Going ‘phishing’

An in-depth look at online financial scams and how to avoid becoming a victim

Don’t become a victim of ‘phishing’ scams. Follow the checklist in our story to avoid falling into online financial traps.

Delnaz Kazemi, Reporter

Phishing, smishing and other types of financial scams are nothing new. Most of these scams are a way to get money out of the victim’s pocket.

There are many different types of online financial scams that one could stumble upon. The most common, which anyone who is online has encountered, are phishing/smishing/spoofing scams, which are all variations of the same scam. They usually include fake documents or communications, like email, that are disguised as legitimate and carry a call to action that leads the victim or recipient to enter sensitive information. The scammer “fishes” for information by conducting these scams.

Some very common types of phishing scams that victims have encountered are business fraud, credit card fraud and “419” fraud. There are also other types, such as investment fraud. Examples of that include Ponzi schemes, pyramid schemes and advance fee fraud.

The difference between phishing and smishing is simple: ‘phishing’ scams are typically received through email, and ‘smishing’, or ‘SMS phishing’, arrives through text message, hence “SMS.” Spoofing scams are essentially the same thing. Scams often disguise themselves as legitimate.

James McQuiggan, a security awareness advocate for KnowBe4, explained the ultimate goal of cybercriminals.

“They go after one thing: they want money,” McQuiggan said. “Cybercriminals nowadays go after the money by getting into organizations and stealing data.”

He went on to explain the different types of data that could be stolen. “That data could be anything from intellectual property to customer information.”

Ransomware is also common as a part of online scams.

“[Cybercriminals] end up stealing [the data] either selling it or holding it, which we’ve seen a lot of nowadays, holding it for ransom, which is the common ransomware attacks that we see a lot of,” McQuiggan said.

There are a number of ways you can protect yourself from falling victim to this type of criminal activity. One way is to use multi-factor authentication. McQuiggan said, “It’s having multiple ways to authenticate who you are.”

There are also ways to detect if a communication is a scam and/or has malicious intentions. The image below from KnowBe4 shows how to detect social engineering “red flags” and what questions you should ask yourself if you receive a suspicious email.

Social engineering scams happen when cybercriminals try to get people “to take an action that they normally wouldn’t do” in a phishing attack, McQuiggan said. “And in this case, there’s going to be some sort of an emotional lure to it. Something to entice you, whether that’s greed, fear, urgency or some type of helpfulness, it’s going to drive a certain emotion that you’re going to want to react to very quickly and click on that link.”

He further explains that when it comes to phishing emails, “It’s always good that if you see something weird, or you feel the need that you have to click on it, because of whatever emotional reason, take a moment, take a step back, look at the email, [and think to yourself], ‘Is this an email you’re expecting? Is this somebody you know?’ and go through a series of questions.”

Here is an example of a phishing scam through email that caused someone to take an action prompted by an emotional response:

You look at your email account. It says you have a new message from PayPal. You look closely and to your surprise, the email reads that suspicious activity has been detected on your PayPal account and that you need to follow the link in the email to log in and re-activate your PayPal account.

You immediately freak out, because you wonder if “suspicious activity” means that your account has been hacked. You follow the email link as instructed and log in with your email and password. After feeling relieved, you move on with your day.

One day later, you notice funds taken from your account and sent to someone you don’t know, which starts the anxiety cycle back up.

What ultimately happened in this example is that the email that you got was not from PayPal, but instead an email that only looked like it was from the official PayPal website. Once the scammer got into your account with the information that you provided, they sent money to themselves, probably through multiple locations to avoid being tracked down by authorities.

This is a rather simple example. Cybersecurity precautions like two-factor/multi-factor authentication may help prevent something like this from happening, but you should still be extra careful with communications like this that you receive, especially if what you read makes you feel scared. That is the scammer’s goal, because fear will cause you to act quickly and make you less focused and observant. Make sure to read and analyze the email addresses and phone numbers that messages come from, especially if the message is something regarding personal finances or anything similar.

However, if something like this does happen, it is important to know how to act to mitigate the damage.

Although you can never fully prevent yourself from receiving scam messages with malicious intent, you can keep your information from being at risk by paying close attention to where and to whom you give that information.

You can report phishing scams to the Federal Trade Commission.

You can view info on different types of scams here.

Here is a link for Social Engineering Red Flags.