Phishing FAQ: How to Spot Scams and Stop Them in Their Tracks – CNET
It might be an email asking for donations to help Ukrainian refugees or maybe the victims of the latest earthquake or hurricane. It could even be a text message telling you that your antivirus software is expired or an ad on social media pushing what looks like an amazing deal on designer sunglasses.
But no matter what the sales pitch is, or how it’s packaged, if that email, text or post came to you unsolicited, chances are it’s probably phishing.
Phishing isn’t anything new. It dates back to the days of snail mail and Nigerian princes looking for help in moving their millions out of their country. What is new, experts say, is the rapidly increasing scale at which the attacks can be produced and their growing sophistication, with both aspects often now boosted by the power of artificial intelligence tools similar to ChatGPT.
In terms of quantity, phishing accounted for more than 300,000 of the more than 800,000 complaints made to the FBI’s Internet Crime Complaint Center last year, making it more prevalent than any other kind of cybercrime, though it’s worth mentioning that its combined losses of $52 million fell well behind those of investment fraud-related crimes, which accounted for a total of $3.3 billion in losses.
More recently, cybersecurity researchers say volumes of phishing emails, already vast, are skyrocketing. For example, the cybersecurity company Vade says the number of phishing emails detected by its systems more than doubled in the first quarter of this year to about 560 million compared with the fourth quarter of 2022.
Those numbers don’t include phishing attempts sent by text or in social media posts. And law enforcement agencies, including the FBI, have spotted rare phishing attempts in the form of QR codes, specifically stickers put on parking meters in places like Austin, Texas, that send motorists to fake websites that steal their credit card and other information.
At the same time, phishing attacks are getting more convincing. Gone are the grammatical errors and broken English of the past. Today’s phishermen use technology to mine social media and other data sources for personal details that can be sprinkled throughout an email to make it more convincing. They may know where a person banks, who their relatives are or where they went to school.
Labor-intensive research that was once reserved for the highest-profile targets can now often be automated for a minimal cost, allowing scammers to target more people in more convincing ways. And open-source AI tools make the writing process quick and easy, even for non-native English speakers.
All of that may seem pretty frightening. After all, if a person can’t tell the difference between legitimate communication and a scammer, how can they avoid them?
But don’t despair. There are things you can do to avoid getting caught in a phisherman’s net. Here’s what you need to know.
What does phishing look like?
Emails, texts and social media posts that you didn’t ask for. If a person or a company reaches out to you and you didn’t contact them first, you probably should ignore it. It doesn’t matter if it’s an email saying that your Windows subscription has expired, a text from your bank saying that your account has been compromised or a post on Instagram pushing a great deal on designer sunglasses. Mass layoffs in a handful of industries also have scammers targeting the unemployed. Don’t click on any links or download any attachments. Instead, go straight to the bank’s or company’s website. If a “recruiter” reaches out to you, only send your personal information to the company you’re applying to. Any unsolicited job offer that looks too good to be true should be treated as such.
Requests for payment in gift cards or cryptocurrency are red flags. Does it seem weird that a retailer, government agency or debt-collection service wants payment in these forms? It’s probably a scam. These are the preferred forms of payment for cybercriminals, because they largely can’t be traced and can be liquidated easily. The IRS, for example, won’t take payment for alleged back taxes in either of these forms. On a related note, the IRS also won’t reach out to you by email, text or phone. It works exclusively by snail mail.
Pleas for money from people you don’t know (they might even say they’re in love with you). Think nobody falls for romance scams? Think again. According to the Federal Trade Commission, online romance scams accounted for a staggering $1.3 billion in losses last year. The email might come from a woman who claims she’s trying to escape the war in Ukraine or a guy serving in the military who just thinks you’re cute. Regardless, if they can’t meet you in real life for whatever reason, be very skeptical. The same goes if they ask for gift cards or crypto.
Charity scams are a thing, too. Just like with the romance scams, these scammers are also looking to take advantage of people with big hearts. They’ll say they’re looking for donations to help victims of the latest natural disaster or war, often posing as what looks like a legitimate aid organization. They’ll insist you need to give now, in the hope that you’ll do it before you think. Don’t. Only donate to verified and established charity groups. Go straight to their websites or connect to them through a trusted source.
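As an added example (not part of the CNET article), here is a small Python scorer that applies the red flags listed above to a couple of constructed sample messages; the weights, the threshold and the example addresses are assumptions, not anything from the article.

```python
import re
from dataclasses import dataclass

# Heuristic weights are an assumption for this example; the red flags themselves
# come from the FAQ: unsolicited contact, gift-card or crypto payment requests,
# pressure to act now, links that don't match the sender, and "the IRS" making
# contact by email or text (it only uses postal mail).
PAYMENT = re.compile(r"\b(gift\s*cards?|bitcoin|crypto(?:currency)?)\b", re.I)
URGENCY = re.compile(r"\b(immediately|right now|act now|give now|within 24 hours|expire\w*)\b", re.I)
LINK_HOST = re.compile(r"https?://([^\s/]+)", re.I)

@dataclass
class Verdict:
    score: int
    reasons: list

def host_belongs_to(sender_domain: str, host: str) -> bool:
    """True if the link host is the sender's domain or a subdomain of it."""
    return host == sender_domain or host.endswith("." + sender_domain)

def assess(sender: str, body: str, solicited: bool = False) -> Verdict:
    """Score one message against the FAQ's red flags; higher means more suspicious."""
    sender_domain = sender.rsplit("@", 1)[-1].lower()
    score, reasons = 0, []
    if not solicited:
        score += 1
        reasons.append("unsolicited message")
    if PAYMENT.search(body):
        score += 3
        reasons.append("asks for gift cards or cryptocurrency")
    if URGENCY.search(body):
        score += 1
        reasons.append("pressures you to act before you think")
    for host in LINK_HOST.findall(body):
        if not host_belongs_to(sender_domain, host.lower()):
            score += 2
            reasons.append(f"link host {host} does not match sender domain {sender_domain}")
    if re.search(r"\bIRS\b", body) or "irs" in sender_domain.split("."):
        score += 3
        reasons.append("claims to be the IRS, which contacts taxpayers only by postal mail")
    return Verdict(score, reasons)

def is_suspicious(sender: str, body: str, solicited: bool = False, threshold: int = 3) -> bool:
    return assess(sender, body, solicited).score >= threshold

# Constructed sample messages (not real phishing): one scam and one routine receipt.
SCAM = ("collections@irs-payments.example",
        "The IRS says your back taxes are due immediately. Pay with gift cards "
        "at https://irs-refund.example/pay to avoid arrest.")
RECEIPT = ("orders@shop.example",
           "Thanks for your order. Track it at https://track.shop.example/123")
```

Calling `assess(*SCAM)` returns a score of 10 with five reasons, while the receipt you asked for (`assess(*RECEIPT, solicited=True)`) scores 0.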
How can I protect myself if I think I’ve been phished?
Use good antivirus software and update everything. A big part of the antivirus software mission is to filter out spam and scam emails, as well as stop malware that might be attached to them. But AV can’t stop threats it doesn’t know about, so make sure that yours is updating constantly to stay on top of all the new ones. Meanwhile, updating your devices’ operating systems and your apps will fix bugs that cybercriminals could potentially exploit.
Great passwords are a must. If your email account gets compromised, it could be used to swindle your contacts out of their money or identities. It also could be used to help reset the password for your financial and other super-sensitive accounts. As a rule, passwords should be long (at least 12 characters) and unique (‘password123’ is always a bad idea). Resist the temptation to reuse them, even if you think they’re really good. If that’s too hard, password managers can help.
Two-factor authentication is a no-brainer. Even the best passwords can be cracked. Two-factor authentication (2FA) will go a long way toward protecting you if that happens. It requires a second form of authentication like a biometric indicator, push notification sent to your phone or the connection of a physical key, in addition to your password. But avoid the SMS text version of this. While it’s rare, phones can be “SIM swapped,” allowing cybercriminals to intercept those texted codes.
Think about a credit freeze. If you think that your Social Security number or other super-private details have been compromised, freezing your credit will prevent cybercriminals from taking out loans in your name or otherwise using that information for identity theft. Some security experts recommend freezing the credit of children until they need to use it, since identity theft committed against them can often go unnoticed.