I recently assisted the wife of a good friend in unwinding one aspect of a set of problems they had due to a phishing attack. She was pretty distraught over what had happened, and rightfully so—it's nasty stuff. Thankfully, they were able to remedy the situation. And I was grateful to be of help.
The National Information Technology Laboratory (NITL) Computer Security Resource Center (CSRC) provides a helpful comprehensive definition of phishing:
- A technique for attempting to acquire sensitive data, such as bank account numbers, through a fraudulent solicitation in email or on a website, in which the perpetrator masquerades as a legitimate business or reputable person.
- Tricking individuals into disclosing sensitive personal information through deceptive computer-based means.
- A digital form of social engineering that uses authentic-looking—but bogus—emails to request information from users or direct them to a fake Web site that requests information.
- Using social engineering techniques to trick users into accessing a fake Web site and divulging personal information.
- Tricking individuals into disclosing sensitive personal information by claiming to be a trustworthy entity in electronic communication (e.g., internet websites).
Phishing cyberattacks are very common, and they claim many victims. According to the Anti-Phishing Working Group (APWG) Phishing Activity Trends Report for Q3 2022, phishing attacks hit an all-time high in 2022. With more than 1,270,000 attacks recorded in Q3 alone, this was the worst quarter on record. For context, these incidents have become more than three times as common as they were just two years ago.
As an example, according to AtlasVPN, there was a reported surge in retail websites impersonating Amazon on one of the year's busiest shopping days. In the 90 days up to July 12, 2022, 1,633 fake sites were detected, with 897 spoof Amazon sites active on Prime Day.
Making matters worse, attacks are becoming more sophisticated in terms of both the methods and the technologies they employ. That's why it's so important to do all you can to avoid becoming a victim.
In my experience, the most common attack on seniors is a malicious email or a text message that imitates (or "spoofs") a person or organization they trust, like a boss or coworker, a bank, or a government office. When the victim opens the email or text, they find a scary message meant to overcome their better judgment by filling them with fear. Or, they prey on another strong emotion: compassion (how insidious is that!). The message demands that the victim go to a website and take immediate action or risk some consequence, either to themselves or someone they care about—pure evil!
(By the way, the term "phish" comes from fishing. A hacker dangles some bait in front of you as a disguised hyperlink in an email or text message and hopes you will click—then they have you: hook, line, and sinker. If you're curious about the weird story behind how something that sounds like "fishing" is spelled "phishing," check out this short article on Computerworld. The name "Captain Crunch" comes up, but it's not who you think.)
Phishing attacks are easy and common as they can be implemented with text messages, email, or even phone calls. It's called a "social engineering" attack because rather than relying on technology to steal your vital information, it relies on you giving away that information in a moment of fear, confusion, compassion, or just complacency.
Why does phishing work so well?
Emails, text, voicemail, and even voice calls are not authenticated. This means that, just like a postcard sent through the mail, there's no real way to validate their origins. That gives scammers plenty of freedom to impersonate others or trusted companies in their communications.
Some people provide their sensitive information over the phone despite knowing that no bank, brokerage, or government office like the Social Security Administration will call, text, or email you and ask for your login credentials. The IRS does not announce an audit in an email.
Others click on a hyperlink in an email or text message because they believe they know the sender or the link looks familiar or harmless. It isn't difficult for a hacker or scammer to change an email sender's address using an attack known as "spoofing." You can't trust an email's source simply by looking at the sender's email address or a phone call's source by checking Caller ID.
Many people who should know better get hacked by phishing attacks. It's a highly effective strategy. Otherwise intelligent and wise people become victims, not because they aren't good people, but because they are.
Remember, you can never be absolutely sure that the sender of an email, text message, voicemail, or phone call is who they say they are. That's why it's vital to approach every communication with a healthy dose of skepticism.
I wrote three articles previously about "protecting your digital assets." I delve into these subjects because a big part of wise retirement stewardship is about dealing with risk, and cyber security is a huge component of financial risk.
I'm writing this to help you protect yourself and your financial resources from phishing attacks.
Because phishing attacks are social engineering attacks that depend on tricking you, your diligence is the best protective measure. Think twice — no, make that three times — before you click on any link in an email or text message. If you have any doubt, clicking on it to see if you're right or "just to see what happens" is not a good preventative strategy.
Here are a few suggestions that may help:
1. Check the context
Let's say you get lots of emails from a friend named Mike. Maybe you get many texts and Facebook messages too. Most of the time, when you see something from your friend Mike, you click on it without giving it any serious thought.
But suppose you receive an email from Mike with nothing but a hyperlink (URL) to a website you don't recognize, one that looks a little strange. Think about that for a minute. Why would Mike send a link without explanation, especially if he usually comments, and certainly would when sending an unfamiliar link with no context?
Many phishing emails come with blank subject lines—67%, according to AtlasVPN. The subject line is almost never blank when sent by reputable sources. Scammers often use common business phrases in subject lines that seem out of context, such as "Business Proposal Request."
If you check the email's 'CC' list, it will often include a list of all recipients. If it's very long, full of names and addresses you don't know, and some of the addresses look very strange, then that's a big red flag flashing "do not click on the link."
You might also check the sender's email address. (Both the sender and the 'CC' list are usually in the email 'header.') Depending on your email service software and provider, you may have to 'right-click' or something similar.
If you think the link may be legit, contact the sender directly (not by replying to the email) and ask if the email or message was really from them. If the link is phishing, then by replying, you are simply asking the fraudster/hacker if he is legit. And guess what—he'll probably say yes, of course, and offer more false or misleading statements to convince you. That's especially true if the original message was an email, so it's better to call or text the sender instead.
When you receive a suspicious email or text message about any of your financial accounts (especially credit cards), go to the account website and check for messages there. Finding none, you should assume the email or text message was a phishing attempt. Don't click the link to your account's website; open a new browser window and type the address yourself instead.
2. Check the hyperlink
It's pretty easy to make a link look like a legitimate website even though it points to a hacker's malicious webpage. It's also easy to make the hacker's site look legit, like Bank of America's website, for example, using official-sounding wording that encourages you to "login" to the fake website, thereby unknowingly handing over your login credentials to the hacker. As you may know, what comes next isn't good!
Some (but not all) email systems and websites let you view the link by hovering your mouse pointer over the hyperlink. The underlying link will appear. Read the actual link details closely to detect small changes that indicate you might be led somewhere you didn't expect.
For example, you may find that a link that appears to point to retirementstewardship.com actually points to retirmentstewardship.com, a domain and website that could be owned by someone else. Note the subtle misspelling (no second 'e' in retirement). Hover your mouse over these links, and depending on your browser, the actual destination will appear on your screen.
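As an added example (not from the original post), here is a small Python checker that applies this "check the hyperlink" advice to the links in an HTML email: it compares the domain shown in the link text with where the link really goes, flags link shorteners, and flags domains one or two letters off a trusted one, like the misspelled domain above. The trusted-domain list, shortener list and sample email are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Constructed for illustration: domains the reader trusts, and a few link shorteners.
TRUSTED = {"retirementstewardship.com", "bankofamerica.com"}
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.S | re.I)
LOOKS_LIKE_URL = re.compile(r"(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?", re.I)

def host_of(url):
    """Lowercased host of a URL or bare domain, with a leading 'www.' dropped."""
    if "://" not in url:
        url = "http://" + url
    host = (urlparse(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host

def edit_distance(a, b):
    """Levenshtein distance, used to catch domains a letter or two off a trusted one."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_links(html):
    """Return (href, reason) warnings for each suspicious anchor in an HTML email."""
    warnings = []
    for href, inner in ANCHOR.findall(html):
        text = re.sub(r"<[^>]+>", "", inner).strip()   # what the reader sees
        target = host_of(href)                          # where the click really goes
        # If the visible text itself looks like a web address, it must match the target.
        shown = host_of(text) if LOOKS_LIKE_URL.fullmatch(text) else None
        if shown and shown != target:
            warnings.append((href, f"text shows {shown} but link goes to {target}"))
        if target in SHORTENERS:
            warnings.append((href, "shortened link hides the real destination"))
        for good in TRUSTED:
            if target != good and edit_distance(target, good) <= 2:
                warnings.append((href, f"looks like {good} but is not"))
    return warnings

# Constructed sample: the misspelled domain from the post, plus a shortener hiding behind a bank URL.
SAMPLE_EMAIL = ('<p>Please <a href="http://retirmentstewardship.com/login">login</a> now. '
                '<a href="https://bit.ly/3abc">https://www.bankofamerica.com</a></p>')

if __name__ == "__main__":
    for href, reason in check_links(SAMPLE_EMAIL):
        print(f"WARNING {href}: {reason}")
```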
3. Check the details
Most phishing emails and messages come with content, and they can be very comprehensive with lots of explanations and appeals. If you examine the content detail closely, there are other telltale signs that it's a phishing scam:
- Offers that seem too good to be true
- High-pressure sales pitches that stress urgency
- Alerts that there's a problem with your account (e.g., suspicious activity or outdated payment information); it may be an account that you don't even have, LOL
- Shortened or misspelled links (see above)
- Emails that don't address you by name
- Messages with poor grammar and spelling (I find this to be one of the most common—many scammers are not very bright, apparently)
- Direct requests or demands for payment (often by gift card)
- Requests to confirm personal and sometimes confidential information
- Requests to perform remote troubleshooting or maintenance on your computer (for a problem you didn't know you had, LOL)
Some email spam filters catch bogus scammer emails and block them. Most full-featured anti-virus and anti-malware software also incorporates anti-phishing features that detect and block phishing attempts before they get to you.
They may work differently from one application to the next and in different contexts (native email client versus webmail, etc.). Check your software's documentation on its website to know for sure. Still, it won't replace your own diligence in examining everything else, especially hyperlinks sent to you, before clicking on them.
Rule of thumb
I think the best rule of thumb is this: "If I'm not 100% sure this is legitimate, I'm just not going to click it." Furthermore, "no legitimate business would ask me to provide sensitive information through an email or a phone call."
One last question you might ask yourself is, "What would happen if I didn't click this link?" Answer: the world won't end. If it is important, the sender will try other ways to reach you, even if it's just a friend making sure you saw the link they sent to view their recent travel pictures. If it's a legitimate request from a reputable company, they'll contact you again unless it's just mass marketing (spam).
Phishing attacks aren't the only cyber threat you need to be aware of, but they are one of the most common and very effective. The best way to protect yourself is to treat any link sent to you as a potential threat. Never click on them without stopping to think about possible bad outcomes. Err on the side of avoiding the phisher.
If you're not sure, don't click.