- slide 1 of 5
What Is Phishing?
Phishing basically boils down to stealing someone's information. The easy way to remember it is that they're "fishing" for your information. In general, phishing scams just put out a big tasty hook online and make their fortunes from the hopefully small number of people who bite.
Phishing encompasses a wide range of scams that all boil down to information stealing. It's usually easiest to cover a few examples; they're pretty obvious once you see them in action.
One very prominent phishing scam is the PayPal email scam. This scam involves someone sending a phishing email to a large number of email addresses. These are obtained through various sources. Some less reputable websites sell collected emails. Other programs automatically search the web for email addresses and scrape them together. Spam lists are often traded between spammers and scammers, so it can be hard to track a source. Knowing how to avoid spam in general is the first way to not be caught by a phisher.
The emails themselves are doctored to make them appear to be from official PayPal support. They'll then feature some type of call to action. A popular one is that there was a security problem with your account and you need to log in or provide new information to register again. You are then directed to a spoof site: a fake website that is made to look like the real one. The website then records your information and puts it into a scammer's hands. Depending on how much you had tied to the account, they can steal your money and lock you out of your own account. They would also now have a password that you use and your email address, which means that they may lock you out of your email account too (unless you used a different password, which you should).
Sometimes the scam will even occur through the mail or over the phone. Regardless, phishing scams for information can happen in just about any online format. The scam is always roughly the same, though: someone provides false credentials and tries to get your personal information.
- slide 2 of 5
Reasons for Phishing
The reason that scammers try to get ahold of your information is pretty simple. It's almost always about money. Sometimes it takes a bit more of a roundabout form.
Phishing for banking or credit card information is pretty simple to understand. If a dishonest person gets your sensitive personal information, then they have a lot of options for normal theft or different forms of identity theft. Naturally, this information is in hot demand. Online banking and online shopping open up tons of possibilities for making easy money with stolen information. You should be incredibly suspicious of anything that is asking for your banking information.
Note that PayPal and eBay, in particular, seem to be targeted often. This is probably because money stolen from a PayPal account can be withdrawn to a foreign country through a dummy account very quickly. If done properly, then it will be impossible to retrieve it. PayPal phishing scams are extensive enough to warrant their own article.
Of course, they don't just try to get your banking information. Sometimes scammers are more creative. If there's a chance to earn money doing something, someone will eventually figure it out. For example, phishing scams exist that try to steal online accounts. Steam, Xbox Live and World of Warcraft accounts have all been targeted through standard phishing scams. In these efforts, someone usually claims to represent the support team for the game. They then cite a problem with the account and get the person to hand over their login information. With a few clicks, the victim is locked out of his account and the phisher has his prize (which could usually be sold for a fair sum of money). More inventive scammers would target people who were selling their own accounts on online marketplaces. Since this technically violates the terms of service for the account, phishing emails would claim that the relevant service would permanently kill the account unless they gave them the necessary information in an "amnesty program." This turned out as you would expect.
The point you should take away from this is that phishing scams are constantly changing to take advantage of new markets. They will do whatever they can to separate people from their money.
- slide 3 of 5
Well, now that I've hopefully scared you into understanding the great danger that phishing scams pose, it's time to tell you what you can do to stay safe. Avoiding phishing scams isn't that hard. For the most part, you just need to stay calm and follow some basic tips.
Remember that you are not dealing with some type of Hollywood hacker. It's just some guy sending out a ton of email hoping that a few people will bite. They don't have any information on you. They may not even know your email as they will try different combinations of letters generated by a program, hoping that some are actually email addresses. The power is all in your hands. If you're careful with your information, then you have nothing to fear.
- slide 4 of 5
There are a lot of simple habits that you can develop that make it really hard to get phished.
1. Stay Calm - This may sound a little patronizing, but it's the best advice that I can give. In a number of the phishing scams that I know about, the victim usually panics and makes a mistake. Stories of phishing victims have this as a recurring element. This even happened to a relative of mine once. She freaked out upon hearing that her eBay account might be closed down, so she gave a bunch of her information to a scammer (she figured it out in time and cancelled her credit cards, but she's a lucky case).
The people who send phishing emails depend on you not examining their email or their claims. That's why they always have a strong call to action to try to make you act without thinking. Overcoming this will usually be enough to overcome their scams.
2. Never Share Your Information - I'll cover some specifics in a little bit, but this simple step is another great habit. You should always be very careful about giving out your information. Only give it out to websites and individuals that you completely trust. When you do this, also look in the bottom right corner of your browser for a locked padlock. If your trusted website isn't encrypted properly, then it's possible that someone can snag your information in transit. Also check the address bar to make sure that you're really on the right website. Several scammers use websites that look like official pages, but in reality are fake versions of the website on a different domain name.
3. Examine Your Emails - This is another simple one. Just check the suspected phishing email for the usual signs. Do they just call you a "member"? Most banks and organizations will have your name or a nickname, and it will be automatically inserted into their form letters. You can easily avoid phishing scams by just checking the greeting to see whether they actually know anything about you. Also check to see whether the logo and headers are lined up right. Most phishing emails are pretty poorly made. Finally, since many phishing scams are based out of countries where English is not spoken as a primary language, there are often spelling errors. Check for those.
4. Think - This is close to number one, but the point is the same. Why do they need this information? If you're already signed up, then why don't they have it? Your bank or credit card company doesn't usually need your number. They should already have it. Steam, Xbox Live and World of Warcraft do not need your login information. They could look it up quickly.
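As an added illustration of tips 2 and 3 (this is example code, not from the original article), here is a small Python checker that applies those habits to a constructed sample message: it flags a generic greeting, links whose host is not one of the assumed trusted domains (especially hosts that merely contain the brand name, the spoof-site trick), and an urgent call to action. The trusted-domain set and the sample email are assumptions made up for the example.

```python
import re
from urllib.parse import urlparse

# Constructed sample message in the style the article describes (not a real email).
SAMPLE_EMAIL = """Dear Member,
We detected a security problem with your account. Please login within 24 hours
to avoid suspension: http://paypal.com.account-verify.example/login
Thank you, PayPal Suport Team
"""

# Domains the reader actually trusts (assumed for the example).
TRUSTED_DOMAINS = {"paypal.com", "ebay.com"}
GENERIC_GREETINGS = ("dear member", "dear customer", "dear user", "dear valued")
URGENCY = re.compile(r"\b(within \d+ hours|immediately|suspend)", re.I)


def registered_domain(host):
    """Crude 'last two labels' rule; adequate for .com-style hosts used here."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def link_is_trusted(url, trusted=TRUSTED_DOMAINS):
    """True only if the link's registered domain is one we trust.
    'paypal.com.account-verify.example' registers as 'account-verify.example'."""
    host = urlparse(url).hostname or ""
    return registered_domain(host) in trusted


def phishing_signs(body, trusted=TRUSTED_DOMAINS):
    """Return the list of warning signs found in an email body (tips 2 and 3)."""
    signs = []
    first_line = body.strip().splitlines()[0].lower()
    if first_line.startswith(GENERIC_GREETINGS):
        signs.append("generic greeting")
    for url in re.findall(r"https?://[^\s<>\"']+", body):
        host = (urlparse(url).hostname or "").lower()
        if not link_is_trusted(url, trusted):
            # Brand name inside an untrusted host is the classic lookalike domain.
            if any(t.split(".")[0] in host for t in trusted):
                signs.append(f"lookalike link: {host}")
            else:
                signs.append(f"untrusted link: {host}")
    if URGENCY.search(body):
        signs.append("urgent call to action")
    return signs


if __name__ == "__main__":
    for sign in phishing_signs(SAMPLE_EMAIL):
        print("WARNING:", sign)
```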
- slide 5 of 5
Know the Company
This is a quick note, but an important one. As I mentioned (and linked to) earlier in the article, we have an article specifically on how to tell if an email is a Paypal phishing email or not. The important note is that most companies are well aware of the issue and have standards that they use to protect you.
Most companies will constantly remind you that they will NEVER ask for your information through an email. They will also clarify what greeting they will use to talk to you. Make a note of this (most just say that they'll use your first name when talking to you). A number of banks also let you pick a special image and phrase that they will show at your password screen. If it doesn't show up, then you know you're on a fake login page.
Companies and websites will also often have a security page to warn you of new scams that you are likely to encounter. It's worth taking a look to see whether they offer this.
Finally, some offer special support email addresses that you can use to report emails that you suspect are phishing emails. Paypal has an account at firstname.lastname@example.org. If you forward an email, they'll check it and usually confirm that it isn't from them. If you're worried that you might ignore an important email, then just use this feature. This also helps them to warn other clients about the latest version of the phishing threat circulating.
Browsers and antivirus software also have options to flag phishing scams. We have a full guide for how to use Internet Explorer's Anti Phishing Protection.
All of these little tricks should help you stay safe online and avoid phishing scams.