What you can do about the alarming rise in phishing: Internet Scambusters #984
Phishing -- trying to steal victims' confidential information -- is by far the biggest source of identity theft scams. And it's getting worse day by day.
Research shows that despite all the warnings, consumers and employees continue to click on malicious email and text links that expose them to danger.
In this week's issue, we'll tell you the best ways to avoid phishing scams and how to monitor for other leaks of your private information.
Let's get started…
Use These Key Tips To Escape Phishing Attacks
Until a few years ago, most of us knew about "fishing," but not "phishing" -- tricking people into revealing their sign-ons and passwords for identity theft.
Today, Americans lose tens of millions of dollars each year through phishing scams. Now, cyber experts report an alarming rise in the crime that threatens us all. An estimated 80 percent of reported security incidents last year were phishing attacks.
The FBI reports that the number of attacks increased eleven-fold between 2016 and 2020. And, according to Google, the number of fake websites used to harvest personal information jumped from 1.7 million in 2020 to 2 million this year.
Furthermore, scammers are using increasingly sophisticated tactics to try to fool us. For example, they're using artificial intelligence to eliminate the poor spelling and grammar that usually signals a scam and to target victims by including personalized information that suggests a message is genuine.
And they're increasingly trying to get around two-stage security (known as multi-factor authentication or MFA) where a user first must give a password and then key in a second code to confirm who they are.
They're also using a technique called "layering," which starts with a link to a genuine website or document but eventually leads to the downloading of a file, for which victims are asked to enter their sign-on details on a fake site.
5 Important Tips
Here are 5 important things you should know if you don't want to fall victim to these crooks:
- If you use MFA, never provide the security code to someone else on the phone. That applies even if you receive a call or email claiming the sender is running a security check.
However, some organizations might ask you to key a number into your phone that they have flashed up on screen. Make sure you're 100 percent certain you're connected to the right account before doing this.
Note: MFA does add another layer of security and you should still use it to sign on to important accounts.
- Don't click on links that supposedly take you to a sign-on page. If you receive a message asking you to log on -- for example, you're told there's something wrong with your account -- go to the home page of the organization using the correct website address and check from there.
This year, there's been a notable rise in phishing emails pretending to be from cyber-currency traders. For instance, one of the biggest trade houses, Coinbase, says some of its customers received fake emails that looked like the genuine item and signed on to a fraudulent page. With these details, the scammers immediately logged onto user accounts and drained their currency holdings.
- Keep Internet security apps up to date on your PC and mobile device. Make time to investigate security options on browsers and email programs and use settings to flag up dangerous sites or messages.
- Don't be fooled by messages that include personal information about you. This has almost certainly been harvested by "scraping" -- the tactic of crawling through social media posts to pick up bits of usable material such as info about your job, your friends, and so on.
- Plus, you should still look out for those basic spelling and grammar errors in emails. Many scammers are still using them.
To report identity theft, contact the Federal Trade Commission at ftc.gov or call 1-877-438-4338.
Targeting Employees
But even if you take all the necessary security measures, you still can't be safe if someone else -- a store you do business with, for example -- is hacked in a phishing attack targeting employees.
Researchers at cyber protection company Proofpoint discovered that, globally, three quarters of all organizations suffered a phishing attack in 2020. Another study (Terranova) found that 20 percent of all employees who received phishing emails were likely to click on them. And two-thirds of these would enter their credentials on a fraudulent page.
The crooks then log onto the corporate network to steal information including, maybe, yours.
The key measures for individuals to protect against this danger or limit the damage caused are to use a different password for each and every site you use and to change those passwords frequently. Also look out for news of firms whose information has been accessed via phishing. If you do business with them, change your sign-on details immediately.
It's easiest to do this with a password manager. See our earlier issue on this topic: Your Choices When a Free Password Manager Starts Charging.
In addition, check your online mortgage, bank, and store accounts and credit score/report regularly. Many banks and other services (e.g., Credit Karma) already offer check-ups from the big three reporting agencies -- Experian, TransUnion, and Equifax -- but you can also get it for free from AnnualCreditReport.com.
Finally, of course, if you are a network-linked employee, don't take chances by opening attachments or clicking on incoming email links. Chances are high that, sooner or later, you absolutely will be a phishing target, so be vigilant!
Alert of the Week
Who wouldn't want a free set of high-end EarPods? Well, you won't get them through a supposed Amazon raffle that's doing the rounds.
Targets receive a text message seeming to come from the online retailing giant saying they won the EarPods, another gadget or even a "mystery prize."
Sadly, this is just another phishing attempt. Victims who click on the link in the message are taken to a fake Amazon page to provide their sign-on information.
As we always warn, you can't win a raffle you didn't enter. Even messages that say "you've been selected" for some sort of promotion should be treated with great caution.
Time to close today, but we'll be back next week with another issue. See you then!