Phishing is when someone tries to “fish” out information from you by pretending to be someone else. Have you ever gotten an email from your bank or credit card that looked suspicious? They usually say something ominous like “there’s been a security breach, we will need you to log into your account and provide your social security number to prevent account closure.” They’re designed to get you to panic and unwittingly click on the link, which takes you to their fake website to collect your information.
Once you try to log into their site with your legitimate credentials, you’re screwed. You’re screwed because they will have captured all the information they need to pretend to be you for just long enough to either steal your money or set up their systems in order to steal your money.
What’s unfortunate is that we’re usually pretty aware of this type of stuff when it comes to banking. A strange email from “Bank of America” is going to set off our fraud radar but a similar one from Twitter or Facebook might not. A lot of social sites send a barrage of notification emails for when people send you a message, when someone adds you as a friend, or when you need to do something in a game. The deluge of email can lower our guard and someone trying to steal your Facebook account might sneak through. While losing your Facebook account is not as bad as losing your bank account, there are still costs to losing it as the thief might pretend to be you and ask your friends for money (the classic “I was traveling in London and was mugged, please wire me money!”).
How do you identify a phishing attack? First, use an email service that has the ability to identify the sender of emails. Gmail, which is 100% free, will tell you if they think the sender’s information (who the emailer says he is) doesn’t match the email header’s information (which computers the email has passed through). Alternatively, if you are computer savvy, you can view the headers yourself for anything strange.
Next, never click on a link in an email. If it’s from Bank of America, go to the Bank of America website. If it’s Citi, go to the Citi website. You might have to jump through a few hoops to find the source but it’ll be worth it.
Finally, phishing goes beyond emails, thieves are also known to call or text you. If someone does call you, the best option is to call them back through the company’s Customer Service number. Ask them for a transaction ID or a call ID number they can reference to speed up the process (if it’s fraud, they usually assign some number). If you think it’s really them, make them authenticate themselves with your information. If they really are with the company, they will have that information. If they aren’t, they’ll probably hang up (remember, it’s a volume business).
In the end, the safest way to interact with a company is to call them directly yourself. If you suspect something is wrong, give them a call and you can sort it out. This will take some extra time but it’s far less than what you would spend if you were the victim of a phishing attack.