To avoid phishing scams, verify every request for personal information you receive.
It’s easy to purchase email addresses in bulk from direct advertising firms, as well as magazines and other sources. There are companies out there that claim to be able to offer databases with as many as 500 million different email addresses. If you own a Twitter account, you can even purchase up to a million followers too. Padding your social media accounts has become a big business. That’s fuel for “phishing” scams.
Scammers take advantage of the availability of these lists by purchasing them for their own use. “Phishing” is a portmanteau that combines “phreak” (which itself is a combination of “freak” and “phone”) and “fishing.” In phishing scams, scammers go fishing for victims by email. Their goal is to obtain your trust or financial information. That typically includes your bank account or credit card number. And then rob you or your personal information in order to commit identity theft, or both. A relatively new portmanteau that you may come across is “vishing” (voice phishing), which refers specifically to phishing attempts over legacy or VoIP telephony.
Phishing is becoming a multi-billion dollar worldwide problem, both for individuals and for corporations. A report prepared in 2018 by Verizon found that 30% of phishing messages were opened by recipients and 12% of them actually clicked on the malicious attachment or link. The overall increasing trend was only made worse due to the 2020 COVID-19 crisis. In that year, one in four Americans received a coronavirus-related phishing email.
How big a problem is phishing? As of January 17, 2021, Google had identified 2,145,013 confirmed phishing sites. That represents a jump of 27 percent from the 1,690,000 that it found just 12 months earlier on January 19, 2020. One estimate is that out of the 369 billion emails sent every day, one out of every 2,000 is a phishing attempt. Which country is most affected by malicious phishing attempts? That depends on the year. In 2019 it was Saudi Arabia (one in every 118 emails). But the United States reported the highest percentage of organizations that experience successful phishing attacks (65 percent, compared to a global average of 55 percent).
How Do Phishing Scams Work?
Typical phishing scams begin when you get an email with the logo of your bank, credit card company or a major online merchant. But it’s all fake. The email will inform you that for security reasons you have to re-confirm your account information. A link is provided. You click and reach an online form that looks perfectly legitimate. It also carries the same official logo. The form asks you for your name, address, account number, password or PIN number (whichever one is relevant). And perhaps a few additional bits of information as well. You fill out the form and click “Submit.” Those who do are victims of phishing scams.
There are several alternate methods for transmitting phishing scams. One is through SMS messages, a phenomenon known as “smishing” (SMS phishing). Another is by implanting fake QR codes in email messages. That option, known as clickjacking, is even more devious than the standard phishing email, since the URL is not discernable in the text.
Operators of phishing scams can be ingenious. In Florida, for example, Duke Energy customers reported a wave of phone calls promising them refunds for overpayment of bills. All the customers have to do is re-confirm their personal data, including, in some cases, their Social Security numbers. The calls were fake and the scammers can now use their personal information as they wish.
Take a look at the following text of an actual phishing email received by one of our employees. How many red flags can you spot?
Kindly reconfirm your name,phone number and your address for verification and immediate payment of your unpaid Contract/inheritance/lottery fund within 24 hours.The amount approved is Ten Million Seven Hundred Thousand Dollars. Kindly respond urgently.
Individuals and Corporations Are Both Targeted by Phishing Scams
If you think that a scam like this would stay clear of the largest and most secure corporations associated with the internet, then think again. From (at least) 2013 to (at least) 2015, an elaborate international phishing attack targeted Google and Facebook employees. It tricked them into sending an estimated $100 million to an overseas banking account. It was the most expensive phishing attack in history.
In March 2017, at the request of U.S. authorities, Lithuanian police arrested a suspect at his home in that Baltic country. He was extradited to the U.S. five months later to stand trial. He allegedly impersonated a Taiwanese electronics manufacturer. That Taiwanese firm provided equipment to both Google and Facebook. Using that false persona he was able to send massive numbers of these fraudulent emails to employees of those companies. He was convicted of wire fraud, money laundering and aggravated identity theft and sentenced to five years in prison.
How Was the Scam Cracked?
Google first uncovered the scam itself, and immediately contacted authorities. Both Google and Facebook claim that they were able to recover most of the funds lost by their staff. But large corporations are not only victims of phishing scams. They can also inadvertently create the problem itself.
Equifax is one of the three largest consumer credit reporting agencies in the world. It collects and aggregates information on over hundreds of millions of individual consumers and businesses around the globe. And in 2017 it too fell victim to a large-scale security breach. To reassure consumers, it set up a dedicated website to allow them to access their credit records. Shortly thereafter, a cybersecurity researcher cloned that site. That not only proved that Equifax didn’t solve its security problem. It also proved that scammers could access the passwords and personal information of the consumers they already victimized a second time around.
One of the most widely identifiable examples of phishing began with scammers in Nigeria as early as the 1980s. Their bulk emails are also known as 419 scams, a reference to the section of the Nigerian criminal code that outlaws fraud. Since then, however, copycat scammers have set up shop in Amsterdam, London and other locations as well.
These emails follow a predictable pattern. They usually claim that someone who sounds respectable died without heirs and left a fortune. The sender generally identifies himself as the deceased’s attorney or a high-ranking government or tribal official. He claims he’s writing to ask you to allow him to transfer the funds into your bank account. That’s supposedly in order to overcome local financial bureaucracy, a legal problem or local chaos. In exchange, he says he will share the fortune with you equitably.
If you respond, he’ll invite you to meet overseas to sign some paperwork. Those who took the offer up and flew out to meet the scammers soon learned they had to pay thousands of dollars in processing fees. Or pay the supposed attorney his own percentage in advance. And once they do, the scammers disappear. Or instead give you a check in exchange for your cash. The check, however, will bounce when you deposit it back home. In actuality, those victims were lucky. Others wound up dead.
Always Exercise Caution
By every standard – technology, content, graphic design, and psychology − phishing is a very sophisticated scam. An email with your bank’s logo that informs you that you should reconfirm your password due to a security threat seems perfectly legitimate. So your immediate reaction will be to assure your online security and comply with the request.
But here’s a general rule: First verify the legitimacy of every request for personal information that you receive. You can do this in several ways:
- Call or write the bank, credit card company or other financial institution that ostensibly is asking you to respond
- Surf the internet for phishing warnings using keywords from the same text
- Check the latest phishing warnings on the website of a government cybersecurity agency such as the U.S. Computer Emergency Readiness Team
- Consider purchasing anti-phishing computer software