In today’s world, email scams (aka phishing attempts) are common. But if you’re vigilant and know the warning signs, you can avoid falling prey.
There are plenty of helpful tips on how you can protect yourself from a phishing attempt. I recommend doing a quick Google search to learn all you can about how to spot a suspicious email (I’ve done this for you already; keep reading below for detailed information on phishing). In the meantime, here are a few tips to help get you started:
1. Trust your gut. If an email just doesn’t look right, delete it. Or, if you’re unsure, look for a robust signature line, including phone number, credentials, and the brokerage address. Call to speak with the agent directly to make sure the communication is not a scam.
For example, you’d want to look for something like this:
John Smith, Realtor
Smith Real Estate
1876 Colorado St. Suite 100
Denver, CO 80203
303.123.1234
[email protected]. com
www.JohnSmithRE.com
And be wary of a signature line that looks like this:
John Smith
Broker, Realtor
Smith Real Estate
2. An email you receive may look official, but if it asks for any personal information, asks you to review an attachment, or asks you to click a link you don’t recognize, consider that a warning sign. Under no circumstances should you send info, open attachments or click links without first confirming that the communication is legitimate.
3. Check for poor spelling and grammar. If the message is full of mistakes, it’s probably not legitimate.
4. Closely examine the email address. Often, the address appears to belong to someone you know, but if you look closely, there’s almost always a letter or number missing. This is how scammers fool you into thinking the email is from someone you know.
What are phishing scams and how can I avoid them?
Phishing explained
Phishing scams are typically fraudulent email messages appearing to come from legitimate enterprises (e.g., your university, your Internet service provider, your bank). These messages usually direct you to a spoofed website or otherwise get you to divulge private information (e.g., passphrase, credit card, or other account updates). The perpetrators then use this private information to commit identity theft.
One type of phishing attempt is an email message stating that you are receiving it due to fraudulent activity on your account, and asking you to “click here” to verify your information.
Phishing scams are crude social engineering tools designed to induce panic in the reader. These scams attempt to trick recipients into responding or clicking immediately, by claiming they will lose something (e.g., email, bank account). Such a claim is always indicative of a phishing scam, as responsible companies and organizations will never take these types of actions via email.
Specific types of phishing
Phishing scams vary widely in terms of their complexity, the quality of the forgery, and the attacker’s objective. Several distinct types of phishing have emerged.
Spear phishing
Phishing attacks directed at specific individuals, roles, or organizations are referred to as “spear phishing”. Since these attacks are so pointed, attackers may go to great lengths to gather specific personal or institutional information in the hope of making the attack more believable and increasing the likelihood of its success.
The best defense against spear phishing is to carefully and securely discard information (e.g., using a cross-cut shredder) that could be used in such an attack. Further, be aware of data that may be relatively easy to obtain (e.g., your title at work, your favorite places, or where you bank), and think before acting on seemingly random requests via email or phone.
Whaling
The term “whaling” is used to describe phishing attacks (usually spear phishing) directed specifically at executive officers or other high-profile targets within a business, government, or other organization.
Avoiding phishing scams
To guard against phishing scams, consider the following:
- Reputable organizations will never use email to request that you reply with your password, full Social Security number, or confidential personal information. Be suspicious of any email message that asks you to enter or verify personal information, through a website or by replying to the message itself. Never reply to or click the links in such a message. If you think the message may be legitimate, go directly to the company’s website (i.e., type the real URL into your browser) or contact the company to see if you really do need to take the action described in the email message.
- The safest practice is to read your email as plain text. Phishing messages often contain clickable images that look legitimate; by reading messages in plain text, you can see the URLs that any images point to. Additionally, when you allow your mail client to read HTML or other non-text-only formatting, attackers can take advantage of your mail client’s ability to execute code, which leaves your computer vulnerable to viruses, worms, and Trojans.
- If you choose to read your email in HTML format:
  - Hover your mouse over the links in each email message to display the actual URL. Check whether the hover-text link matches what’s in the text, and whether the link looks like a site with which you would normally do business. On an iOS device, tap and hold your finger over a link to display the URL. Unfortunately, Android does not currently support this.
  - Before you click a link, check to see if the message sender used a digital signature when sending the message. A digital signature helps ensure that the message actually came from the sender.
When you recognize a phishing message, first report it as noted below, then delete the email message from your Inbox, and finally empty it from the deleted items folder to avoid accidentally accessing the websites it points to.
Warnings
Reading email as plain text is a general best practice that, while avoiding some phishing attempts, won’t avoid them all. Some legitimate sites use redirect scripts that don’t validate where the redirect goes (so-called open redirects). Consequently, phishing perpetrators can use these scripts to bounce visitors from a legitimate site to their fake sites, so the link you inspect starts with a trustworthy domain.
Another tactic is to use a homograph attack, which, due to International Domain Name (IDN) support in modern browsers, allows attackers to use different language character sets to produce URLs that look remarkably like the authentic ones.
Reporting phishing attempts
- You can report a phishing scam attempt to the company that is being spoofed.
- You can also send reports to the Federal Trade Commission (FTC).
- Depending on where you live, some local authorities also accept phishing scam reports.
- Finally, you can send details to the Anti-Phishing Working Group, which is building a database of common scams to which people can refer.
If you’ve fallen for a phishing scam
If you believe you’ve been scammed, file your complaint with the FTC, and then visit the FTC’s Identity Theft website at ftc.gov/idtheft. Victims of phishing can become victims of identity theft.
Follow the guide below for specific steps to take according to the type of information you shared:
I accidentally sent… my email/username & password/passphrase.
You should… Change your password/passphrase immediately!
If you’re using a free provider (Gmail, Hotmail, etc.) and you find an increasing and uncontrollable amount of spam, you may wish to change your email address as well. Unfortunately, IU is unable to change your Network ID/email address for spam-reduction purposes.
I accidentally sent… personal information such as: address, bank/financial account number, credit card number or information, answers to security questions, other personal information that can be changed, driver’s license/license plate.
You should… While there’s no way to “unsend” the email, many of these pieces of information are changeable (especially credit card numbers). Contact the appropriate organization or financial institution. You should also report this as identity theft and take action to protect your accounts.
Please note: the theft of a credit card (or credit card number) alone does not constitute identity theft (as determined by the FTC). You should, however, promptly call the financial institution and have the number changed. You can also work out any erroneous charges on your account.
Also, technically, yes — your address is changeable, if you move. However, consider that only as a last resort; most identity thieves attempt to collect thousands (even millions) of individuals’ information during phishing scams; they’re likely not singling you out as a target. If you feel your personal safety threatened, contact your local police department.
I accidentally sent… personal information that isn’t changeable — such as: Social Security number, mother’s maiden name, date and/or city of birth, health/medical information.
You should… Unfortunately, there’s not much you can do about this except defend yourself (electronically). Search for pages on identity theft on Google and take action to protect yourself. Being proactive and staying alert and aware of your credit is your best defense.