Prepare To Be Phished
4 Tips To Keep Your Family Safe From Scammers
For the second time in just two days, a friend of mine had their Facebook account hacked. Now, as soon as I said the word hacked, you probably picture someone in their basement somewhere with the lights dark and a green tint coming off their computer monitor as they use advanced coding and trickery to make their way into your account. But most of the time, that's not how it actually works. When we see something like this happen, we want to use the word hack because that’s what it feels like. Someone must have gotten into my account. But actually, this type of scam is not hacking, it's a type of phishing.
Today, the "hacks" that occur are mostly based on social engineering. This means that having antivirus software isn't enough to protect you. Instead, we need to be on the lookout for any email or interaction that causes a strong emotional reaction. Sometimes it will be a negative emotion: you get an email from your bank saying your credit card has been stolen or that you forgot to pay your bill. Other times, it's a positive emotion: someone has sent you a package. Yes! I love packages, I wonder who it's from!? I better sign into my account to see what it is.
All of these are attempts to gather information from you that can be used against you in the future. Or, in the case of financial scams, you could find yourself sending money directly to a stranger. If you've ever fallen for these, I hope you don't feel any shame right now. These types of scams are specifically designed to trick you, and they work on everyone. From the young and naïve, to the old and wise, there is no demographic that is safe. We need to stay current with what scammers are doing so we can proactively protect ourselves with the right settings, and reactively spot the scams when they happen.
Most of these tips are applicable if you are in the workforce, but I am not writing this article for you. I am writing it for your parents, for your aunts or uncles, or anyone else you care about who is vulnerable to these attacks. I'm writing it for you to send off to the people you care about because I am sick of seeing people targeted because they are kind, innocent, and just don't know what to look for. There isn't an organization out there these days that isn't running simulated phishing or teaching their employees about this, and it's because 90% of data breaches are caused by phishing attacks. Therefore, most of us in the workforce know how to spot the scams, but our families might not.
I know all this because someone once taught me what to look for. It's not because I'm smarter than anyone else, it's just because I work in an industry where it matters. It is literally part of my job right now to research phishing. My team creates simulated attacks and learning experiences that prepare organizations to fend off scammers. I love what I do but I find it unfair that anyone outside the corporate world is more vulnerable. So here are some top phishing tips that I think every human adult should know.
Tip #1: Beware the Facebook Friend Scam
Have you ever gotten a Friend Request from someone and thought - wait a minute, aren't we already friends? Maybe this knowledge was enough to give you pause. Or maybe you saw their name and a familiar picture and so you just accepted and moved on. This is one way scammers get past your privacy settings. If you are on Facebook, chances are you have your Privacy set so only your Friends can view your posts and information (if you don’t, you should). This is why Scammers will pose as your friends, so they can get more Personally Identifiable Information, also known as PII, that they can use against you later. Or, they may even reach out pretending to be your friend asking for help or money.
When you receive a Friend Request from someone, click on their Profile. If you only see a couple of pictures and no activity, the request is most likely not coming from them. Look through your Friends list and check if you see their name. It's likely you'll find it there with a lot more activity because you are already friends, and the request you just got is from a stranger.
To protect yourself and your friends from this, be proactive by hiding your Friends List. In your Facebook Account, go to your profile picture in the upper right corner and then click settings & privacy. Then, click Settings. In this menu, select Privacy on the left-hand side and then select "Who can See Your Friend's List" and change it to "Only Me." This will prevent people from stealing your name and picture and going after your friends.
Tip #2: Always Double Check Financial Requests
One of the most common scams I've seen is the Gift Card Scam. This is when someone sends you an email, or maybe a text, claiming to be someone you know. They will come up with some reason why they need you to go out to the store and buy Gift Cards. Then, they will ask you to send them the codes so they can redeem the cards. Before you realize what has happened, you've lost $250. The reason this scam is so easy to fall for is that the people running it have usually already found PII about you. Whether it comes from something like the Facebook Scam or just from public information on social media platforms, scammers will put on a pretty big act to get money from you.
Financial scams can also be more complicated, like pretending to offer you a job or telling you that something is wrong with your account and you need to transfer money right away. To protect yourself from this, always double check financial requests by reaching out directly to that person via a different source. If they sent you an email, then text or call them to make sure it's legit. If it's a business reaching out to you by phone or social networking platform, always go straight to their website.
Tip #3: HOVER before you CLICK
Sending links is the most efficient and secure way to share information these days, which means we are naturally click happy. It's a part of our life to just click and find out more, but links are how scammers gather more information from you. You may assume these attacks will be obvious, but they are more clever than you might think. A common trick is to spoof big organizations like Amazon. When you see a name that you recognize, your guard drops because it looks familiar. When you click on the link, they can even bring you to a website that looks exactly like Google or Amazon or something else you visit every week. You put in your information, hit enter, and never realize that you just sent your personal details off to a stranger.
The next time you go to click on a link in an email, take a second to hover over the link. Trainer friends of mine love to call this hover to discover. When you hover, you can see the URL (website address) that the link is sending you to. When you see the URL, the first thing to look for is at the beginning: you want to see https. The S tells you that the website is secure. If you don't see an S and only see http, this may be a sign that the website is not what you're looking for.
Once you know it is secure, the next thing you want to beware of is a sub-domain. In simple terms, scammers will use names like amazon in their URL so you think it's real, but anyone can create a sub-domain containing amazon. This might be something like this. If you hover over the link you'll see the URL. Depending on your device, it may appear near your pointer, or in a corner of your screen. If you click on it (which I hope you didn't, if you're following my advice) it won't take you to anything that works. With real scams, however, it will take you to a page that looks just like the real thing. Any version of that, where a name like Amazon comes first in the URL but is not immediately followed by ".com", is wrong. The real version should be like this. Any alternatives that direct to legitimate sub-sites will have words that come after the ".com" like this, or this, or this. All those are good. Anything that is amazon.somethingelse.com is not.
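To make the URL reading in this tip concrete, here is a small added example (my own illustration, not code from the article) that applies the same two rules, https first and then "is the real domain right after the brand name", to a few constructed links; `check_link` and `brand_domain` are hypothetical names, and the sub-domain rule is simplified to domains shaped like amazon.com (it does not handle suffixes such as .co.uk).

```python
from urllib.parse import urlsplit


def check_link(url: str, brand_domain: str) -> tuple[bool, str]:
    """Return (looks_legit, reason) for a link, read the way Tip #3 describes.

    brand_domain is the real registered domain, e.g. "amazon.com".
    A link passes only if it uses https AND its host is exactly brand_domain
    or a sub-domain of it (something.amazon.com). Hosts where the brand name
    appears but is not directly followed by the real domain, such as
    amazon.somethingelse.com, fail. Caveat: https only means the connection
    is encrypted; it does not prove who runs the site, so the host check
    is the part that actually catches the look-alike.
    """
    parts = urlsplit(url.strip())
    brand = brand_domain.lower().strip(".")
    if parts.scheme.lower() != "https":
        return False, f"scheme is '{parts.scheme or 'none'}', expected https"
    # .hostname is lower-cased and has any port removed for us.
    host = (parts.hostname or "").rstrip(".")
    if not host:
        return False, "no host in URL"
    if host == brand or host.endswith("." + brand):
        return True, f"host '{host}' belongs to {brand}"
    brand_name = brand.split(".")[0]
    if brand_name in host.split("."):
        # The brand is there as a label, but the real domain does not follow it.
        return False, f"'{brand_name}' appears in '{host}' but the real domain is {brand}"
    return False, f"host '{host}' is not {brand}"


# Constructed sample links for the demonstration; none are real addresses.
SAMPLE_LINKS = [
    "https://www.amazon.com/gp/css/order-history",   # legitimate sub-site
    "https://amazon.somethingelse.com/signin",       # brand used as a sub-domain
    "https://amazon.com.somethingelse.com/",         # brand plus .com, still wrong
    "http://amazon.com/",                            # right host, but no https
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        ok, why = check_link(link, "amazon.com")
        print(("OK  " if ok else "STOP"), link, "->", why)
```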
As a best practice, just don't click on links from emails you get. If you get an email from any organization, go straight to their main website and navigate to where you need from there. That goes for any shipping orders you may get, contact from your bank, computer or business support line, etc.
Tip #4: Don't Check Email On Your Phone
Okay, I realize this one is a tall ask, but hear me out. 96% of phishing attacks arrive by email, and chances are if you are checking your email on your phone then you aren't fully paying attention. This is where scammers get you. You see a subject line that says something like Urgent, Request, or Important (which are the top 3 subject lines used in business email attacks), and you click on it without thinking. Everything I taught you in Tip #3 is much harder to carry out on your phone. Not only is it harder to hover and check links, but you are also more likely to be distracted and react to the emotional draw of social engineering.
Protect yourself by saving your email for when you're on your computer. If the nature of your job or life doesn't allow you to do this, then instead of hovering, press and hold the link and a preview of the address will appear. If you're reading this on your phone right now, scroll back up and try holding down any of the links I shared in the previous tip. If you want to be prepared, practice makes perfect.
Data Source: Phishing Statistics (Updated 2022) - 50+ Important Phishing Stats - Tessian