It’s your annoying alumni association emailing you again about its latest endowment campaign, but this time -- whether you’re feeling extra guilty or you just got a promotion -- instead of striking delete on your keyboard, you click on the link to donate, taking you to a website where your university's mascot is doing a little leprechaun dance. After you stop grinning, you compliantly enter your pin, social security number and other pertinent financial information to complete the transaction, and you feel good about finally supporting your school.
Across town, a customer of a telecommunications firm receives an email explaining a problem with his latest order. He's directed, via an email link, to furnish his account information. After the customer complies, an auto message thanks him for his business and assures him his equipment is on the way. In both cases, the computer users were spear phished.
Rather than targeting an individual, spear phishers (a more sophisticated type of email spammer) are more likely to send a generic, but authoritative, message to a group of like individuals or specific organization, hoping to gain access to a few new accounts after every phishing expedition. One week they could target the members of an alumni association, the next week, their focus could zoom in on the members of national fitness chain.
Once the Internet fraudsters have secured your personal and financial information, which you've unwittingly supplied, they can drain your bank accounts and destroy your credit in seconds. According to data furnished by the Identify Theft Resource Center, more than 669 million users had their confidential records exposed from 2005 to 2014.
To avoid email scams like these, let’s look more closely at how these fraudulent schemes unfold. Then we’ll share some tips to prevent you from getting cyber-hooked.
Selling the veneer of credibility
You’ve always been smart enough to delete emails from unfamiliar or unrecognizable sources, but when the email hails from a reputable party or individual with whom you have an existing relationship (your bank, alumni association, your book of the month club), you’re more likely to give it a glance. You recognize the typeface, the logo, the professional, authoritative demeanor and the salutation that makes you feel like an insider. Nothing in the communication seems the least bit suspicious. After all, the email isn’t coming from Nigeria. You’re on to that scam. No, this one is from Chase or eBay or Amazon, with whom you regularly conduct business.
Yet, unbeknownst to you, you have become a highly targeted virtual phish in a barrel, ready to be shot and gutted with impunity. As instructed, you blithely click on the email’s embedded link whereupon you arrive at a very realistic (but phony) website, where you freely and trustingly divulge your passwords, PINs, account numbers, user IDs and other phish food that keeps these worldwide fraudsters in business.
When finally learning of the scam (via your bank or the evening news or when you go to tap your ATM for $20), you can’t help but ask how all this could have happened. How did someone get a hold of your contact information?
There are usually two primary avenues. A phisher could have pulled your personal data from any social media site (basically, you’re an online open book), or one of the businesses you implicitly trusted got hacked. But to be successful, the hacker, at least initially, doesn’t require your personal or financial information. The hacker needs only your contact information to get the hook or spear into you.
For example, earlier in the month, JPMorgan Chase & Co revealed a data breach affecting and possibly compromising 83 million households and small accounts. That’s some 65 percent of all U.S. households. Chase was quick to note than no personal or financial information was compromised, but to sophisticated phishers, contact information is like leaving the door to the vault open or at least ajar.
You’re not completely defenseless
First, don’t beat yourself up because you got phished and duped into passing your personal and financial information to some virtual criminal. On Tuesday, it was reported that the White House got hacked, so it can happen to anybody.
That said, there are a number of self-defense measures you can take to avoid email scams. Unlike the White House, which has the Secret Service, FBI and NSA coming to its defense, you’re in this pretty much by yourself.
As Chase has been telling its customers, be wary of any call or email asking for personal or financial information. Verify that a real representative or legitimate organization is contacting you.
If you receive a call asking you for information, disregard the call and report the suspicious activity right away. Normally, on the back of every debit or credit card, you’ll find a customer service number listed. Call it!
If you’re contacted via email, keep in mind that most companies, banks, agencies and other reputable organizations never request personal or financial information via email. If they don’t request personal or financial information, but instead ask you to click on a ink they’ve furnished for your convenience, delete the email without hesitation.
Again, if you have any doubts or suspicions about the email you’ve received, call the sender. Just don’t use the contact number furnished in the email. It’s probably bogus, too.
Meanwhile, keep your computer’s anti-virus software and firewalls updated and enabled at all times. Many of the latest browsers have a built-in phishing filter, as well, which should be enabled for additional protection. Many browsers also offer these filters as plug-ins (a software ad-on giving the browser more functionality).
Finally, if you believe you may have fallen victim to a spear-phishing attack, file a complaint with the FBI’s Internet Crime Complaint Center.
Keep your guard constantly up
If phishing were confined to just emails, these cyber scams might be containable with user vigilance. Indeed, only about 12 percent of all registered phishing attacks were launched via spam mailings. The majority of cyber attacks come from links to phishing pages accessed using a web browser, a messaging system (like Skype), or other routine interaction with the computer.
No computer user today is safe from cyber attack, not even the White House or the nation’s largest bank. Just as you wouldn’t walk down a dark, crime-infested alley in the middle of the night, there are some dark areas of the internet that are better left unclicked.
But if you must try, verify!