You just received an email ostensibly from your bank, alerting you to suspicious account activity and prompting you to click on a link to log in. Is it authentic?
As phishing attempts grow in breadth and sophistication, consumers are finding it harder to tell, says Shirley Inscoe, senior analyst at research firm Aite Group.
“In the early days of phishing, you’d get an email from a prince from a foreign land that wanted to wire you millions of dollars,” she says. Beyond the implausible premise, “those were easy to recognize because of misspellings and poor grammar. But it’s a different world now.”
Phishing is serious business. Via legitimate-looking emails, texts, and phone calls from familiar organizations—banks, credit card issuers, social networks, utilities and government agencies, and retailers, for example—successful phishing scams have infiltrated corporate networks such as those of Snapchat and Magnolia Health, as well as consumer bank accounts.
The messages are often designed to elicit fear, says Tom Landesman, security researcher at security company Cloudmark. They could say your electric service will be terminated, for example, or that you are in trouble with the IRS.
With the credentials you enter in response, phishers generally hope to access your financial accounts, Inscoe says.
“They load your credentials into computer bots and can hit every financial institution to see if they work anywhere,” she says. They want to “steal money for their own benefit, or to fund nefarious activities—even terrorism.”
Although phishing attempts are often difficult to spot, there are telltale signs. Here’s what to watch out for—and what you should do if you fall victim to one.
Look for oddities
Although many phishing emails might look convincing, closely compare them with ones you know are real, advises John French, security analyst at email security company AppRiver.
“If you receive something from Apple or Google, for example, look for images that don’t line up, colors that don’t look right, words that are misspelled, and pictures that aren’t loading,” he says. “Marketing teams are going to do their homework to make sure everything is done correctly before they send an email. If you find any of these things, usually, it’s a sign something’s not right.”
Beware of fake log-in pages too, French adds. Sometimes it’s easier for criminals to set up fake websites than it is to blast emails out to consumers.
Inspect the links
Phishing emails often include links that, at first glance, look legitimate. Before clicking, hover over the link with your cursor to reveal the actual URL, French says.
The links often “look like they go to a domain that you’re familiar with, but it won’t be quite right,” he says. Look for added characters, swapped letters, or misspellings in the domain name. The page it directs you to could infect your computer with ransomware, or resemble an authentic log-in page, he says.
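As an added illustration (not from the article or from anyone quoted in it), the following Python script applies the link checks described above to the HTML of an email: the visible text of a link and its real destination (the href) are separate things, so it pulls them apart, then flags destinations whose domain only resembles one you trust. The email body, the domain names in it and the list of trusted domains are all constructed for the example, and the registrable-domain logic is a deliberate simplification that does not consult the Public Suffix List.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: the HTML body of a hypothetical phishing email, not a real message.
SAMPLE_HTML = """
<p>Dear customer, unusual activity was detected on your account.</p>
<a href="http://examplebank.com.account-verify.example/login">https://www.examplebank.com/login</a>
<a href="https://examp1ebank.com/secure">Log in to your account</a>
<a href="https://www.examplebank.com/help">Help center</a>
"""

# Domains the recipient actually does business with (an assumption for this example).
TRUSTED_DOMAINS = {"examplebank.com"}


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML mail body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    # Naive "last two labels". Real code should use the Public Suffix List
    # (co.uk and friends); this is enough for the .com/.example hosts in the sample.
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def normalize(domain):
    # Undo the character swaps typosquatters use so examp1ebank.com compares as examplebank.com.
    swaps = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}
    for bad, good in swaps.items():
        domain = domain.replace(bad, good)
    return domain


def edit_distance(a, b):
    # Standard Levenshtein distance; small distances to a trusted name suggest a typosquat.
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(href, text, trusted):
    """Return a list of reasons a link looks suspicious (an empty list means it looks fine)."""
    reasons = []
    host = (urlparse(href).hostname or "").lower()
    target = registrable_domain(host)

    # 1. The visible text shows one URL while the href goes somewhere else
    #    (this is exactly what hovering over a link reveals).
    if re.match(r"https?://", text.lower()):
        shown = registrable_domain(urlparse(text).hostname or "")
        if shown != target:
            reasons.append(f"text shows {shown} but link goes to {target}")

    if target in trusted:
        return reasons

    for good in trusted:
        # 2. Trusted name buried as a subdomain: examplebank.com.account-verify.example
        if host.startswith(good + ".") or ("." + good + ".") in host:
            reasons.append(f"{good} used as a subdomain of {target}")
        # 3. Typosquat or confusable characters: examp1ebank.com, exarnplebank.com.
        #    The distance threshold of 2 will over-flag very short domain names.
        elif normalize(target) == good or edit_distance(target, good) <= 2:
            reasons.append(f"{target} is a look-alike of {good}")
    if not reasons:
        reasons.append(f"{target} is not a domain you deal with")
    return reasons


def scan(html, trusted=TRUSTED_DOMAINS):
    """Parse an HTML mail body and classify every link in it."""
    parser = LinkExtractor()
    parser.feed(html)
    return [(href, classify(href, text, trusted)) for href, text in parser.links]


if __name__ == "__main__":
    for href, reasons in scan(SAMPLE_HTML):
        print(href, "->", "; ".join(reasons) or "looks fine")
```

Running it flags the first link twice (the text and the destination disagree, and the bank's name is only a subdomain of an unrelated domain), flags the second as a look-alike, and passes the third. The same three checks are what a person does by hand when hovering over a link and reading the domain carefully; the script only makes the comparison explicit.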
Contact the company
Still not sure if a message or site is real? “If you have any doubt whatsoever,” French says, don’t touch it or “spend too much time and effort trying to figure out if it’s real.” In a fresh browser tab, manually enter the address of the company’s home page to log in to your account and pull up its official contact information.
Update your security software
Since malware is a major side effect of phishing scams, it’s important to keep your antivirus software up-to-date, Inscoe and French say.
“The bad guys are always coming out with so many new forms of malware, which makes it tricky for antivirus companies to keep up with,” Inscoe says, “but the added protection is still worth it.”
French says mail filtering is equally important: “You want to prevent these emails from ever getting to your inbox in the first place.”
Know how to respond to phishing scams
If you have fallen victim to phishing, “change your password as quickly as possible,” French says. This includes the password for the account that was compromised, and any other accounts for which you use that same combination of email address and password.
Pay attention to your credit card and bank account activity, Inscoe says. If you notice anything unusual, alert the financial institution immediately.
And if you’re worried that you’ve been infected with malware, consider hiring someone to disinfect it, Inscoe adds. “There are forms of malware that know how to hide on your machine. They can take action and erase any trace of what they’ve done, so you need to know what you’re doing in order to find them.”
Lastly, reflect on why it happened, French says. “The best thing is to slow down, figure out what made you fall for it,” he says, “and decide what you can do better next time.”