In an age of widespread identity theft and cybercrime, it’s very important that you safeguard your sensitive personal information (SPI). Examples of SPI include your social security number; login details for social media accounts, online retail sites, and bank accounts; your vehicle registration plate number; and credit card numbers.
You may use background report providers like MyLife.com to prevent your sensitive personal information from being exposed. Background report providers allow their members to see the sites that expose their SPI and remove the data directly with one click. Users also receive alerts if their data appears or is stolen in data breaches.
By removing your SPI from public sources, you can prevent cybercriminals from accessing personal data which they can use against you in phishing scams and other internet scams.
The Dirty Art of Phishing
Every day, hundreds of millions of phishing emails that target the customers of banks, online payment systems, retailers, and other institutions are sent by cybercriminals. According to statistics gathered by the Government of Canada, about 80,000 people fall for phishing scams every day, and the results can be devastating for victims.
Phishing is an illegal attempt to obtain your sensitive information, such as usernames, passwords, social security number, and credit/debit card details. The cybercriminal may pose as a trustworthy entity in electronic forms of communication such as email and chat.
The email or chat message will ask targets to click on a hyperlink. This hyperlink usually leads to a spoofed website, and targets will be asked to provide sensitive information on this website. The spoofed website may be infected by malware, and a Trojan may be installed on the victim’s computer.
Generally speaking, people continue to fall victim to phishing scams because they do not know how these scams operate and because they haven’t been properly educated about internet fraud.
The Latest Phishing Scam Targeting PayPal Customers
On March 7, 2016, the online watchdog Hoax-Slayer reported on the latest phishing scam targeting the clients of PayPal. The phishing email, supposedly sent by PayPal, claims that the user’s account has been closed because the company is concerned that someone has been using the account without the user’s knowledge.
This email did not come from PayPal, and the information in it is not true. This phishing scam tricks users into divulging their PayPal account login details to cyber criminals, who then use the stolen information to perform illegal activities.
The email further states that users can reactivate their accounts by clicking a button and logging into PayPal. Those who click on the button will be directed to a fake website that contains a fake PayPal login box.
If users enter their PayPal email addresses and passwords and then click the “login” button, the fake web page will simply reload. By then it would be too late, as this information will be sent to the phishers, who will use the stolen login information to do the following:
- Access the victim’s account and perform a number of illegal activities such as transferring funds to other accounts and making purchases. The phisher may also change the password, which locks the real owner out of his account.
- Gain access to the victim’s credit card details and make purchases that are charged to the victim’s account.
- Steal the victim’s identity (if the scammer has gained enough sensitive personal information). The scammer will use the stolen identity to commit criminal activities in the victim’s name.
How to Spot a Spoofed Email Sent by a Phisher
Spoofed emails sent by phishers can be hard for the untrained eye to spot because such emails copy the institutions they’re trying to impersonate right down to the logo, secondary links, contact information, copyrighted information, and style of communication.
Listed below are some of the tell-tale signs that indicate an email message is probably spoofed:
- The “TO” field of the email is blank or is for another person.
- The email is unsolicited and contains an urgent request for personal information.
- The email has numerous grammatical or typographical errors.
- The email has a link or submit button. When you hover over the link, it shows a suspicious address that differs from the one displayed.
- The email has an attachment.
- The email contains a generic greeting (e.g., “Dear account holder”), though social engineering may also be used to personalize the email to its target.
Genuine messages from PayPal always address recipients by their full name and never use generic greetings.
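The checks listed above can also be run automatically over a raw message. The following is an added example, not part of the original article: it tests five of the six signs (grammatical errors are left out), and the function name `spoof_signs`, the sign labels, the keyword patterns, and the sample message are all constructed for illustration.

```python
import email, re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse
# Constructed sample message (not a real capture); hosts are placeholders.
SAMPLE = """\
From: "PayPal" <service@paypal.example>
To: undisclosed-recipients:;
Subject: Your account has been closed
Content-Type: text/html; charset="utf-8"

<p>Dear account holder, your account has been closed. Log in immediately.</p>
<a href="http://login.example.net/pp">https://www.paypal.com/signin</a>
"""
GENERIC = re.compile(r"dear (account holder|customer|user|member)", re.I)
URGENT = re.compile(r"\b(immediately|urgent|account has been (closed|suspended))\b", re.I)
DOMAIN = re.compile(r"(?:https?://)?([\w.-]+\.[a-z]{2,})", re.I)

class Links(HTMLParser):  # collects [href, visible text] for each <a>
    def __init__(self):
        super().__init__()
        self.found, self.open = [], False
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.found.append([dict(attrs).get("href") or "", ""])
            self.open = True
    def handle_data(self, data):
        if self.open:
            self.found[-1][1] += data
    def handle_endtag(self, tag):
        self.open = self.open and tag != "a"

def spoof_signs(raw, recipient):  # returns the signs found in one raw message
    msg = email.message_from_string(raw, policy=policy.default)
    part = msg.get_body(preferencelist=("html", "plain"))
    body = part.get_content() if part else ""
    links = Links()
    links.feed(body)
    def mismatch(href, text):  # displayed domain differs from the real target
        shown, host = DOMAIN.search(text), (urlparse(href).hostname or "").lower()
        d = shown.group(1).lower() if shown else host
        return host != d and not host.endswith("." + d)
    return [name for name, hit in (
        ("to_blank_or_other", recipient.lower() not in str(msg.get("To", "")).lower()),
        ("generic_greeting", bool(GENERIC.search(body))),
        ("urgent_request", bool(URGENT.search(body))),
        ("attachment", next(msg.iter_attachments(), None) is not None),
        ("link_mismatch", any(mismatch(h, t) for h, t in links.found)),
    ) if hit]
```

A message that trips several signs at once deserves more suspicion than one that trips a single sign, since legitimate mail also carries attachments and links.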
What to Do If an Email Looks Suspicious
If you receive a suspicious email like this from a sender claiming to be PayPal, report the phishing scam immediately. You should forward the entire email to spoof@paypal.com.
Targets are advised not to alter the subject line or forward the message as an attachment. Once it has been reported, the suspicious email has to be deleted. Just as importantly, targets should not click any links or download any attachments within the suspicious email.
Upon receiving the scam report, PayPal will look into the issue and will email a response to let targets know if the email is indeed fraudulent.
Protecting Yourself from Phishing Scams
As a general rule, be suspicious of any email, chat message, or text message that urgently requests your financial information. Listed below are additional tips:
Be Careful with Links
Avoid clicking on links in emails or instant messages that direct you to other web pages if you suspect that the message might be from a phisher, or if you don’t trust the sender’s/user’s handle.
Make it a point to hover over the link to see if the URL directs you to a suspicious address. For touch-based devices, like smartphones and tablets, users should press and hold the link rather than tap to reveal the link’s true URL.
Avoid Readily Sharing Your Personal and Financial Information
You should guard your sensitive personal information such as your credit/debit card information, social security number, and account login details. To avoid identity theft and other forms of fraud, you should avoid giving out your personal and financial information unless it’s really necessary and safe.
You should also avoid filling out forms in email messages that ask for personal and financial information, and avoid giving out such information over the phone to untrusted sources.
Restrict Access to Your Personal Social Media Profiles
While you can use your professional social media profiles to build a positive online reputation and network with other professionals, you should restrict access to your private social media profiles so that only trusted contacts (such as family members and close friends) can view the information you share.
A lot of personal information can be gleaned by cybercriminals from publicly-accessible social media profiles. This information can be used to craft highly targeted phishing emails which trick victims into giving out their SPI.
Visit Only Secure Websites and Install a Web Browser Toolbar
Always ensure that you’re visiting secure websites when submitting credit/debit card information and other sensitive information. The address of the web page should start with “https://”, and the lock icon should be displayed in the browser’s status bar. If these aren’t present, that means the site isn’t secure and any information you enter won’t be protected. The reverse does not hold: “https://” and the lock only show that the connection is encrypted, and spoofed websites can have them too, so also check that the domain in the address is the one you expect.
Also, consider installing a web browser toolbar to protect you from fake websites. These toolbars match the websites you’re trying to visit against a list of known phisher websites and will alert you to the danger.
Recovering from Phishing Scams If You’ve Been Victimized
Unfortunately, it can be difficult or close to impossible to track down scammers should you be victimized. These cybercriminals use fake addresses and relay points around the globe, and usually shut down the servers and addresses used in scams in less than 24 hours.
Listed here are some tips to follow if you’ve been victimized by a phishing scam:
- Go to the official website of the Federal Trade Commission (FTC) to file a complaint or log an identity theft concern. The FTC’s “Privacy and Identity” page has useful tips on credit freezes and identity theft repair.
- Contact the Attorney General’s Office in your state and log a complaint.
- Contact the three credit bureaus (Experian, TransUnion, and Equifax) and place a fraud alert on your social security number.
You can help combat phishing scams by reporting them to watchdog groups like Hoax-Slayer as well as the relevant authorities. Keeping others up to date about the latest tactics used by phishers helps minimize the threat of identity theft and data breaches.