Phishing is an identity thief's way of "trolling for fish" who will bite on his barbed bait. The bait can be subtle. Often, a phish looks like something official from your bank, Facebook, eBay, or some other trusted source. But if you take the bait, you could unwittingly turn over your online banking password to Russian hackers. Or worse. Here's what to look for, and how to protect yourself from phishing attempts.
The bad guys have gotten very good at making these scams look real and convincing. Phishers even steal the graphic logos, fonts, and colors used by name brands in their email communications to make counterfeit phishing emails. But if you look carefully at an email you may see one or more of these telltale signs:
- "Dear Valued Customer..." instead of your name or unique user ID is a tip that the phisher doesn't know who you are. If it really was PayPal, for example, the greeting would be "Dear (first name, last name)".
- A Web link that doesn't point to where it should is an attempt to get you to click on a URL that will take you to a fake phishing Web site. Hover your pointer over the link and the underlying URL will appear in a mouse-over window. If the email says "click here to log into your bank account" but the URL contains some unfamiliar domain name, it's probably a phish. Don't be fooled by URLs spelled out in text in the email; the underlying URL may be totally different from what you see at first glance.
- Slightly misspelled domain names often go unnoticed. "EBAV.COM" looks a lot like "EBAY.COM", doesn't it? But the "ebav" domain is someone else's site, and you don't want to go there.
- Pressure to do something foolish is a favorite phishing tactic. "Reply with your password within 24 hours or your account will be closed!" No legitimate business will make such a demand. "Send money to cover processing" of your alleged lottery winnings is another clue.
- "Friendly phish" appear to be from someone you know personally. Perhaps your cousin's Facebook account has been hijacked and was used to send you a phish. If it doesn't sound like the cousin you know, pause before you reply or do what "cousin" says. It's a good idea to contact the person by phone, text or email to see if they're aware of the shenanigans.
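Two of the checks in the list above can be automated: a link whose underlying URL differs from the domain shown in its text, and a destination that is a near-miss spelling of a site you trust (the "ebav.com" case). The Python below is an added example, not part of the original article; the `TRUSTED` list, the 0.8 similarity threshold and the sample email body are assumptions made for illustration.

```python
import re
from difflib import SequenceMatcher
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED = {"ebay.com", "paypal.com"}  # assumption: sites the reader really uses
LOOKALIKE = 0.8  # assumption: similarity ratio at or above this counts as a near-miss
# Constructed sample email body (not from the article).
SAMPLE = ('<a href="http://www.ebav.com/signin">www.ebay.com</a> '
          '<a href="https://www.paypal.com/help">Help</a>')

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML email body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host(url):
    """Lower-cased hostname with any leading 'www.' removed ('' if none)."""
    h = urlparse(url if "://" in url else "//" + url).hostname or ""
    return h[4:] if h.startswith("www.") else h

def check_links(html):
    """Return (href, reason) for each link showing one of the two tricks."""
    parser, findings = LinkCollector(), []
    parser.feed(html)
    for href, text in parser.links:
        real = host(href)
        # Trick 1: the visible text spells out one domain, the href goes to another.
        shown = re.search(r"[\w-]+(?:\.[\w-]+)*\.[A-Za-z]{2,}", text)
        if shown and host(shown.group(0)) != real:
            findings.append((href, "link text names a different domain"))
        # Trick 2: the real destination is a near-miss spelling of a trusted site.
        for good in sorted(TRUSTED):
            if real == good or real.endswith("." + good):
                continue  # the genuine site or one of its subdomains
            if SequenceMatcher(None, real, good).ratio() >= LOOKALIKE:
                findings.append((href, "lookalike of " + good))
    return findings
```

Calling `check_links(SAMPLE)` reports the first link twice (mismatched text and lookalike of ebay.com) and leaves the genuine PayPal link alone.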
Phone phishing relies on the totally unjustified tendency to trust telephones more than the Internet. "Call this number to speak with a customer service rep" often leads only to an automated system that demands your name, checking account number, online account username and password, Social Security number "for verification", and other data you wouldn't dream of sending over the Internet. Well, now you're speaking this identity theft data into someone's digital recorder! Again, legitimate businesses don't ask customers for such data by phone or over the Internet.