Phishing scams–so-called because they bait victims into “biting” and handing over cash and personal information–are some of the fastest growing scams in the world. Phishing scams have grown by 65% in the past year, and 76% of businesses fall prey to phishing attempts every year. These scams cost individuals and companies millions of dollars in damages.
The most basic phishing attempt consists of a scammer reaching out in some way and presenting himself as someone he’s not in an effort to convince you to either give him money or information he can use to take your money later. He might offer you a product, service, or some kind of counseling to entice you, or he might make threats to scare you into coughing up your information (think the latest “you owe the IRS” scams going around).
Phishers–like a great many other kinds of scammers–frequently target seniors due to their retirement accounts, assets, the variety of opportunities and narratives a scammer has to dupe seniors, and most importantly the isolation and loneliness that many experience with age. And since the majority of phishers use the internet to contact and deceive their victims, it is likely thought many seniors won’t have the technical wherewithal to notice the red flags of a scam.
Here are three common ways you might encounter a phishing scam:
Phone calls
Responding to recent data breaches and an overall increase in fraud related to identity theft, Medicare beneficiaries received replacement Medicare cards featuring new Health Insurance Claim Numbers (HICN). Previously these numbers were based on the cardholder’s SSN, making seniors vulnerable to identity theft should they have their card stolen or copied.
Ironically, scammers used this security update as an opportunity to extract tons of sensitive information–including the SSNs Medicare was trying to protect–from beneficiaries who believed they were providing a legitimate agency with details related to the card update.
In reality, they were being phone-phished by scammers pretending to work for Medicare. In one scenario victims were told they’d need to pay for their replacement cards and were prompted for bank account numbers, credit card numbers, or asked to wire money for the fee. In another, they were told in order to receive the updated card, they’d have to verify or provide personal information.
In both cases, these phone numbers were often “spoofed” to appear as though the call were coming from a legitimate source, and callers came prepared with the name of the target.
Websites
It is estimated 46,000 phishing websites are created every single day, with an average of 1.4 million every month. These websites reach us via the email, social media links, and advertisements we view every day. Most masquerade as seemingly legitimate online stores or services, and more insidious versions are designed to mimic and sometimes totally replicate a well-known company or agency website.
Take for example the Google login page. Gmail is an incredibly popular web-based email service that millions of people log into every day. We all know the simple yet highly identifiable white login screen:
Actually, this isn’t the Google login page. This was a phishing site that was stealing users’ Google account credentials in order to gain access to their personal data.
THIS was the legitimate Google login page at the time:
This is how sinister these sites can be. To recognize the fake from the authentic, the user would have had to notice the serif font in the Google logo (Google abandoned its famous serif font for the sans-serif font seen on the authentic image in 2015) and the lack of a two-prompt login process (meaning you are prompted to enter your email first and then your password on the next screen instead of both on one screen–another change Google made in 2015).
Would you have paid that much attention? Do you even know the Google login that well? Most people probably don’t.
Now imagine it’s a Medicare site. Or a Social Security Administration website. Or an online pharmacy offering amazing deals on critical prescription medications. Maybe it’s a seniors dating service or a seniors travel club or a retirement community. All you need to do to access your amazing deal or offer is enter your name, your address, your phone number, your SSN, your credit card number, your bank account number, or enter the login details to your existing my SocialSecurity account or email.
According to the Canadian government, over 156 million phishing emails are sent every single day–and despite our best attempts to identify and destroy these mass emailings, as many as 16 million malicious emails sneak past spam filters daily.
Email is without a doubt the go-to weapon in every cyberattacker’s arsenal. Not only is it a great way to communicate with a victim or coax a victim toward a phishing website, but it opens the door to just about every way an online attacker can access your data, your devices, and your network.
As much as 91% of ALL cyberattacks begin with a simple email.
Typically the goal of these emails is to use trick the recipient into clicking a link to a phishing website. Like the websites, these emails can be cleverly disguised to mimic the branding of a trusted website, vendor, or online portal. But a scammer may reach out directly to message and manipulate an intended victim–such as in the now famous “Nigerian Prince” scam.
But these emails can be particularly harmful when they act as vectors for malicious code. Some of the most devastating exploits and infections in the history of the internet were released into the digital wild via an innocuous-looking email attachment.
A sophisticated cybercriminal can disguise just about any flavor of data-stealing, device-damaging malware (Cofense estimates over 97% of phishing emails now contain some kind of ransomware, a particularly brutal and usually irreversible malware that encrypts your hard drive until you pay a ransom for the decryption key–if the attacker plans on giving you that key at all).
And don’t be too hasty in thinking you’d instinctively recognize a malicious message or attachment: Intel found 97% of users globally are not able to identify a truly clever phishing email.
How to recognize a phishing scam
- Don’t trust anyone who contacts you and demands money or sensitive information on the spot. This is not how ANY legitimate business or agency does business. Email and phone are unsecure–nobody looking out for your best interests will demand SSNs and bank account numbers over these channels. And most of the agencies these people pretend to be from (like Medicare) will NEVER call you or email you asking you this information. They already have it.
- Don’t trust anyone demanding payment with cash or cash-like methods. Wiring money, buying gift cards in round amounts and reading the numbers over the phone, and sending cash are ALWAYS signs of a scam.
- Don’t trust anyone demanding payment or information with threats, pressure, or scare-tactics. Again, this is not how a legitimate agency does things.
- Always, always, always look closely at website URLS. The #1 giveaway that you’ve been navigated to a phishing website is the URL. Before you enter login information or credit card information into a site, check the URL to make sure it matches that of the legitimate site you’re trying to use. Though a phishing site may look dead-on, you’ll often find the URL exposes you aren’t where you should be. Dummy URLs often have long strings of gibberish, subtle misspellings or errors, are missing forward slashes, or don’t have the s in “https”.
- Don’t ever trust forms embedded in emails.
- Check the legitimacy of email links before clicking. Hover your cursor over hyperlinks in emails to show the true link URL. What is displayed in the text may not match the true URL.
- Make sure the sender email address is valid.The sender’s domain address may not be a legitimate email address of the company or agency the sender claims to be part of.
- Ignore pop-up ads that ask for your login or information.
- Use fake passwords to test the legitimacy of a login. A phishing site has no idea if the login credentials you’re using are correct–they will sign you in no matter what username or password you give because they are simply logging what you’ve entered. If you enter a fake username and password into a login screen and appear to be successfully logged into the site, it’s probably a phishing site.
- Don’t assume all links in an email are legitimate if one or two appear to be. It is a common tactic of phishers to hide bogus links in a cluster of legitimate links.
- Don’t click suspicious email attachments for any reason. Unless you are absolutely certain of the identity of the sender, you should never download unsolicited email attachments. The ONLY email attachments you should open are those you are already expecting to receive. Businesses do not send attachments unsolicited.
- Don’t trust display names or email address headers. In the same way a phisher by phone can spoof a phone number, an email phisher can spoof the name of the sender and the headers of email addresses. Always look closely at domains and never take display names for granted.