Phishing is one of the most common of all Internet scams. Phishing scammers continually target many major financial institutions, companies, government departments, and online service providers around the world. Phishing scams attempt to trick people into giving their personal and financial information to criminals. People caught by phishing scams can become victims of financial fraud and identity theft.
How Phishing Scams Work
Phishing scams attempt to trick people into providing sensitive personal information such as account login credentials, credit card numbers, banking details, driver’s licence and social security numbers, name, address, and contact details, and other identifying data. In order to carry out this trick, the phishing scammers usually send a fraudulent message disguised as some form of official notification or warning from the targeted company. The scam messages are often distributed via email. However, scammers also commonly distribute phishing messages via SMS, Skype, and social media sites such as Facebook.
Scammers usually create a fraudulent website that is designed to closely resemble the targeted company’s official site. The fake website may appear almost identical to the official site. Style, logos, images, navigation menus, and other structural components may look the same as they do on the genuine website.
In many cases, recipients of the scam messages are requested to click on an included link. Clicking this link will cause the fake website to open in the user’s browser. Once on this fake website, the user may be presented with a web form that requests a large amount of their personal and financial information. Often, the visitor is instructed to log in using his or her account username and password. All information entered into this fake website, including login details, can subsequently be collected and used at will by the criminals operating the scam.
Some phishing scams may distribute the fake forms as email attachments. Victims are instructed to open the attachment and complete the form. Usually, the bogus form will load in the victim’s Internet browser when opened. When the victim hits the “Submit” button on the fake form, all of the information supplied will be sent to the criminals.
Other variations attempt to trick recipients into installing malware, either by opening an email attachment or downloading the malware from a website. The scammers can then use the malware to collect information from the infected computer.
Identical scam messages are sent to many thousands of Internet users in the hope of netting even a small number of victims. The majority of people who receive these scam emails will probably not even be customers of the targeted institution. However, the scammers rely on the statistical probability that at least a few recipients will:
1. Have accounts with the targeted institution.
2. Will be unaware of such scams and believe the message to be legitimate.
Phishing scam campaigns can be a lucrative exercise for the scammers even if only a very small percentage of recipients ultimately become victims.
The following videos from the Hoax-Slayer YouTube Channel provide further insights into various types of phishing.
How Scammers Use Information Harvested From Phishing Scams
Scammers are able to use information stolen from victims in a variety of ways. They may:
- Take over the victim’s account.
After the scammers have harvested information such as usernames and passwords, they are able to directly access the victim’s account. They can then transfer funds to other accounts, conduct fraudulent transactions, and generally manipulate the account in the same way that the legitimate owner could. If the scammers have stolen login details for email or social media accounts, they may subsequently use these hijacked accounts to launch spam and scam campaigns in the name of the victim. They may also change the account passwords so that the victim is locked out of the compromised accounts.
- Use the victim’s credit card details.
If the scammers have stolen credit card details, they can then use these details to make purchases that will be charged to the victim’s account.
- Steal the victim’s identity.
If the scammers have gained enough personal information from their victim, they may be able to steal his or her identity. They can then commit a variety of fraudulent activities in the victim’s name. Identity theft can have very serious and long-term repercussions. Identity theft victims can spend months or years trying to clear their name, sort out legal issues, recover from debt, and repair damaged credit ratings.
Common Characteristics of Phishing Scam Emails
- Unsolicited requests for sensitive information
The entire purpose of a typical phishing scam is to get you to provide personal information. If you receive any unsolicited message that asks you to click a link and provide sensitive personal information, then you should view the message with the utmost suspicion. It is highly unlikely that a legitimate financial institution, government department, company, or online service provider would request sensitive information in such a way.
- Content appears genuine
Phishing scam emails are created to give the illusion that they have been sent by a legitimate institution. The message may include logos, styling, and contact and copyright information virtually identical to those used by the targeted institution. To further create the illusion of legitimacy, some of the secondary links in these bogus messages may lead to the institution’s genuine website. However, one or more of the links featured in the body of the email will point to the fraudulent website.
- Disguised links and sender address
Links in phishing scam messages are often disguised to make it appear that they lead to the genuine institution site. The sender address of scam emails may also be disguised in such a way that it appears to have originated from the targeted company.
- Generic Greetings
Because they are sent in bulk to many recipients, scam emails often use generic greetings such as “Dear account holder” or “Dear [targeted institution] customer”. If an institution needs to contact you about some aspect of your account, the contact message will most likely address you by name.
- Use various ruses to entice recipients to click
Phishing scam messages use a variety of ruses to explain why it is necessary for you to provide the requested information. Often, the messages imply that your urgent action is required. Some of the most common ruses are listed below. The scam messages may claim that:
- Your account details need to be updated due to a software or security upgrade.
- Your account may be terminated or limited if account details are not provided within a specified time frame.
- Suspect or fraudulent activity involving your account has been detected and you must therefore provide information urgently.
- Routine or random security procedures require that you verify your account by providing the requested information.
What to do if you Receive a Suspected Phishing Scam
- Do not click on any links in the scam message.
- Do not open any attachments that arrive with the message.
- Do not supply any personal information of any kind as a result of the message.
- Do not reply to the message or attempt to contact the senders in any way.
- Do not supply any information on the bogus website that may appear in your browser if you have clicked a link in the email.
- Report the phishing scam. (Reporting methods are discussed below).
- Delete the message as soon as possible.
If you need more information about a suspected phishing scam, visit the legitimate website of the targeted institution or contact the institution directly. The institution’s website may provide information about current phishing attacks.
What To Do If You Have Already Been Tricked into Submitting Information
If you have already submitted information to scammers as a result of a phishing scam, you need to contact the targeted institution for advice immediately. It is imperative that you act quickly to protect the account that has been compromised in the phishing attack.
You should also take steps to protect yourself from identity theft.
To learn more about identity theft, click the link below:
More information about Identity Theft
How to Avoid Becoming a Victim of a Phishing Scam
- If you receive any unsolicited message from a bank or other institution that asks you to click an included link and provide sensitive personal information, then you should view the message with the utmost suspicion. If you have any doubts at all about the veracity of the message, contact the institution directly to check.
- Never click on a link in a message in order to access the website of a bank or other institutions that may be the target of scammers. The safest method is to manually enter the URL of the institution’s website into your browser’s address bar.
- If you supply sensitive information on a website, always ensure that the site is secure. The address of the page should start with “https://” not just “http://” and the “lock” icon should be displayed in the browser’s status bar. If these indicators are not present, it means that the site is not secure and information you enter on the site is not protected. Fraudulent web forms related to phishing scams are often non-secure sites. Please note, however, that even an apparently secure site may be fraudulent. The fact that a site appears to be secure is not by itself a guarantee that the site is legitimate. However, legitimate sites that require users to supply personal information will always be secure.
- Use firewall, antivirus and anti-malware software to protect your devices. Some phishing scam emails may carry trojans or other malware that may compromise your system.
- Ensure that your browser, system software and other applications have the latest security updates available. This will reduce the risk of scammers accessing your system via unpatched software vulnerabilities.
Reporting Phishing Scams
Most entities targeted by phishing scammers will include information on their website about how to report fraud attempts. Look in the security or privacy section of the entity’s website or search for “phishing” on the site’s internal search engine if it has one. Often the site will provide an email address that you can use to forward phishing scam messages to the entity for analysis.
Help Combat Phishing Scammers
Generally speaking, people become victims of phishing scams simply because they do not know how such scams operate. You can help by ensuring that friends and colleagues are aware of such scams and what to do about them. You might like to point them to this web page or another resource that provides information about phishing. The power of such “word-of-mouth” education is substantial. You CAN make a difference by sharing your knowledge of phishing scams with other Internet users.
You can also help by reporting phishing scams (see above). Your submissions help to increase awareness of phishing scams and allow anti-phishing websites and targeted institutions to maintain up-to-date information about current phishing threats.
Examples of Phishing Scams
Click here to view a list of links to reports about phishing scams that have targeted many different companies and financial institutions.