TL;DR: Phishing (when scammers pretend to be from a legitimate institution in an attempt to steal personal info like your banking data), social engineering, and other kinds of digital fraud have leveled up in recent years — so you need to be more vigilant than ever. But there are still a lot of ways to protect yourself, your family, and your money.
What is phishing?
Phishing is a crime in which a scammer contacts you by email, phone, text message, or via social media pretending to be from a legitimate institution—like your bank or credit card company, or even a tech or a social media company—and claims there’s some problem with your account. The scammer prompts you to share personal information like your banking and credit card numbers, passwords, or your social security number (SSN). With this info, they can access your account(s), steal your money and/or your identity, and generally make your life a nightmare.
Phishing is just one type of email fraud, which covers any kind of deception over email for personal gain. For example, a bogus request for “help” asking for money, or an alleged “hitman” asking for a ransom, yes, over email.
As for phishing attempts specifically, an attacker will often target someone’s work email because they work at a company that handles sensitive customer data. This scammer might impersonate a cybersecurity company or even the company’s CEO, tricking the target into entering company credentials or downloading malware that takes over the target’s computer.
Alternatively, personal phishing attacks target your personal accounts, including your own bank account, credit cards, social security number, and other sensitive data.
What do phishing attacks look like?
As fraudsters get more sophisticated, it can be tricky to tell the difference between an authentic email and a phishing email.
Both legitimate and phishing emails may use the logo of the company they’re representing (or trying to represent), like a bank, credit union, or retailer like Amazon. Both may use alarming phrases like “account suspended,” “reset your password,” and “suspicious activity.” But there are key differences you should look out for.
For starters, look at the email address. The phisher might have named themselves “Venmo” but their actual email address could be from yahoo.com. More advanced phishing attempts might try to use a very similar URL to the one they’re impersonating — for example, replacing the “L” in PayPal with a capital “i.”
Within the body of the email itself, the scammer might have some words hyperlinked — but if you hover over the hyperlink (without clicking!), the URL that appears won’t actually be from, say, Venmo.
What are these emails asking for? They’re usually asking you to click a link. This link might download malicious code that can steal your data or monitor your computer’s activity, but more likely, it’ll take you to a page spoofed to look like a legit website. You’ll be prompted to enter info like your username, password, credit card numbers, bank account info, or more. Phishing emails might also ask you for the verification code that was recently texted to you by a P2P payment platform. They need this code to break into your account.
Answering these requests can lead to financial disaster. Scammers will use this data to log into your accounts, transfer your money to themselves, buy things on your credit cards, and, if they have your SSN, open new accounts under your name, which can destroy your credit.
Who’s most at risk of phishing?
Just because you don’t work at a corporate job doesn’t mean you can’t get phished. Anyone with an email address or phone number is a possible phishing target. In fact, those who only check email or “go online” rarely might be at greater risk, because they aren’t as vigilant or up-to-date on the latest scams.
Just clicking a few links on your phone can lead to the same kind of security breaches at big companies that you read about in the news — except you’re the target, and becoming a victim can potentially consume your life and rob you of all the money you’ve worked hard to earn.
How can I avoid being phished?
Above all else, always be extremely critical of unsolicited emails. Look out for these common red flags:
- unexpected attachments
- requests for personal information
- grammatical errors or typos
You should also be extremely cautious about clicking links or opening files in emails you don’t totally trust. To better determine the legitimacy of an email:
- First, look at the email address. (If you’re on Gmail, just hit the upside down triangle near the “to” field to see the sender’s full email address.) If the sender’s email isn’t from the actual company, it’s probably a scam.
- Even if the sender’s email includes the company’s name in their email address, do a quick Google search of the email address to help verify if it’s the actual company emailing you or an imposter.
- Unless it’s an Etsy store or tiny business, seeing a “company” email from “@gmail.com” can be a clear indicator the fraudster is trying to impersonate another entity.
- Hover over each link to see the URL it actually points to. If the URL isn’t a legit company domain, it’s probably a scam. This includes URL shorteners like bit.ly, which hide the real destination.
- Contact the company directly to ask if they sent this email. Not by replying to the email; go to the company website and use their contact info.
- Use multifactor authentication (MFA) — it’s free with major providers like Google. But also watch out for MFA prompt bombing. This is when you get absolutely bombarded with MFA requests — so many that you accidentally tap one to accept.
- Make sure your email account uses a spam filter.
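The sender and link checks above (display name vs. real sending domain, company mail from free webmail, the capital-“i”-for-“L” lookalike trick, link text that doesn’t match the link target, and URL shorteners) can be automated for a mailbox. The script below is an added example, not code from the original article or from any of the companies it names; the brand list, the free-mail and shortener lists, and both sample messages are constructed for illustration, and the “registrable domain” helper is a deliberately crude last-two-labels approximation.

```python
"""Heuristic phishing checks over one raw email message (added example).

Flags: display name claiming a brand from a non-brand domain, company mail
from free webmail, lookalike domains (PayPaI vs PayPal), link text that
mentions a brand while the href points elsewhere, and URL shorteners.
"""
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed lists: brands the reader expects mail from and their real domains,
# common free webmail providers, and common URL shorteners.
KNOWN_BRANDS = {"venmo": "venmo.com", "paypal": "paypal.com", "amazon": "amazon.com"}
FREE_MAIL = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}


def fold_lookalikes(name: str) -> str:
    """Collapse common character swaps (capital I or digit 1 for l, 0 for o,
    rn for m) so 'PayPaI' and 'paypa1' both compare equal to 'paypal'.
    Folding happens before lowercasing because the capital-I trick is case-sensitive."""
    folded = name.translate(str.maketrans({"I": "l", "1": "l", "0": "o"}))
    return folded.lower().replace("rn", "m")


def registered_domain(host: str) -> str:
    """Crude 'last two labels' approximation of the registrable domain.
    Case is preserved so lookalike folding still sees the original characters.
    (No public-suffix list, so hosts like example.co.uk are not handled.)"""
    labels = host.rstrip(".").split(".")
    return ".".join(labels[-2:])


def brand_for(text: str):
    """Return the known brand whose name appears in text after lookalike folding."""
    folded = fold_lookalikes(text)
    for brand in KNOWN_BRANDS:
        if brand in folded:
            return brand
    return None


class LinkCollector(HTMLParser):
    """Collects (visible text, href) pairs from <a> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def check_email(raw: str) -> list:
    """Run the article's manual checks over one raw message; return warnings."""
    msg = message_from_string(raw, policy=policy.default)
    warnings = []
    display, addr = parseaddr(str(msg.get("From", "")))
    sender_domain = registered_domain(addr.rpartition("@")[2]) if "@" in addr else ""

    claimed = brand_for(display)  # display name says "Venmo", but from where?
    if claimed and sender_domain.lower() != KNOWN_BRANDS[claimed]:
        warnings.append(f"sender claims '{display}' but mail comes from {sender_domain}")
    if sender_domain.lower() in FREE_MAIL:
        warnings.append(f"sender uses free webmail domain {sender_domain}")
    for real in KNOWN_BRANDS.values():
        if fold_lookalikes(sender_domain) == real and sender_domain.lower() != real:
            warnings.append(f"sender domain {sender_domain} is a lookalike of {real}")

    part = msg.get_body(preferencelist=("html", "plain"))  # first HTML or text part
    collector = LinkCollector()
    collector.feed(part.get_content() if part is not None else "")
    for text, href in collector.links:
        # netloc keeps case (hostname would lowercase and hide the capital-I trick)
        host = urlparse(href).netloc.rpartition("@")[2].split(":")[0]
        target = registered_domain(host) if host else ""
        if target.lower() in SHORTENERS:
            warnings.append(f"link '{text}' uses URL shortener {target}")
        text_brand = brand_for(text)
        if text_brand and target.lower() != KNOWN_BRANDS[text_brand]:
            warnings.append(f"link text mentions {text_brand} but points to {target or href}")
        for real in KNOWN_BRANDS.values():
            if fold_lookalikes(target) == real and target.lower() != real:
                warnings.append(f"link host {target} is a lookalike of {real}")
    return warnings


# Constructed sample phishing message modelled on the patterns described above.
SAMPLE_PHISH = """\
From: Venmo <security-alerts@yahoo.com>
To: you@example.com
Subject: Suspicious activity - account suspended
Content-Type: text/html; charset=utf-8

<html><body><p>We detected suspicious activity.
<a href="https://bit.ly/3xyz">Reset your password</a> or visit
<a href="https://login.paypaI.com/verify">https://www.paypal.com</a>.</p></body></html>
"""

# Constructed legitimate-looking message for contrast.
SAMPLE_OK = """\
From: PayPal <service@paypal.com>
To: you@example.com
Subject: Your receipt
Content-Type: text/html; charset=utf-8

<html><body><p>Thanks. <a href="https://www.paypal.com/activity">View activity</a></p></body></html>
"""

if __name__ == "__main__":
    for warning in check_email(SAMPLE_PHISH):
        print("WARNING:", warning)
    print("clean message warnings:", check_email(SAMPLE_OK))
```

Run it on a saved `.eml` file by reading the file into `check_email`. The checks are heuristics that mirror the manual list, so an empty result means “nothing obvious,” not “safe”; the contact-the-company-directly step still applies.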
What are the most common email fraud scams?
While phishing is the most popular form of email fraud, tons of other scams are trying to hit your inbox. Be on the lookout for:
- Google Voice hoax: When you’ve posted something for sale or a lost pet, someone contacts you and asks for the Google Voice verification code sent to your phone to “prove” you’re real. They’ll use it to set up a Google Voice account under your name to scam more people.
- Cryptocurrency ATM ploys: A fake government official or utility agent demands you pay a fee via a crypto ATM to an untraceable digital wallet. There’s no way to get your money back.
- Rental assistance scams: With the rollback of Covid-era assistance, scammers have been emailing people offering help with rent — in exchange for your banking info.
- Fake job platform emails: Fake employers or reps from job platforms (like LinkedIn) will say they’re offering you a job, but what they really want is your SSN.
- Amazon impersonations: Scammers email saying your Amazon account has been hacked, and ask for fees, gift cards, even remote access to your computer.
- Fake Zelle receipts: In another online marketplace scheme, a buyer sends you a spoofed email from Zelle or another P2P payment platform saying the payment has gone through, when no money has actually been sent.
Phishing in particular relies on social engineering, when someone deceives or manipulates you to gain control of your online accounts. Spear phishing is a specialized form of attack, in which fraudsters do research on you based on your social media (including LinkedIn profile) so they can send you a fake email with very specific details based on your life and career. These details are meant to gain your trust so you’re more likely to give up sensitive data.
What should I do if I’ve been scammed or phished?
Pre-coffee, you just woke up, and you click a link on an email that turns out to be phishy. Look, it happens. If you did share sensitive data, take these steps immediately:
- Change all your passwords (particularly your email, banking, social media, credit cards, and Amazon and Google logins)
- Notify your bank, credit card companies, and other relevant institutions
- Enable multifactor authentication (MFA) on all accounts you can get it on
- Consider putting a temporary freeze on your credit through the three major credit bureaus, Experian, TransUnion, and Equifax. (It’s free.)
- Report the incident to the FTC and the Anti-Phishing Working Group
Phishing email scams are everywhere. While some cybercriminals target employees of big companies for customer data, many others focus on scamming everyday people — anyone with an email address. But there are fast, easy ways to tell whether an email’s legit so you don’t get ripped off.