You might’ve heard the word “phishing” and had no idea what it meant (no poles required), or known all too well what phishing is, or maybe you think you know but aren’t totally sure. We’ve been there.
Ever received an email from an address that looked suspicious? Or an unsolicited call from “your bank” asking you to verify personal information like your Social Security Number? If so, you may have experienced phishing, which is a common cyberattack these days.
It seems like practically everything we do nowadays revolves around our computers, our cell phones, and often both. We’re in a state of almost constant connection, but being so “connected” can make us vulnerable to threats.
If you had a chance to check out our guide to cybersecurity best practices, you might remember reading about phishing, which is a common type of threat. Or maybe you (unfortunately) have had some first-hand experience with phishing scams. Either way, it can be helpful to brush up on what exactly phishing is, and of course, how you can protect yourself and your sensitive information.
Let’s quickly cover the basics before we jump into more of the nitty-gritty issues.
Phishing is a cybercrime where someone poses as a legitimate source to get you to reveal sensitive information. How do they do this? Phishers will typically send you an email, text message, or call you, looking for a combination of personal info such as your name, date of birth, and Social Security Number.
They also may try to “phish” for financial data such as credit card numbers and bank account information.
Once the phisher has this information, they can potentially use it to access your most important accounts. They might try to withdraw money from your bank accounts or even steal your identity.
No one wants to experience a phishing scam. They’re scary, they’re stressful, they’re likely no one’s idea of a good time. Below we’ll cover some common phishing scams, as well as tips for staying protected.
One typical phishing scam is impersonating a bank. Phishers might call you, pretending to be your bank, and possibly asking you to verify (read: give them) your account credentials or one-time PIN information.
Once they have it, the phisher can then call your bank’s customer center pretending to be you. And armed with your personal information, they could potentially access your accounts.
Phishers also might make fake email addresses that sound like the name of your bank, and send you emails requesting information or verification of your account credentials. Again, if you give it to them, they can then use this information to either hack your accounts or impersonate you . . . even to your own bank.
Phishers can utilize information you share about yourself on social media to gain your trust and/or impersonate you to family and friends. Pop quiz: what was the last thing you shared about yourself on social media this morning? Over 1.3 billion people log into their social media accounts every month, making them fertile hunting grounds for phishers. What you post and the accounts you follow reveal a lot about you.
Phishers can use that information to learn personal details about your interests and hobbies, and even possibly your whereabouts.
They might also use fraudulent links. If you click on them, they could infect your device with malware.
People can create fake social media accounts on platforms like Twitter and Facebook. Phishers might do this to impersonate your bank or companies you’re familiar with.
They’ll try to get you to engage or click on posts, messages or links. How? Phishers will often use language expressing urgency to avoid an issue, or take advantage of some too-good-to-be-true offer. Phishers do this in order to get you to act quickly and without thinking – it’s part of their plan!
It’s not always obvious whether an email you’ve received is from a phisher. And that’s no accident! Phishers have gotten very good at creating fake email addresses designed to impersonate people or businesses you’re familiar with. There might be slight spelling differences that could be easy for you to miss.
Well, the idea is that you won’t notice the difference(s). You’ll just open the email or click on links. Be careful, though, because clicking the link could lead to a malicious attachment.
That malicious attachment could then install malware on your computer. And this malware could steal your account details, and possibly even one-time PINs.
Here’s how it works. Fraudsters might go about SIM swapping by calling your cell phone provider and impersonating you, saying you’ve lost your SIM card and need to replace it.
They then ask customer service to activate a new SIM card in the fraudster’s possession, and that activation then transfers your phone number to the fraudster’s own device and SIM card.
Another variation of this is when fraudsters connect your number to a new carrier. They get the new carrier to issue the fraudster a new SIM card that’s connected to your phone number.
Access to your phone means access to your communications with banks and other businesses, including your text messages. That means they can receive codes and password resets sent to your phone.
Before you start freaking out about all of the many ways phishers can access your information and use it against you, take a deep breath. Luckily, there are a number of things you can do to help protect your sensitive information (and there’s a fair chance you already do some of these!).
We don’t mean to sound like a broken record. But seriously – think about how much we all share on our social media accounts on a daily basis.
Being conscious of how much personal information you’re sharing on social media, especially things like “checking in” at businesses you frequent, is a good place to start.
It also might be helpful to think about the ways anything you share could be used against you (even though we know that’s probably not the thought you have right before hitting “post”).
If you’ve learned anything so far, it’s that phishers can be really sneaky. They can create email addresses that appear to come from your bank or other sources you’re familiar with.
Before you open emails or click on links, carefully check that the email address matches the sender’s name. It’s also a good idea to check the email address’s spelling and ensure it matches the business name.
If you’re suspicious of any emails you receive, don't even open them. Send them to spam or your trash—even opening the email has the potential to release malware on your device.
We know, clicking on a link in a message is just so easy and probably automatic for a lot of us. But it’s also an easy way to accidentally give up your personal information.
You might not notice if a link in an email or text message that you think you recognize is off by a letter or two. It could end up sending you to a completely different webpage, one that could possibly infect your device with malware.
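The two checks described above (does the sender's address match the name it displays, and is a link "off by a letter or two") can be automated. The following is an added example, not part of the original article; the brand "Example Bank", its domain `examplebank.example`, and all sample headers and links are constructed for illustration.

```python
from email.utils import parseaddr
from urllib.parse import urlsplit

# Hypothetical allow-list: brand name -> the domain that brand really uses.
TRUSTED = {"example bank": "examplebank.example"}

def edit_distance(a, b):
    """Levenshtein distance: single-character edits needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_domain(domain):
    """Return 'trusted', 'lookalike' or 'unknown' for a host name."""
    domain = domain.lower().rstrip(".")
    for good in TRUSTED.values():
        if domain == good or domain.endswith("." + good):
            return "trusted"
    for good in TRUSTED.values():
        brand_label = good.split(".")[0]
        # A label within two edits of the brand label (or identical to it on
        # a domain that is not trusted) is treated as an imitation.
        if any(edit_distance(label, brand_label) <= 2 for label in domain.split(".")):
            return "lookalike"
    return "unknown"

def check_sender(from_header):
    """Compare the display name and the address domain of a From: header."""
    display, addr = parseaddr(from_header)
    verdict = classify_domain(addr.rpartition("@")[2])
    if verdict == "lookalike":
        return "lookalike-domain"
    claims_brand = any(brand in display.lower() for brand in TRUSTED)
    if claims_brand and verdict != "trusted":
        return "display-name-mismatch"
    return "ok" if verdict == "trusted" else "unknown"

def check_link(url):
    """Classify the host a link really points to."""
    return classify_domain(urlsplit(url).hostname or "")

if __name__ == "__main__":
    # Constructed sample inputs.
    print(check_sender('"Example Bank" <alerts@examp1ebank.example>'))
    print(check_link("https://examplebnak.example/login"))
```
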
This tip specifically deals with those SIM swapping scams we mentioned. If a hacker is able to port your number to their own device with a new SIM card, you’ll notice you lose service on your cell phone (as if you had taken the SIM card out).
If you can’t send or receive text messages, are unable to access your accounts, or you receive notice that your SIM card has been changed, immediately contact your cell phone provider. Since you may not have access to service, you can do this by borrowing someone’s phone, contacting them online, or addressing the issue in-person.
Be sure to sign up for transaction alerts on your credit cards and bank accounts. That way any time a transaction occurs, you’ll be notified and can quickly take action if it’s been a fraudulent charge or withdrawal.
It can be helpful to get into the practice of regularly checking statements from your bank and credit card issuer. If you ever come across suspicious activity or suspected fraudulent charges, contact your bank/financial institution immediately.
In some cases, phishers may contact you posing as a government agency (like the FTC) or “tech support” or some other reliable source, and ask you to give them remote access to your computer.
They might make you believe you’re entitled to receive a payment or have a computer virus only they can help with, and all you have to do is grant them remote access to your device.
Never give any person remote access unless you have verified they are who they say they are. You can always ask them for a call back number and see if they give a valid phone number, or hang up and contact the company directly and verify the information given to you by the (potentially) fraudulent caller.
This article is for informational purposes only and is not a substitute for individualized professional advice. Articles on this site were commissioned and approved by Marcus by Goldman Sachs®, but may not reflect the institutional opinions of The Goldman Sachs Group, Inc., Goldman Sachs Bank USA or any of their affiliates, subsidiaries or divisions.