In 2009, I wrote What Is Phishing And How To Avoid Online Scams. While the information in that article is still very valid and worth a read, I thought I should follow up with an updated guide on how to spot and avoid scams online.
Social Engineering And Phishing
Phishing is the act of fishing for sensitive information from a target. This is usually done by baiting the hook with either something very tempting or a sense of urgent attention needed to something they value. Social Engineering is the art of getting someone to do what you want using only creative manipulation. Phishing is more closely associated with fraud and illegal activities. Social Engineering can be used in Phishing and hacking, but is also useful in many legal and morally neutral situations.
Examples of phishing largely include those fake bank and PayPal emails everyone eventually gets. Usually, the email will report that they are upgrading security or that your account is frozen (or in danger of being frozen). The quality of the email lends to how believable it is and can vary widely, but the goal is always the same. The sender wants you to feel the urgency to log into your account to prevent a threatened interruption in your access to your money. Similarly, you may have seen emails, seemingly from Facebook, telling you that you need to log in to keep your account open or for some other immediate reason. Don’t narrow your suspicion to just these examples, though. This type of bait email can apply to anything from your banking site to your Amazon wish list. Phishing isn’t just for a username and password, either. The rule of thumb is that any piece of information (or pieces in combination) that should be considered sensitive should be guarded carefully and you should think twice before giving anyone this information.
Social Engineering is a little broader in concept, but is just as important to be aware of. In fact, it may be more important to think about because your web browser can’t warn you about something suspicious when someone calls you on the phone and has a trick up their sleeve. Social Engineering relies heavily on perception and the target’s openness to trust that perception. For example, if a scammer calls you, sounding very professional and polite, and wants to confirm account information for your PayPal account, they are creating the perception that they are already in posission of your sensitive information and that you shouldn’t worry about giving them any of it.
Luring you in with something tempting is another trick people use all the time, and it’s one I fell for once, as careful as I usually am. It may be something as simple as information about who’s viewing your Facebook profile or it could be something as tempting as a free iPad. Either way, these scams attempt to trick you into giving your account credentials, signing up for a spammy Facebook group, or emailing a link to all your friends or worse. In my case it was worse, but I’ll share that below.
How To Spot A Scam
The sad fact is that nobody can truly spot every scam. Sadder still, is that most people don’t even think about it and could easily spot scams if they did. For scams we can’t spot, there are some rules to live by below, but for those we can spot, there’s some easy things to look for.
The number one thing I always ask myself is “Did I expect this email/message/phone call?” If receive any form of communication, that I didn’t expect, claiming to be from my bank or anywhere that might need sensitive information confirmed in order to discuss my account, I become immediately suspicious. About 95% of the time, I’m right and it’s a phishing attempt or a scam of some kind.
Who was the email sent to and who was it from? An alarming number of people don’t pay any attention to this, assuming that the email designed to look like it came from Bank of Arizona actually did. Sometimes, you can see the suspicious email easily and other times you may need to “View All Headers” in your email program to see the details. In GMail, you simply hold your mouse over your name or the sender’s name. When you can’t see who the email is to or from, it’s best to defer to the Rules to Live By below. This applies to phone calls as well. If my cell phone rings and I don’t recognize the number, it goes to voicemail. Any reputable company or person worth calling back will leave a message. No message = no call back from me.
With any unexpected contact, ask yourself what the end goal is. Usually, you can elevate your suspicion depending on the apparent goal of the communication. For example, if asked to log in somewhere or to reply with your phone number, name, address, and birth date, you should be pretty suspicious. On the other hand, if an email just says “Welcome to Bank of Arizona” and doesn’t prompt you for any action at all, it’d probably pretty safe.
Even If It Doesn’t Look Or Walk Like A Duck
Sometimes, we just assume that scams are obvious when we’ve fallen for them because our Facerbook accounts get hacked or our bank accounts get drained. Unfortunately, not all scams look like scams, even after you’ve fallen for them. My wife and I came upon a couple great reminders of this while searching for a new place to live recently.
While looking on Craigslist for a house to rent, Michelle found a house that was listed for about half the monthly rent she’d expect. Curious, she searched for the address on Google and found it listed by a realty company in several places with a more realistic rent requirement. The realtor confirmed that the Craigslist ad was not posted by them. The most likely scenario is that someone responds to the ad, eventually paying deposits and first month’s rent only to find that the key doesn’t work in the lock.
Later, Michelle found another home listed for a too-good-to-be-true price and emailed to inquire about the exact location and how we could drop by for a walk-through. The response she received indicated that the owner was worried about dealing with strangers on Craigslist and could only arrange a walk-through and give out the exact address after a potential renter got a credit check at a site that the email linked to. Although the credit check site is legit, the scam is that there’s no home to rent. If we get the credit check, the person who listed the ad gets a referral commission and would probably then email and say that the house had been rented or some other excuse. This type of scam happens all the time with domain sales… “I want to buy your domain name, but I need to you get it appraised at this site first.” I recognized it right away, having seen it when selling domains, but I imagine a lot of people fell for it and still don’t know they were scammed.
Rules To Live By
I’ve been online since Yahoo was just a couple hundred links organized by a couple guys in a dorm room, and in my time online, I’ve developed some rules that I live by to help keep me out of trouble. While these rules help me avoid phishing scams, they have also helped in keeping viruses away from my computer and I think they’re just good rules to live by, if just a little paranoid.
1. If I don’t expect it, I don’t trust it. I touched on this above, but I think it’s the number one defense I live by, so I’ll mention it again. If you get an email from someone and it has a file in it, call them and ask. If really is the “funniest think [they've] ever seen”, they’ll get to enjoy your laughter over the phone. If it’s an email from your bank, PayPal, Facebook, Ebay, etc. just go to a browser and manually type in the URL or use your existing bookmark. This way, you’re sure you’re on the real site and if it really is important, you’ll probably have a notification in your account, too. It’s when you just blindly trust everything that comes your way that you open yourself up to scams.
2. Look at the URL. Most of the phishing emails I see would have you click on a link to log in somewhere. While I don’t think you should ever click on an email link to log in to an account, some links are just way easier to click. For these, don’t just look at what’s on the surface. Mouse over the link and see what the real URL is. Watch out for domains like login.facebook.com.ru or www.bankofarizona.com.cn. As clever as these face domains are, they’re easy enough to spot if you take a second to look.
3. Use the tools available to you. Use anti-virus software and malware detection. You wouldn’t leave your car unlocked with your wallet in it, would you? You shouldn’t leave your computer wide open to this stuff. There’s even free anti-virus software out there and most modern browsers will warn you if you try to visit a site that they deem suspicious. Listen to your browser and your instincts.
4. If it looks too good to be true… You know the saying. “If it looks too good to be true, it probably is.” To be fair, the occasional internet goodies are out there. I have gotten free iPods and PlayStations before, but most of the time, those things are scams. Don’t be so greedy that you dive in head first without looking. Weigh what you have to do and information you have to give against the prize. Aside from contests, nothing is truly free. If the promise is for an iPad with no signing up friends, no purchase and no random drawings, it’s probably a scam.
You are not perfect. Chances are that one day, you’ll slip and give someone what they’re phishing for. I did. I feel a little dumb even admitting it, but I once gave out my debit card pin online in response to an email that I’d won an XBox and just had to cover the shipping myself. I have my rules, I can usually see scams, and I think I’m pretty smart. Still, I got suckered in, thinking I’d won and getting excited at the idea of a free game system. As bad as that is, it could have been worse. I could have just prayed nothing would happen, hoping to avoid having to cancel a card or I could have been too embarrassed to call my bank. Instead, as embarrassed as I was, I called my bank only minutes after sending the email and admitted that I’d been suckered and needed to cancel the card. I felt really dumb, but more importantly, I felt relieved that I had reversed the problem quickly by canceling my card.
If you get scammed, don’t let your pride get in the way of the damage control.
The internet is a giant community. When you see scams, report them. I always forward phishing emails to the real companies the email is disguised as. They have incredible incentive to go after the scammers and usually do. Don’t stop there, either. Most of you have a lot of friends online. Let them know about any phishing scams going around. I’d rather a friend be quietly aware of scams than hear that they fell for one I could have warned about.
On that note, use the comment form below to tell us about scams you’ve come across or any tips you have for staying safe online. And don’t forget to “Share” and “Like” this article on Facebook.