Safe Banking Tip #2: Go Fishing, Don’t Get Phished

This summer, go fishing, don’t get phished. Phishing is when a scammer uses fraudulent emails or texts, or copycat websites to get you to share valuable personal information, such as account numbers, Social Security numbers or your login IDs and passwords. The information is either then used by the scammer to steal your money, identity or both. Sometimes these scammers also sell this information to another party that then uses the information to the same end.

Scammers also use phishing emails to gain access to your computer or network and then install programs, called ransomware, that can lock you out of important files on your computer.

Scammers create a false sense of security by spoofing familiar, trusted logos of established, legitimate companies or pretending to be or know a family or friend. They utilize scare tactics and make you feel like something bad will happen if you do not provide the information to them. Commonly, they say that your account will be frozen, you will fail to get a tax refund, that a family member will be hurt, or you could be arrested. They tell whatever lies they need to, to get you to give the information.

So what steps can you take to avoid being phished?

1. Be cautious about opening email attachments or clicking unknown links. Even your friend, colleague or family members’ accounts could be hacked. Files and links can contain malware that can weaken your computer’s security.
2. Do your own typing. If a company or organization you know sends you a link or phone number, don’t click. Use your favorite search engine to look up the website or phone number yourself. Even though a link or phone number in an email may look like the real deal, scammers can hide the true destination.
3. Make the call if you’re not sure. Be incredibly suspicious of emails that request personal or financial information. Most of the companies you do business with, will not ask for that kind of information through an email or at all. Phishers use pressure tactics to prey on fear. If you think a company, friend or family members really does need your personal information, pick up the phone and call them yourself using the number on their website or in your address book, not the one in the email.
4. Utilize two-factor authentication wherever possible. For accounts that support two-factor authentication, the practice that requires your password and an additional piece of information to log into your account make sure you use it! The second piece of information required could be a code sent to your phone, or a random number generated by an app or token. This protects your account even when your password is compromised. As an extra precaution, you may want to choose more than one type of second authentication (a PIN, a secondary phone number or email address, etc.) in case your primary method (such as your cellphone) is not available.
5. Back up your files to an external hard drive or reputable cloud storage. Back up your files regularly to protect yourself against viruses or a ransomware attack. Be sure to use a reputable device or cloud storage company and ensure that any personal documents are kept private with password encryption or other form of encryption.
6. Keep your security up to date. Use security software you trust and make sure you set it to update automatically. This will ensure your devices are protected with the latest level of security protection. New malware, ransomware and viruses come out every single day.
7. Verify a website’s security. Before submitting any information on a website, make sure the URL begins with “https” and there should be a closed lock icon near the address bar. Check that the site’s security certificate is valid as well. You can see this by clicking the lock or information circle in the address bar of the browser window. Always close your browser if you get a message that a site may not be secure or contains malicious files.
8. Be wary of pop-ups. Pop-up windows often masquerade as legitimate components of a website. However, they are often phishing attempts. Most browsers allow you to block pop-ups and you can allow them on a case-by-case basis where needed. If one manages to slip through the cracks, don’t click on the “cancel” button; such buttons often lead to phishing sites. Instead click on the “x” in the upper corner of the window.
9. Report phishing emails, websites and texts. It is important to contact the individual or companies that you might experience phishing attempts from to notify them of what is happening. But it is also critical that you report these incidents to the authorities. Forward phishing emails to spam@uce.gov. Your report is most effective when you include the full email header, but most email programs hide this information. To ensure the header is included, search the name of your email service with “full email header” into your preferred search engine. You should also file a report with the Federal Trade Commission at gov/complaint. You can also report phishing emails to reportphishing@apwg.org. The Anti-Phishing Working Group, a group that includes internet service providers, security vendors, financial institutions, and law enforcement agencies, uses these reports to help fight phishing.

To learn more about how you can minimize your risk, visit identitytheft.gov.