Don’t Take the Bait: Email and Phishing Scams

Don’t Take the Bait: Email and Phishing Scams

Anyone with an email address has, at one time or another, received email attempts to con you into giving up information, buying into a scam, or clicking on malicious links or files. They are often sent to spam (where you know you can’t trust the mail), but what about the ones that aren’t?

These attempts cannot be taken lightly and it is vital to always be aware. Do you know the person you are receiving the email from? Were you expecting this email? Can you trust what the email is saying? Even if you said yes to all of these, the email could still be corrupted.

They come in many forms, however, the most common are: too-good-to-be-true schemes (business/investment opportunities, luxurious trip winnings, or lotteries/prizes), crisis alerts (either someone seeking help or indicating you are at risk), or “phishing” for account/personal details by impersonating a trusted institution.

With the ease of hacking (considering work put in and the low-risk factors), these attempts have become increasingly sophisticated. Scammers can create convincing emails that appear to come from trusted sources, including your bank and even universities. They mimic the trusted sources email presentation so that you would never be able to tell otherwise.

We have created guidelines that, if followed regularly and correctly, will dramatically reduce the risk of falling victim to email and phishing scams.

How to spot a phishing message?

Before clicking on a received email message, please consider these points:

  • Are there red flags?
      • Does the message ask for any personal information (password, credit cards, SSN, etc)?
      • Hover your mouse over the links in the email. Does the hover-text link match what’s in the text?  Do the actual links look like a site with which you would normally do business?
      • Does the message ask you to immediately open an attachment?
      • Does the message ask for sensitive information about others?
      • Bulk commercial solicitation: Are there lots of recipients to whom the email is addressed?
      • Click ‘Reply’ – Does the address in the ‘To’ field match the sender of the message?
    • Does the “From” email address look like either someone you know, a business you work with, or a proper email account?

Is there a lack of positive indicators?

    • Is the email from an entity/person with whom you do not do business?
    • Is it difficult to think of how the sender legitimately obtained your email address?
    • Is the message missing a digital signature/certificate?
  • Were you not expecting an email of this nature (e.g. password reset, account expiration, wire transfer, travel confirmation, etc)?

If you are unsure about the legitimacy of an email sent to you we will gladly help you decipher it.

DOs and DON’Ts to protect against email and phishing scams

DON’T send passwords or any sensitive information over email

There is no reason that a legitimate business or organization will ask you to send your password, account information, social security number, or other sensitive data over email. NEVER respond to an email requesting personal, financial, or other protected information, even if it appears to be from your bank or another trusted institution.

Rather, you should directly contact the institution that the email appears to be coming from. Ask them if they sent out something such as what you received.

DON’T click on “verify your account” or “login” links in any email

ALWAYS open a new window and use the institution’s official homepage to log into any account.

Links in an email may appear to go to the trusted site, but actually, redirect to a page that steals your login information.

DON’T reply to, click on links, or open attachments in spam or suspicious email

Send spam straight to the trash or immediately report it the FTC at [email protected]. Don’t even click on it if you can avoid it. Clicking through or replying to spam can verify your email address and encourage more such attempts in the future. NEVER open attachments from senders you don’t know.

DON’T call the number in an unsolicited email or give sensitive data to a caller

The risks associated with email phishing apply equally to phone calls. By using Voice over Internet Protocol technology, scammers can disguise their true phone number just like they can disguise their email or web address, so don’t assume that a familiar area code or prefix is safe to call.

Phone phishing can be even harder to detect than email phishing. Callers may impersonate institutional personnel, employees (or students) needing your assistance, or even police officers. Never give sensitive information to a caller you don’t know personally. If the need is legitimate, you will be able to call the person back using trusted numbers or email addresses you find on the official institutional website.

DO report impersonated or suspect email

As stated above, if you receive an email asking for personal, login or financial account information and appearing to be from your bank, or another trusted institution, forward the email to the FTC at [email protected]. Also forward the email to the organization being impersonated. (Most organizations have information on their websites about where to report problems. You might start by searching on the website for “fraud protection” or “spam” to find the correct email address.)

You also may report phishing email to [email protected]. The Anti-Phishing Working Group is a consortium of ISPs, security vendors, financial institutions and law enforcement agencies that is building a database of common scams to which people can refer.

DO be cautious about opening attachments, even from trusted senders

Email accounts can be hacked or impersonated by scammers. Files and attachments that have been infected with viruses and malware can be embedded in your account or email. If opened, these can access your data and/or harm your computer. Be wary of opening unsolicited attachments or downloading materials from an email, even if they appear to come from someone you know.

If you cannot find the information in the attachment elsewhere, examine the file extension on the attachment before opening it. If the extension is among the extensions listed below, it is more likely to be malicious. (This list is non-exhaustive.)

    • .exe
    • .msi, .bat, .com, .cmd, .hta, .scr, .pif, .reg, .js, .vbs, .wsf, .cpl, .jar
    • .docm, .xlsm, .pptm (may contain macros).
  • .rar, .zip, .7z

Caution: no file types are  100% safe – especially if your operating system or any of your programs/apps have not been adequately patched. Consider verifying the legitimacy of the email and attachment with the sender before opening it.

DO install antivirus and firewall programs

Anti-virus software and a firewall can protect you from accidentally accepting malicious files on your computer.

We can provide antivirus software that will keep your computer safe. Anti-virus software scans incoming communications and files for malicious content. It is important to find an antivirus software that updates automatically and can perform real-time protection.

A firewall helps make you invisible on the Internet and blocks all communications from unauthorized sources. It’s especially important to run a firewall if you have a broadband connection.

DO check financial statements and credit reports regularly

This should be done for security purposes in general. Read your monthly bank account and credit card statements to be sure all charges are authorized and request free annual credit reports to be sure there are no unauthorized accounts open in your name.

Other Tips:

    • Do read the small print. Get all promises in writing and review them carefully before you make a payment or sign a contract.
    • Do protect your personal information. Share credit card or other personal information only when you’re buying from a company you know and trust.
    • Do take your time. Resist any urge to “act now” despite the offer and the terms. Once you turn over your money, you may never get it back.
    • Do know who you’re dealing with. Don’t do business with any company that won’t provide its name, street address, and telephone number.
  • Don’t pay for a “free” gift. Disregard any offer that asks you to pay for a gift or prize. If it’s free or a gift, you shouldn’t have to pay for it. Free means free.

Through these preventative steps, you will be prepared for any sneak attacks on your email. Don’t make it easy for hackers to access your information. Education and action are key! We can help you get started!