'Phishing' scams: 5 things to know by Elise Viebeck
Cyberattacks are on the rise, and no method is proving more resilient and effective in the United States than "phishing" scams.
Phishing, sometimes called spoofing, is a way to trick someone into giving up valuable personal information by sending a fraudulent email.
In the email, fraudsters typically pose as a trusted brand or company and ask users to send back personal information for a reason that appears credible — and many comply, unwittingly participating in the theft of their own identity.
Some phishers achieve success by asking directly for information in an email. Others send victims to fraudulent websites that include forms to complete. Many scams automatically install malicious software, or malware, on a user's computer that can suck up data without a user’s knowledge.
Here are five things you need to know about the growing problem.
1) Fraudsters sometimes pose as the government.
Most people are on the watch for scams involving their bank or payment platform. But increasingly, would-be hackers appear to be posing as government agencies in a bid to gain a user's trust.
One common ploy is for fraudsters to pose as officials from the Internal Revenue Service. Particularly during tax season, an official-looking message from the IRS demanding payment can be believable — and intimidating.
Other cyber criminals have posed as the Federal Bureau of Investigation or other law-enforcement agencies.
There is virtually no form of communication that hackers have not used to try to nab personal details.
Software updates, error fixes, coupon offers, job ads and e-cards have all been manipulated by fraudsters to look legitimate.
Consumer advocates urge people to be suspicious of any unexpected contacts requesting personal information and not to fall for "scare tactics."
"These crooks will often try to push you into acting immediately, before you have time to think or check out their stories. … That's a tell-tale sign of fraud," the Consumer Federation of America states in an anti-phishing fact sheet.
2) It can happen on your phone.
Few people realize it, but phishing attacks can happen through text messages.
Younger people are more likely to fall victim of SMS phishing — or SMiShing — than traditional landline phone scams.
A considerable portion of text-message spam includes phishing attempts, according to security researchers, and attempts are becoming more common as the population of mobile users grows.
"Most of us are becoming more aware of phishing attempts and learning how to spot a phish email. However, we are still too trusting of text messages that come directly to our phones, perhaps because the device itself is so personal," wrote Linda Musthaler in an article on SMiShing for Network World.
The bottom line for mobile users: be wary of unexpected texts and avoid any links they might contain.
3) Your boss might be doing it.
Your boss might be sending you phishing emails to test your instincts.
As hackers become more sophisticated, they tend to target workplaces in a bid for access to company data. Employers are particularly sensitive to this possibility, and some have started to promote awareness with fake phishing emails.
There are a variety of companies offering this service to employers as a way to keep workers sharp. Newer workers in particular are seen as vulnerable to phishing attacks.
The software products allow bosses to see which individuals on their staff fall victim most often to phishing attacks. In response, employers can provide further training or beef up defenses around that worker's data.
4) Phishers might not be targeting you.
Scammers might not be targeting you for identity theft when they send you a phishing email.
You might work for a company or within an industry that hackers want information about. You might have access to databases full of others' data. Or you might be connected to someone that falls into one of these categories.
Sometimes, even a major data breach might not have been aimed at the company affected. Hackers will try to use any foothold they can find to reach their ultimate target, which might be another company, individual or government.
5) You're vulnerable after a data breach, even if your data wasn't stolen.
Victims of the recent data breach at the insurer Anthem Inc. will be at risk for identity theft for the rest of their lives, according to experts.
But a successful breach also puts people at risk whose personal information was not stolen.
When the hacking world is alerted to a successful hit, many phishers will send scam emails resembling official correspondence to customers who might have been affected.
In the case of Anthem policyholders, phishers immediately drafted messages posing as the insurance company and offering free credit monitoring — a service that Anthem had promised to provide.
The Federal Trade Commission called the tactic "phishing, part 2."
"If you get an email that says it’s from Anthem offering you services in response to the data breach, don’t reply, click on any links, or open any attachments," the commission wrote in a recent alert.