Before we talk about the specific scams that you’ll see in your inbox, let’s look at the key factor across all phishing emails: getting you to forward personal information. Any email which suggests entering personal information via email, via a form after a link, even just by getting you to log into an account immediately, should be a red flag. Don’t let any email convince you to type a single word without giving some thought to the matter, and you’ll be safe against most phishing efforts, no matter the specific form or format of the scam.
What are Some of the Common Scams?
Many phishing emails purport to be from government agencies, such as the IRS or FBI, accusing you of either expensive mistakes or outright crimes. The push to make you panic is a key component in many forms of phishing email, as anxiety over a potential legal action, lost tax return, or other serious problem can make you overlook the details which give away a fraudulent source for the email.
Remember, it’s highly unlikely that the first you hear about a criminal or civil matter will be in the form of an unsolicited email, asking for information in such a highly informal manner.
Emails From a Friend
Emails pretending to be from a friend are another big phishing email threat. These come in a few different flavors. The laziest and most general simply pretend to be ‘a friend’ with a new email address and hope you’ll fill in the blanks on your own without thinking too hard. More sophisticated or targeted scams will have information on your friends, culled from social media and other places, and use that to pretend to be a specific person.
The most insidious friend-based phishing email truly does come from your friend’s account after it has been compromised via hacking, viruses, etc. If a friend starts acting weird and trying to send you to weird websites, contact them some other way immediately and make sure they’re the one sending the emails.
Account Expiration Dates
Phishing emails often take the form of a warning that an account is going to expire with a company, especially a financial company or some other entity that holds money or value. You’ll often see these pretending to come from payment processors, credit card companies, online auction sites, and various service providers. They’ll urge you to log in immediately to keep your account active, with a handy link to the site so you can do so immediately—but no matter how much the site looks the same, your information is going to thieves.
If you see an email like this and think it might be real, don’t click the link. Navigate to the website via your browser bar or a web search, and log in that way.
Billing or Shipping Issues
Closely related to the expiration claim is the billing issue claim. You over-drafted, your payment didn’t process, your payment processed but your shipment is delayed pending verification, etc., etc. These can be exceptionally dangerous if you do a lot of business online and don’t look closely at what is supposedly being billed for, click without thinking, and start typing in information. Fake Amazon and eBay pages linked to from a vague email have taken in many, many people.
Overdraft notices, mortgage foreclosure warnings, and all sorts of other warnings from banks and financial institutions remain popular methods of phishing. Low-effort emails won’t even bother to name a bank or give specifics, while a targeted effort may match your bank emails exactly and include highly personal information culled from other sources.
One of the simplest and most effective tactics used for phishing emails is the accusation. Any accusation that puts you on the defensive and leaves you eager to ‘prove’ the truth can work to pry information from you before you think too much about it. This type of email can be a claim that you were paid for something but didn’t ship it, accusations of being a scammer, accusations of a legal or civil nature, etc. If an email puts you immediately on the defensive and you feel like you need to quickly provide information about who you are to clear your name, stop!
There’s a very good chance you’re not proving anything, you’re just forwarding proof of your identity to someone who can turn around and use it for whatever they like.
One of the subtlest phishing techniques is to pretend to be an innocuous ‘security check up’ email from a company you do business with. This can be an email requesting information to confirm your identity for routine purposes, ‘due to suspicious activity’, etc. It may also pretend to be a confirmation of your identity to unlock your account—accusing YOU of being the scammer and leaving you eager to prove yourself and get your account ‘back’.
A more blatant variation tells you that you’ve been compromised, or even that your computer has a virus.
Like many scam artists, the people who send phishing emails love to bait the hook with opportunities of a sketchy nature: illegal or morally gray opportunities to make money, embarrassing products and services, anything you may be intrigued by but would be afraid to run by other people. This also serves to give the scammer cover once you realize you’ve been phished because they’ll expect you to hesitate to out yourself by forwarding information to law enforcement or other relevant parties.
Pornography, gambling, insider trading, petty fraud, all of these can be bait to draw you in, take advantage of you, and leave you without recourse because of the embarrassment or legal concerns.
Avoiding and Reacting to Phishing Scams
Of course, knowing phishing scams exist is important, but far more important is what you do to keep yourself protected from them. Even tech-savvy users who ought to know better fall for phishing scams from time to time—the more confident you are that you’ll never fall for a scam or get your information stolen, the more likely it is to happen. Stay alert and keep these points in mind.
We’ve talked about the common ways phishing scams occur, but nothing will better prepare you than hearing news in advance about phishing scams likely to target you soon. Read up on current phishing scams from time to time and pay attention to alerts from companies and organizations you have accounts with.
Think Before Clicking
Any time you would click a link in an email, stop and consider the risk involved. Email addresses can be spoofed, link destinations can be falsified or close enough to pass, and websites can be copied flawlessly. If you can achieve the same result by browsing to the link address without clicking an email link, that’s always going to be safer.
Don’t Engage Scams
Don’t engage a suspicious email in any way. It may be tempting to tell the sender off for trying to scam you, but all that does is confirm your email address and risk giving away further information about who you are. Engaging just flags you for more attention, no matter what that engagement may be. Once you’ve reported it and forwarded it to any appropriate law enforcement
Reporting phishing emails to your email service provider—usually as easy as clicking a ‘report phishing attempt’ button somewhere on the page—can help immensely in protecting you and others like you from the predations of phishing emails. You won’t have to worry about more emails from the same source, perhaps better designed to trick you. You may also consider reporting phishing emails to the appropriate law enforcement agency and any companies the email pretends to be associated with.
Don’t Enter Personal Information Via Email
You should never, under any circumstances, enter personal information via email without confirming the source of the email with the original sender. This includes forms inside the body of the email and forms you’re linked to via an email. Most companies and organizations know better than to request information this way; in the event that you must forward information via email, make sure you communicate with the sender, so you know exactly when it should arrive and what it should look like.
A Final Warning
Phishing isn’t complicated, but it’s so common that it’s easy to get caught by a single mistake. Any unexpected email should be a red flag, no matter how innocuous. If it gives you a reason to panic and act immediately, more so. The more pressure an email puts on you to click something or act immediately, the more suspicious it becomes.
Stop, take a breath, and make sure you’re dealing with the real thing; a few minutes of safety efforts can save you years of trouble in the future.