Phony emails and texts try to lure you into clicking through to a malicious website that’s designed to trick you into entering passwords and financial information: That’s phishing—and it’s getting worse, exacerbated by the pandemic and by the fact that it’s such a simple type of attack to pull off.
Phishers are also getting better at their trade, which means that consumers need to raise their level of vigilance. Here are six tips to help you avoid becoming a victim of a phishing attack.
1. Assume everything is a scam.
Sadly, we’re at the point where the smart move is to assume any message you receive involving money or account credentials, or that requests you to take any sort of action, is completely bogus—especially if time sensitivity is involved. “If the email or text is calling for the recipient to take urgent action or else experience a negative consequence, it is likely a phishing scam,” says Tom Kirkham, CEO of Iron Tech Security. “Legitimate companies will never send emails or texts threatening customers with an adverse action if something isn’t done quickly.”
It’s a cruel irony that scammers commonly prey on consumers’ fears that they are vulnerable to an attack or are already being taken advantage of (for instance: “Your account has been charged $300”), and assert that the only way to stop the damage is to take instant action. This tricks users into lowering their guard at the worst time.
2. Check the obvious warning signs.
It’s common knowledge that phishing attacks are filled with telltale indicators, but scammers have been getting better at grammar and spelling in recent years, and these glaring mistakes are becoming less frequent. While even the slightest typo should clue you in that a message is phony, look for additional signals: the use of “Dear customer” or a similar greeting, rather than your name; the suggestion that you use Whatsapp, WeChat, or another alternative messaging system to contact them; and anyone asking for payment or a donation in bitcoin.
3. Pay close attention to email addresses.
Hackers can spoof a sender’s email address to appear legitimate, but it’s often easier to create one that’s close enough. It’s an easy way to check for legitimacy: A message from amazon1.com is not from Amazon. App1e (with a numeral one instead of the letter l) is not the same as Apple. Similarly, check the recipient (or “to”) field to ensure that your direct email address is listed there. Legitimate senders will not blind-copy, or BCC, you on a message.
4. Hover over hyperlinks (but don’t click them).
The goal of most phishing emails and texts is to get you to click on a link. Doing so takes you to a website where the major damage is done. The link in an email can be easily disguised, but if you simply hover your cursor over the link (without clicking it) you can usually see where it really goes. A legitimate link will clearly belong to the company that sent the message; the destination for scam links will be much more obvious when you hover over them. Anything that is created using a URL shortener such as TinyURL or Bitly should immediately be suspect.
5. Turn the tables and do your own research.
An increasing number of online resources let you do recon on the sender of a message or text. Simply search an unknown phone number, and you’ll often discover whether consumer complaints have been reported against it, or, at the very least, whether it’s really the company it claims to be. Searching for email addresses rarely reveals anything, but if you’re unsure about whether an embedded URL is legitimate, try copying it (without clicking it) and pasting it into the Site Status form on Google’s Safe Browsing page. If the site is dangerous, you’ll find out without exposure to the linked website.
6. Be wary of calls and texts from nearby regions.
Phone calls and text messages are commonly spoofed by changing the area code and even the prefix so they appear to be from someone local. Be aware that this is just another tactic to get you to lower your guard. “Text messages and phone calls can be made to look like they are coming from whatever number the scammer wants you to believe,” says Steve Weisman, writer of the blog Scamicide.