"There was something not right with that email. But I replied anyway," member Cheryl M. recalled after she received an email from someone she thought was the County Manager. "Clicking was a mistake."
Cheryl’s story is an all-too-common example of phishing, the practice of sending a fake email made to look like it comes from a known source to trick you into sharing personal information. There’s no way to prevent all phishing attacks, but here’s how to spot the red flags and avoid potential trouble ahead.
Think before you click
Thieves often target you with fake emails made to look like people you know or companies you do business with. Phishers apply pressure and prey on fear to get you to click or respond. It’s important not to be drawn in immediately.
"These emails play on your emotions. It may look like it’s from someone or some company you trust telling you to act now," said Terry W. Phelps, Jr., LGFCU’s Senior Vice President of Managed Information Systems. "Before taking action, ask yourself, 'Is this something that person would do or say?' If the answer is 'no,' don’t click and don’t reply. If you’re unsure, go to the source."
Be aware of the information you share
Never send an email with sensitive information to anyone. Make it a habit to carefully check the sender's email address. Oftentimes, the fake email is so similar to the real address you may not spot the error (e.g. email@example.com or firstname.lastname@example.org).
"It seems like the messages come when you’re at your busiest. You don't pay close attention to the details," said Cheryl. "Plus, we just talked about this topic so I replied."
According to Phelps, before clicking on a link or replying to a request for information, think about how you normally do business with that person or organization. For instance, he said if you typically receive a paper statement, but you receive an email prompting you to view your account balance online, you should be suspicious.
Common phishing techniques
Deceptive phishing. The sender impersonates a legitimate company or person you’re familiar with. The thief makes an urgent plea for you to share personal or financial information right away.
Spear phishing. With spear phishing, the email is more personalized to increase the likelihood that you fall into the thief's trap.
CEO Fraud. Spear phishers target top executives in an attempt to steal the executive's login credentials or trick the executive into performing an action they wouldn't normally do, such as wiring $10,000 to a new account.
Link fraud. Thieves embed a link in an email that redirects you to an unsecured website that requests private information they can steal.
Tips for reducing phishing attack effectiveness
Turn on your firewall. Cheryl said the County's firewall prevented the fake email from possibly doing damage to the computer network. According to Phelps, a firewall serves as a barrier between you, your computer and outside intruders at home or at work. Ideally, you should have a desktop firewall and a network firewall turned on.
The first option is a type of software and the second is a type of hardware. When used together, they drastically reduce the odds of hackers and phishers infiltrating your computer or your network.
"Having multiple layers of security is like having multiple locks on your front door. It’s harder for thieves to get in," said Phelps.
Spam filters. These filters catch emails sooner when they don't come from legitimate companies or persons you normally connect with. Set your filter to your highest comfort level to keep out unwanted email.
Antivirus software. This guards against known tactics used by thieves and against online security loopholes.
Keep your web browser updated. Browser security patches are released all the time, so make sure to install them or set these updates to install automatically. With automatic updates, you’ll be protected as soon as a new patch is available.
Think twice about pop-ups. Pop-up windows often look like they come from trustworthy websites. Carefully consider which pop-ups you allow or click on since they could be phishing attempts.
Turn to your Credit Union: Help prevent fraud on your account and identity theft with tips on detection, prevention and resolution.
Added Cheryl, "Next time, if I’m not sure or I think it’s something that requires an answer immediately, I'm going to pick up the phone or walk into their office."
What to do if you're a victim of a phishing attack
The Federal Trade Commission encourages you to report phishing attacks:
- Forward phishing emails to the FTC at email@example.com and to the organization impersonated in the email.
- You can also report phishing email to the Anti-Phishing Working Group at firstname.lastname@example.org. This organization includes Internet Service Providers (ISPs), security vendors, financial institutions and law enforcement agencies that use these reports to fight phishing.
- File a report on the Federal Trade Commission website.
- Visit https://www.identitytheft.gov to learn how you can minimize the risk of becoming a victim of identity theft.
March 4-10 is National Consumer Protection Week. Use these tips to better protect yourself against phishing attacks.
The advice provided is for informational purposes only.