Cybercriminals are continually working on new strategies to profit from stealing your credentials and even your identity, and they are continuing to refine forms of cyberattacks that have proved profitable in the past. That’s why the volume of phishing threats continues to grow.
According to PhishLabs, the volume of phishing messages increased by 40.9% in 2018 alone. Of those phishing messages, 83.9% sought credentials for financial accounts, email, cloud payments, and e-commerce. Rather than using malware, 98% of those attacks relied on social engineering techniques to trick recipients into surrendering personal data.
Phishing is a cyberattack sent in the form of an email designed to fool the recipient. The message is designed to convince you to surrender sensitive information such as a password, credit card number, or Social Security number. The sender usually assumes the identity of a trusted source, such as a business or, more often, a financial institution such as a bank or credit union. Big banks are a growing target. In fact, Lookout, a mobile security system company, recently detected a phishing attack that used SMS messages, and apparently more than 4,000 mobile phone users fell for the scam.
What makes phishing attacks so insidious is that messages look like legitimate requests for information from sources you trust. Anyone can fall victim to a phishing attack unless they know what to look for.
How to Detect Phishing
The most common types of phishing messages are sent via email. These messages are designed to look like legitimate messages with the same format, company logo, and other details you would expect to see. They also typically request some form of action, such as checking your account, verifying information for an invoice, or addressing a problem with your account, something that would require you to surrender sensitive information. Most phishing messages include a link that will lead you to a phony website where you are supposed to enter information such as your password or account number.
There are a number of ways to detect phishing emails:
- If the message looks legitimate but could be a phishing attack, look for telltale signs. For example, if there are typos or grammatical errors, then it is likely a phishing message. Check the sender’s email address to see if it is from a legitimate source.
- Never click on a link in a suspicious email. Phishing messages rely on the recipient clicking through to a phony website where they surrender sensitive data. Even the act of clicking on the link could install malware.
- Never click on a suspicious attachment such as a phony invoice. Any file attachment could be a way to infect your computer with a virus or keystroke-tracking software.
- Beware of typosquatting. This is a form of cybersquatting that takes advantage of mistyped domain names, such as Goggle.com or Gooogle.com. When you type in the incorrectly spelled domain you are directed to a website that looks legitimate but is actually owned by cybercrooks seeking personal data.
- If you are not sure whether an email is legitimate, the best strategy is to ignore the suspicious message and go directly to your web browser to log in to your account to address a question or problem.
- If you do receive a phishing message, you should report it to your bank, credit union, credit card company, or whatever organization is being impersonated. Most organizations offer an easy way to report phony messages.
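The sender-address and typosquatting checks in the list above can be automated. The following Python code is an added example, not part of the original article: it compares the sender's domain and every linked host against a list of domains you actually use and flags near-misses such as Goggle.com or Gooogle.com. The trusted list, the sample message and all function names are constructed for illustration, and treating the last two labels of a hostname as its registered domain is a simplifying assumption.

```python
import re
from email.utils import parseaddr
from urllib.parse import urlsplit

# Constructed allowlist: the domains this user really does business with.
TRUSTED = ("google.com", "examplebank.example")

def osa_distance(a, b):
    """Edit distance counting insert, delete, substitute and adjacent swap."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if prev2 is not None and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)  # swapped neighbours
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]

def registered_domain(host):
    # Assumption: last two labels; production code should use the Public Suffix List.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def classify(host, max_dist=2):
    domain = registered_domain(host)
    if domain in TRUSTED:
        return "trusted", domain
    for good in TRUSTED:
        if osa_distance(domain, good) <= max_dist:
            return "lookalike", good
    return "unknown", None

def review_message(from_header, body):
    """Return (where, host, verdict, matched_domain) for sender and each link."""
    sender = parseaddr(from_header)[1].rpartition("@")[2].lower()
    findings = [("sender", sender) + classify(sender)]
    for url in re.findall(r"https?://[^\s\"'<>]+", body):
        host = urlsplit(url).hostname or ""
        findings.append(("link", host) + classify(host))
    return findings

# Constructed sample message using the misspellings named in the article.
SAMPLE_FROM = "Google Support <security@Gooogle.com>"
SAMPLE_BODY = "Verify at http://login.goggle.com/verify or https://accounts.google.com/"

if __name__ == "__main__":
    for finding in review_message(SAMPLE_FROM, SAMPLE_BODY):
        print(finding)
```

A "lookalike" verdict means the domain is within two edits of a trusted one without matching it exactly, which is the pattern typosquatting relies on; an "unknown" verdict still deserves the manual checks listed above.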
Detecting a Vishing Attack
Vishing is becoming an increasingly popular strategy. It works like phishing, but instead of an email message, you will receive a phone call or voicemail message.
Vishing messages usually come from an unknown number, often a local number that the caller has created. It could be a caller claiming to be your bank, or asking you to verify your identity in order to break two-step verification. In another increasingly common attack, callers claim to be from Microsoft and offer to help you address a security problem when they are really trying to access your computer. You could also receive a voicemail from someone claiming to be from the IRS or a collection agency, or claiming you are a contest winner. Some voicemail spammers just want a return call because they get paid if they can get you to verify your phone number.
The best strategy for vishing attacks is to ignore them:
- Never offer personal information over the phone if you aren’t sure who is on the other end of the call.
- Never respond to suspicious or unsolicited phone calls.
- Remember that legitimate agencies such as the IRS or creditors don’t usually leave messages; they use the U.S. mail as their first means of contact.
Smishing Is a Growing Threat
With the use of mobile devices on the rise, cybercriminals are increasingly using SMS text messages for phishing attacks. Phony SMS texts or smishing messages usually claim to be from your bank, mortgage company, car loan company, or some other trusted source, and ask you to reply, call, or click through to verify an account or deal with an issue. As with vishing, your best defense against smishing is to ignore unsolicited text messages.
- Never reply to a text message that urges you to click or call.
- Ignore text messages from unknown senders.
- When in doubt, look up the number and call the vendor directly to verify that it is their text request.
Take Additional Security Measures
In addition to applying caution and common sense when dealing with phishing attacks, there are additional security steps that you should take to prevent online fraud:
- Be sure that your computer is equipped with antivirus software that can detect malware that could be introduced by phishing emails.
- Be sure to keep your computer and mobile operating systems up to date with the latest release, which will include security patches.
- When it’s available, use multi-factor authentication to keep your passwords and your identity secure.
- For mobile devices, use biometrics such as fingerprint identification for added security.
If you are ever in doubt about a message or communication, you should feel free to contact the vendor directly to be sure that the communication is theirs. You will be safer, and the company will appreciate that you reported a possible security issue.
When it comes to your bank accounts, you should feel secure using online banking, but use common sense and be sure that you are the one who initiates an online transaction. Be wary of any incoming queries asking for information about your accounts.
Remember that you can call us anytime to verify any of our communication. You can also learn more about securing your identity through iQ’s Identity Theft Protection. The team at iQ Credit Union is always available to help.