What is phishing?

Phishing is when a fraudster pretends to be a reputable person or company and steals personal information to be used for financial crimes or identity theft. Phishing happens on social media, via email, over the phone, and in pop-ups and search engine results.

How does phishing work?

This classic scam illustrates how phishing works.

  1. You get an email pretending to be from your financial institution. It says there’s a problem with your account and has a link that looks like it’s from the institution’s website.
  2. You click the link to go to the website, and you’re presented with a login page. It looks like the institution’s official website, though the words and graphics may not be 100% accurate.
  3. You enter your User ID and Password.
  4. You’ve been phished – thieves now have your online banking User ID and Password. Now they can log in to your account, transfer money out, and steal more personal information.

Besides email, phishing can happen via cold calls, pop-ups, search results and social media.

What’s cold call phishing?

This classic cold call phishing scam happens when “tech support” calls and claims to be from a reputable company (like Microsoft or Norton) and states that your computer has a problem. The criminal will then ask you to install software on your computer, or to give them remote access to your computer.

If you install the software or give the caller remote access, you’re giving thieves access to steal your money and personal information. Sometimes, these scammers will even ask for a fee to fix the issue.

What are phishing pop-ups?

When browsing the internet, you might see pop-ups that tell you there’s something wrong with your computer, or that offer to “fix” or “scan” your computer. Often, you will see these when you’re searching for a related problem – for example, a pop-up that claims to have found a virus on your computer appears when you search for information about viruses.

Sometimes, the pop-ups will look like they come from a legitimate source, such as Microsoft or Norton. If you click the pop-up, provide personal information, or download software, you may end up being phished.

Examine the message closely — look for obvious signs of fraud such as poor spelling, unprofessional imagery, and bad grammar. If there’s a phone number listed in the pop-up, you can also do an internet search for that number to verify its legitimacy. In general, it’s a good idea to steer clear of pop-ups!

How does phishing work with search engine results?

Fraudsters frequently use paid search results to advertise “support services”, cheap products, employment opportunities or amazing deals. Beware of the following when you’re looking at search results:

  1. Deals, discounts or giveaways that sound too good to be true. If you provide personal or financial information, you’ll lose your money or identity.
  2. Credit cards with very low interest rates from banks you’ve never heard of. These applications are often simply designed to steal your information.
  3. Employment applications requiring lots of personal information. Online job searches can show fake job offers from companies that don’t exist – especially for work-from-home opportunities or too-good-to-be-true offers. The applications for these jobs will ask for personal information that an employer wouldn’t need to hire you.
  4. Websites promising to scan your computer for problems or fix viruses. Although there are legitimate antivirus companies who offer services online, much of what you find in search results are fake companies that only want to steal your identity and money. Exercise caution before downloading anything!

How does phishing happen on social media?

From Facebook to LinkedIn, social media is full of phishing attacks.

  1. Advertisements on social media – especially for fake products or too-good-to-be-true prices – may be attempts to steal your credit card and personal information.
  2. Direct messages (DMs) can contain phishing attempts, especially if a friend or family member’s account has been compromised. Hacked social media accounts can be used to send phishing links through DMs, attempting to trick you into visiting malicious websites or downloading file attachments.

For example, a friend’s Twitter account that has been compromised might send you a direct message with a fake link to connect with them on LinkedIn. This link would direct you to a phishing site that looks like the LinkedIn login page, but is really a phishing site designed to steal your LinkedIn credentials.

  1. Fake customer support accounts are when scammers impersonate major brands such as Amazon, PayPal, or Samsung. Because many people turning to Twitter or Facebook over traditional customer support channels, scammers are taking advantage of this.

For example, the Twitter handle @Amazon_Help might be used to impersonate the real support account @AmazonHelp. To make sure you’re using real customer support accounts, begin your search for help at the company’s official website.

  • Spam comments often appear on trending content – they contain links to phishing sites that try to trick you into entering your personal information, such as a username and password to an online account. Be careful with any links you see in comments, and don’t ever log in to sites linked in comments.
  • Compromised accounts of friends can also be used to make posts that are phishing attempts. Because you know and trust the person making the post, you may be more included to trust the link. The post you’re looking at for a great electronics deal or travel sale may be legitimately posted by your friend – but know that social media accounts can be hacked, so don’t automatically trust everything you see posted.

How can you protect yourself against phishing?

There’s many phishing scams out there, but you can protect yourself from them online if you remember the five RIVER practices: Refuse, Ignore, Verify, Exercise and Review.

Refuse – Refuse to download software or provide remote access if there are phone calls about your computer asking for remote access – hang up, even if they mention a well-known company such as Microsoft.

Ignore – Ignore suspicious text messages, close pop-up windows, and avoid clicking on links or attachments in emails from people you don’t know – delete them instead.

Verify – Verify the identity of the contact (if you’re unsure about a message) through an independent source such as an online search, or call them at a known number. Don't use the contact details provided in the message sent to you!

Exercise – Exercise caution when shopping online. Beware of offers that seem too good to be true, and always use an online shopping service that you know and trust. Think twice before using virtual currencies (like Bitcoin) or alternate payment methods (like prepaid debit cards or iTunes gift cards) — they do not have the same protections as other transaction methods.

Review – Review your privacy and security settings on social media. If you use social networking sites such as Facebook, be careful who you connect with, and learn how to use your privacy and security settings to ensure you stay safe.

What should you do if you think you’ve been phished?

If you think you’ve been phished, take these 4 steps to protect yourself.

  1. Change your passwords to your computer, to financial institutions, and to your online accounts. When you’re changing your financial institution and other online account passwords, do that using a different computer than the one you think you were phished on.
  2. Run a full system scan on the compromised computer using the built-in antivirus software (if the computer has it), or the software from a reputable company.
  3. Contact your financial institution to report that there has been potential fraud performed on your account.
  4. Consider asking the credit bureaus to place a fraud alert or credit freeze on your account – their contact information can be found on this page.