Phishing Demystified: A Simple Guide to Online Scams for Everyday Internet Users

Understanding Phishing

Phishing is a scam where fraudsters trick you into sharing sensitive information, like passwords or credit card details, by pretending to be a trustworthy person or organization through emails, texts, or phone calls.

Sample Phishing emails

#1 – Technical Support Scam

Source: Microsoft

Scammers use fear tactics to deceive you into paying for unnecessary technical support for fake issues. They may impersonate well-known brands, like Microsoft, the most spoofed brand in 2021, and present device issues in technical terms.

The message may warn that you will see error messages when opening files or running a scan, but these warnings are just phishing bait. Tech support scams typically ask for money to fix non-existent problems, and granting remote access to your device can lead to malware or ransomware being installed.

To spot scams, remember that legitimate companies won’t contact you about device issues. Be cautious with remote access requests, don’t enroll in suspicious maintenance programs, verify the sender’s address, and never share financial information.

#2 – Bank Scam email

When your bank reaches out about suspicious activity, you pay attention. Cybercriminals exploit this by sending fake emails, texts, or calls related to account transactions, aiming to obtain sensitive information like usernames, passwords, and account details.

Bank scams function like other phishing schemes, with scammers impersonating banks like Chase, Wells Fargo, or Bank of America. The email may include false transactions or withdrawals, and providing information could lead to identity theft or drained funds.

To spot scams, check the sender’s details to ensure it’s from your bank’s official domain. Look for unusual language, spelling, or grammar errors, and odd formatting. If you receive an urgent request to verify your identity or unlock your account, it’s likely a phishing attempt.

#3 – Social media phishing email

Scammers utilize social media phishing emails to steal personal information, sell it on the Dark Web, or access financial accounts, often targeting corporate email addresses. A common phishing email might claim to be from a social media site’s support team, like LinkedIn.

In social media phishing scams, the scammer might pose as Instagram’s “Copyright Center” to trick recipients into clicking on a phishing link. They claim there are copyright violations that can be “verified” by logging in. Always examine the sender’s email, as it might not be an official address. Clicking the link and signing in could grant the scammer access to your data or hack your account.

To identify scams:

  1. Check if the link’s destination matches the claimed social media site.
  2. Watch out for requests to download attachments.
  3. Verify the sender’s address comes from the site’s official email.
  4. Look for odd spacing, strange layouts, or suspicious account images.

#4 – Account suspension phishing email

Phishing scammers often send account suspension emails, pretending to represent institutions like Bank of America or well-known companies like Amazon, claiming your account has been suspended.

How account suspension scams work:

  1. The scammer instructs you to click on links for information on reactivating your account. These links may lead to malware downloads or to fake pages that request personal information, such as passwords and account numbers.
  2. Clicking the link could infect your device, while providing information allows the scammer to hack your account.

How to spot them:

  1. The sender’s name and email address may seem legitimate, but watch for extra wording, such as “fraud department.”
  2. Be wary of short and vague subject lines.
  3. Beware of requests for your password.

#5 – Tax refund scam email

Source: ABC7 Chicago

Another common phishing scam tactic involves impersonating the IRS. Scammers may send fake IRS emails, asking for money or personal information, often with urgent subject lines.

How tax refund scams work:

  1. Scammers send messages about refunds, directing you to a fake IRS site via a phishing link. The message claims you’re eligible for a refund and asks you to log in to their website.
  2. Entering personal information, like your SSN or bank account number, hands it over to the scammer.
  3. Scammers may also install malware by asking you to open an attachment, or request your W-2 form to steal your identity.

How to spot them:

  1. Check the email’s origin. Fraudsters may use fake IRS names, so hover over the name to see the real email address. If it’s not a “.gov” address, it’s a scam.
  2. Protect your devices and home network with a VPN and antivirus.
  3. Be aware that the IRS won’t ask for personal information or payment via email.
  4. Avoid opening attachments, as the IRS typically doesn’t send them in official emails. Opening one may download a virus.

#6 – Google Docs Scam

Source: Wired

In May 2017, the “Google Docs worm” phishing scam spread rapidly, wreaking havoc for users. Scammers stole emails and contact lists from Gmail accounts by registering a third-party web app that impersonated Google Docs, tricking people into believing the access requests came from friends.

When recipients granted access, the scam email was automatically sent to their contacts. Despite Google’s efforts, the scam persists.

How the Google Docs scam works:

  1. Clicking the link takes you to a Google-hosted page listing your accounts. You’re asked to choose an account and grant access to a fake “Google Docs” third-party app.
  2. By clicking “Allow,” the fake app can read your emails and send scam emails to your contacts, eventually infecting everyone who has ever emailed you.
How to spot them:

It’s difficult to spot before falling for it, but you can check the small “Google Docs” link on the Google-hosted page and review the app’s requested permissions. The real Google Docs already has access to your account and never appears as a separate third-party app, so if you see an app called “Google Docs” in your list of connected apps, remove it.

#7 – SMS-based phishing scams (smishing)

SMS phishing scams, or “smishing,” involve fraudulent text messages sent to deceive recipients into sharing sensitive information. Scammers may impersonate banks, government agencies, or popular brands.

To spot smishing scams:

  1. Watch for unsolicited messages from unknown senders.
  2. Be cautious of urgent requests or offers that seem too good to be true.
  3. Check for suspicious URLs before clicking on any links.
  4. Don’t respond to requests for personal or financial information.
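The spot-the-scam rules in sections #2 to #5 and #7 (sender address on the official domain, link destination matching the claimed site, a “.gov” address for the IRS, extra wording like “fraud department” in the sender name, unexpected attachments, urgent “verify your identity” language) can be applied mechanically. The checker below is an added example written for this guide; it is not code from the original page. The brand-to-domain table, the sample messages and every domain in them are constructed placeholders, and the rules are deliberately conservative: they flag anything that fails a check rather than trying to prove a message is safe.

```python
"""Apply the guide's spot-the-scam rules to a raw email (added example).

Assumptions (all hypothetical): the message is RFC 822 text, the caller
states which brand the message claims to be from, and OFFICIAL_DOMAINS is
a constructed lookup of the domains that brand really sends from.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed lookup: placeholder domains, not real brands.
OFFICIAL_DOMAINS = {
    "examplebank": {"examplebank.example"},
    "irs": {"irs.gov"},
}

# Phrases the guide singles out as pressure tactics.
URGENCY_WORDS = ("urgent", "immediately", "suspended",
                 "verify your identity", "unlock your account")
URL_RE = r"https?://[^\s\"'<>)\]]+"


def hostname(url):
    """Lower-cased host of a URL ('' if it has none)."""
    return (urlparse(url).hostname or "").lower()


def is_subdomain_of(host, domain):
    """True if host is domain itself or a label under it (not a look-alike)."""
    return host == domain or host.endswith("." + domain)


def extract_text_and_attachments(msg):
    """Collect text parts and attachment filenames from a parsed message."""
    texts, attachments = [], []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        disposition = part.get("Content-Disposition", "").lower()
        if disposition.startswith("attachment"):
            attachments.append(part.get_filename() or "<unnamed>")
        elif part.get_content_type() in ("text/plain", "text/html"):
            texts.append(part.get_payload(decode=True).decode("utf-8", "replace"))
    return "\n".join(texts), attachments


def check_email(raw, claimed_brand):
    """Return a list of findings; an empty list means no rule fired."""
    msg = message_from_string(raw)
    findings = []
    display_name, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2].lower()
    official = OFFICIAL_DOMAINS.get(claimed_brand, set())

    # Sections #2, #3, #4: the sender must really be on the official domain.
    if not any(is_subdomain_of(sender_domain, d) for d in official):
        findings.append(f"sender {addr!r} is not from an official {claimed_brand} domain")
    # Section #5: anything claiming to be the IRS must come from .gov.
    if claimed_brand == "irs" and not sender_domain.endswith(".gov"):
        findings.append("claims to be the IRS but the address is not .gov")
    # Section #4: extra wording bolted onto a plausible sender name.
    if re.search(r"fraud department|support team", display_name, re.I):
        findings.append(f"display name carries extra wording: {display_name!r}")

    text, attachments = extract_text_and_attachments(msg)
    # Sections #3 and #7: every link must land on the claimed site.
    for url in re.findall(URL_RE, text):
        host = hostname(url)
        if not any(is_subdomain_of(host, d) for d in official):
            findings.append(f"link {url} points to {host!r}, not the claimed site")
    # Section #5: official notices do not carry attachments.
    for name in attachments:
        findings.append(f"unexpected attachment: {name}")
    # Sections #2 and #7: urgency is the pressure lever.
    haystack = (msg.get("Subject", "") + " " + text).lower()
    if any(w in haystack for w in URGENCY_WORDS):
        findings.append("urgent/verification language in subject or body")
    return findings


# Constructed sample messages (placeholder domains throughout).
SAMPLE_SCAM = """\
From: "Example Bank Fraud Department" <alerts@examplebank-secure.example>
To: you@example.org
Subject: URGENT: verify your identity to unlock your account
Content-Type: text/plain; charset=utf-8

We noticed a withdrawal of $950.00. Log in now to verify:
https://examplebank.example.login-check.example/verify
"""

SAMPLE_LEGIT = """\
From: "Example Bank" <notices@examplebank.example>
To: you@example.org
Subject: Your monthly statement is available
Content-Type: text/plain; charset=utf-8

Your statement is ready at https://www.examplebank.example/statements
"""

if __name__ == "__main__":
    for label, sample in (("scam", SAMPLE_SCAM), ("legit", SAMPLE_LEGIT)):
        print(label, check_email(sample, "examplebank"))
```

Note that `is_subdomain_of` compares whole DNS labels, so a look-alike such as `examplebank.example.login-check.example` fails the check even though it starts with the real domain; a plain substring test would have passed it. The same two helpers apply to a URL pasted from a text message.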

Take a phishing test

By testing your ability to spot phishing emails and scams, you can improve your awareness and reduce the risk of falling victim to such attacks.
