We’re getting reports of a new round of phishing emails hitting inboxes, which means it’s time to dust off your phishing-spotting skills.
Here’s an example of one we’re hearing about: “We have added new security features to our system, to view the changes click on the below link.” Others are saying you can give feedback if you sign into your account by following a link. You should never click on links like this, nor should you provide personal information over email.
Phishing attempts typically try to scare you into clicking on links and/or opening a Google form and providing information. Remember: any company you do business with should already have the information being requested. And, when in doubt, contact the company directly rather than using links or information included in an email (get a refresher on five ways to spot a phishing scam).
If you’ve ever wondered how scammers even get your email address in the first place, here are some of the ways they do it (according to Microsoft, The Balance Everyday, and others):
- They use web crawlers that look for the @ symbol. Scammers have developed sophisticated automated tools that search the internet and gather email addresses. These can be found in insecure files, blog comments, winner lists, or even on social media profiles.
- They guess. Scammers will gather lists of common names and words, combine them with popular email address services/internet service providers, and just try them to see if they work. Again, scammers are using tools to do this by the thousands.
- They buy lists. Read the privacy policy on any website before handing over your email—the company may be able to legally sell your information, including your email address. On the dark web, there are also illegal lists available to purchase.
- Hacking. Cybercriminals are not above hacking into databases to get email addresses. They can use them, or they can sell what they find—or both.
- Fake websites. Fake sweepstakes are a classic method for getting people to readily give away their information. Always double check that it’s legitimate by checking out the company tied to the offer, and looking out for misspellings, bad grammar, and vague details.
One thing is for sure: phishing isn’t going away any time soon—not as long as people continue to fall for these scams. In the meantime, stay on your toes, and be sure to refresh your memory about how to spot a phishing scam (with real-life examples of attempts our customers have received!).
If you receive a phishing email, the Federal Trade Commission says you can report it at ReportFraud.ftc.gov and forward it to the Anti-Phishing Working Group at reportphishing@apwg.org. (If scammers contact you by text message or phone, report that, too.)
P.S. If you’re wondering if an email request for information is real, contact the business who “sent” it—but don’t use any links or phone numbers provided. Instead, look up their website yourself and/or give them a call (you should look that info up yourself, too). It’s the safest way to confirm whether the request in your inbox is for real.
Updated 5/9 with new phishing email copy example.