.illinoisstate.edu.
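As an added example that is not part of the original article, the following Python function applies the address checks from the list above (an IP address where the company name should be, a missing “https://”, and a brand name appearing in the path or subdomain while the real domain is something else) to a link before it is clicked. The brand list and the test addresses are constructed samples, not the University’s own data.

```python
import ipaddress
from urllib.parse import urlparse

# Constructed sample of brand names a phisher commonly imitates.
BRANDS = ("ebay", "paypal", "illinoisstate", "microsoft")


def url_warning_signs(url: str) -> list:
    """Return the phishing warning signs found in `url`; an empty list means none found.

    An empty list does NOT prove a site is genuine: https only means the
    connection is encrypted, not that the site's owner is who they claim to be.
    """
    parts = urlparse(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    signs = []

    # Sign 1 (from the article): the host is a bare IP address, not a company name.
    try:
        ipaddress.ip_address(host)
        signs.append("host is an IP address, not a domain name")
    except ValueError:
        pass

    # Sign 2: not https, so anything typed into a form would travel unencrypted.
    if parts.scheme != "https":
        signs.append("not https; form data would not be encrypted in transit")

    # Sign 3: a well-known brand appears in the path (e.g. /ebay/account) or as a
    # subdomain (e.g. paypal.com.example.net) while the registered domain differs.
    # The registered domain is approximated here as the last two labels of the host.
    labels = host.split(".")
    registered = ".".join(labels[-2:]) if len(labels) >= 2 else host
    subdomain = ".".join(labels[:-2])
    for brand in BRANDS:
        if (brand in parts.path.lower() or brand in subdomain) and brand not in registered:
            signs.append(f"'{brand}' appears in the address but the site is really {registered}")

    return signs


if __name__ == "__main__":
    for link in ("https://22.214.171.124/ebay/account",          # the article's example
                 "http://paypal.com.secure-login.example/update",  # constructed sample
                 "https://www.paypal.com/signin"):                  # constructed sample
        print(link, "->", url_warning_signs(link) or "no warning signs")
```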
The following sites have good information about phishing and reporting phishing scams:
- Anti-Phishing Working Group
- Federal Trade Commission (FTC) - How Not to Get Hooked by a Phishing Scam
- Microsoft: Recognize Phishing Scams and Fraudulent E-mails