Phishing, Vishing, or Smishing

Phishing Scams: How to Spot Them and What to Do – A SCARS Guide to Prevention and Recovery

Phishing is a type of social engineering attack that uses fraudulent emails or text messages to trick victims into revealing personal information, such as passwords, credit card numbers, or other sensitive data.

The Phishing attacker will typically pose as a legitimate entity, such as a bank, credit card company, or government agency, in order to increase the chances of the victim falling for the scam.

NOTE: Phishing scams can look and feel similar to other types of scams, such as romance scams, job scams, and investment scams. But phishers are typically not after the money, they are after information. Often Phishers are after information that they can sell to other cybercriminals

Common Phishing Scam Types

Here are some common phishing scams:

• Password reset emails: The attacker sends an email that appears to be from a legitimate website or service, such as Gmail or Facebook. The email will say that your password has expired or been compromised and will provide a link to reset your password. When you click on the link, you will be taken to a fake website that looks like the real website. The fake website will then steal your password and other personal information.
• Invoice or shipping emails: The attacker sends an email that appears to be from a legitimate company, such as Amazon or UPS. The email will say that you have an invoice or shipping confirmation for an order you never placed. The email will often include a link to click to pay for the order or to track the shipment. When you click on the link, you will be taken to a fake website that looks like the real website. The fake website will then steal your credit card number or other payment information.
• Tech support emails: The attacker sends an email that appears to be from a legitimate tech support company, such as Microsoft or Apple. The email will say that there is a problem with your computer and that you need to call a tech support number. When you call the number, you will be connected to a scammer who will try to trick you into giving them remote access to your computer. The scammer can then steal your personal information or install malware on your computer.
• Government impersonation scams: The attacker sends an email that appears to be from a government agency, such as the IRS or the FBI. The email will say that you owe money or that you are under investigation. The email will often include a link to click to pay the money or to provide more information. When you click on the link, you will be taken to a fake website that looks like a real government website. The fake website will then steal your personal information.
• Sweepstakes or lottery scams: The attacker sends an email that says you have won a sweepstakes or lottery. The email will often include a link to click to claim your prize. When you click on the link, you will be taken to a fake website that looks like the real sweepstakes or lottery website. The fake website will then ask you to provide personal information or to pay a fee to claim your prize.
• Romance scams: The attacker sends an email or text message from someone who claims to be interested in you romantically. The scammer will build a relationship with you and then ask for money or personal information.
• Fake job postings: The attacker sends an email that says you have been selected for a job. The email will often include a link to click to apply for the job. When you click on the link, you will be taken to a fake website that looks like a real job posting website. The fake website will then ask you to provide personal information or to pay a fee to apply for the job.
• Malware attacks: The attacker sends an email or text message that contains a malicious attachment. When you open the attachment, the malware will be installed on your computer. The malware can then steal your personal information or damage your computer.
• Business email compromise (BEC) scams: These scams target businesses and attempt to trick employees into making fraudulent wire transfers or giving up sensitive information.
• Whaling scams: These scams target high-profile individuals, such as executives or celebrities. The attackers will often impersonate someone the victim knows and trust in order to gain their confidence.
• Supply chain attacks: These scams target the suppliers of a company in order to gain access to the company’s systems.
• Smishing: This is a phishing scam that uses text messages instead of emails.
• Vishing: This is a phishing scam that uses phone calls instead of emails or text messages.
• Clone phishing: This is a phishing scam where the attacker sends an email that looks exactly like an email from a legitimate company. The only difference is that the link in the email has been changed to a fake link.
• Spear phishing: This is a phishing scam where the attacker targets a specific individual or group. The attacker will often research their target in order to make the scam more believable.
• Watering hole attacks: This is a phishing scam where the attacker targets a specific website or service. The attacker will then create a fake version of the website or service that looks like the real one. When the victim visits the fake website, they will be tricked into giving up their personal information.
• Angler phishing: This is a phishing scam that targets users of social media platforms. The attacker will often create a fake profile that looks like a legitimate user. The attacker will then send messages to the victim that try to trick them into clicking on a malicious link or providing personal information.
• Pharming: This is a phishing scam where the attacker takes over a legitimate website and redirects users to a fake website. The fake website will then steal the victim’s personal information.
• Malvertising: This is a phishing scam where the attacker injects malicious code into a legitimate website. When the victim visits the website, the malicious code will be executed and can steal the victim’s personal information or install malware on their computer.
• USB drop attacks: This is a phishing scam where the attacker leaves a USB drive in a public place. When someone picks up the USB drive and inserts it into their computer, the malicious code on the USB drive will be executed and can steal the victim’s personal information or install malware on their computer.
• QR code phishing: This is a phishing scam where the attacker creates a malicious QR code. When the victim scans the QR code, the malicious code will be executed and can steal the victim’s personal information or install malware on their computer.
• Fake job scams: These scams offer employment opportunities that are too good to be true. The scammers will often ask for personal information or money upfront.
• Fake dating scams: These scams involve someone pretending to be interested in you romantically. The scammer will build a relationship with you and then ask for personal information.
• Fake investment scams: These scams offer high-return investments that are actually fraudulent. The scammers will often use social media or email to target their victims and get their information.
• Fake government scams: These scams claim to be from a government agency and ask for personal information or money. The scammers will often use official-looking logos or websites to make their scams seem legitimate.

Vishing – Another Type of Phishing Scam

Vishing is a type of social engineering attack that uses phone calls to trick victims into giving up personal information, such as passwords, credit card numbers, or other sensitive data. The attacker will typically pose as a legitimate entity, such as a bank, credit card company, or government agency, in order to increase the chances of the victim falling for the scam.

Here is how a vishing scam typically works:

1. The attacker will call the victim and claim to be from a legitimate entity, such as a bank or credit card company.
2. The attacker will then say that there is a problem with the victim’s account and that they need to verify the victim’s personal information in order to fix the problem.
3. The victim will then give the attacker their personal information, such as their name, address, Social Security number, or credit card number.
4. The attacker will then use the victim’s personal information to commit fraud, such as stealing money from the victim’s account or making unauthorized purchases.

Vishing scams can have a significant impact on their victims. Victims of vishing scams can lose money, have their credit ruined, or have their identity stolen.

Smishing – Another Type of Phishing Scam

Smishing is a type of phishing scam that uses text messages (SMS) to trick victims into giving up personal information, such as passwords, credit card numbers, or other sensitive data. The attacker will typically pose as a legitimate entity, such as a bank, credit card company, or government agency, in order to increase the chances of the victim falling for the scam.

Here is how a smishing scam typically works:

1. The attacker will send a text message to the victim that appears to be from a legitimate entity, such as a bank or credit card company.
2. The text message will say that there is a problem with the victim’s account and that they need to click on a link or call a number to fix the problem.
3. If the victim clicks on the link or calls the number, they will be taken to a fake website or a phone call with the attacker.
4. The attacker will then try to trick the victim into giving up their personal information.

Phishing Can Become a Real Danger

Phishing scams can be used in domestic abuse cases or to track down people at risk in a number of ways. Here are a few examples:

• To gain access to the victim’s accounts: The abuser can send a phishing email that appears to be from a legitimate company, such as the victim’s bank or credit card company. The email will ask the victim to verify their personal information, such as their account number or password. Once the victim provides this information, the abuser can use it to access the victim’s accounts and steal money or make unauthorized purchases.
• To track the victim’s movements: The abuser can send a phishing email that contains a malicious link. When the victim clicks on the link, the abuser can track the victim’s IP address and see where they are located. This information can be used to find the victim and harm them.
• To intimidate the victim: The abuser can send a phishing email that threatens the victim or their loved ones. This can be used to scare the victim and keep them from leaving the abuser.
• To isolate the victim: The abuser can send a phishing email that pretends to be from a friend or family member of the victim. The email will ask the victim to provide personal information, such as their address or phone number. Once the victim provides this information, the abuser can use it to track down the victim and isolate them from their support system.

It is important to be aware of the ways that phishing scams can be used in domestic abuse or stalking cases or to track down people at risk.

If you receive an email or text message that seems suspicious, do not click on any links or open any attachments.

Watch Out for Phishing Scams

Here are some tips for recognizing phishing scams:

• Be suspicious of emails or text messages that ask for personal information. Legitimate companies will never ask for your password, credit card number, or other sensitive information in an unsolicited email or text message.
• Check the sender’s email address carefully. Phishing emails often come from addresses that look like they are from legitimate companies, but they may have misspellings or typos.
• Don’t click on links in emails or text messages unless you are sure they are legitimate. Phishing emails often contain links that will take you to fake websites.
• Be wary of emails or text messages that are urgent or demanding. Phishing emails often try to create a sense of urgency by saying that your account has been compromised or that you need to take action immediately.
• If you are not sure if an email or text message is legitimate, contact the company directly by phone or through their website. Do not reply to the email or text message.

What To Do After It Happens

Here are steps on how to report information theft or identity theft:

1. Gather your information. This includes any documentation you have that may have been compromised, such as your Social Security number, credit card numbers, or bank account numbers. You should also write down the dates and times of any suspicious activity you have noticed.
2. File a police report. This is important to do even if you don’t think the police will be able to recover your money or property. A police report will give you documentation of the crime and can help you dispute any unauthorized charges on your accounts.
3. Place a fraud alert on your credit report. This will tell creditors to take extra steps to verify your identity before opening new accounts in your name. You can place a fraud alert by contacting each of the three major credit bureaus: Equifax, Experian, and TransUnion.
4. Monitor your credit report. You should check your credit report regularly for any signs of unauthorized activity. You can get a free copy of your credit report from each of the three major credit bureaus once per year at AnnualCreditReport.com.
5. Close any accounts that have been compromised. This includes any accounts that you think the thief may have accessed. You should also contact your bank or credit card company to report the fraud and request a new card or account number.
6. Place a credit freeze on your credit report. This will prevent anyone from opening new accounts in your name without your permission. You can place a credit freeze by contacting each of the three major credit bureaus.
7. Take steps to protect your identity. This includes changing your passwords, using strong passwords, and being careful about what information you share online. You should also consider using a credit monitoring service to help you keep track of your credit report and identify any unauthorized activity.

Here are some additional things you can do after reporting information theft or identity theft:

• Contact your insurance company. If you have identity theft insurance, you may be able to file a claim and receive reimbursement for some of your losses.
• Be patient. It can take time to recover from identity theft. Be patient and persistent, and don’t give up.

If you have been the victim of information theft or identity theft, it is important to take action immediately.

Remember

Just remember that you are not an expert in cybercrime, the scammers or cybercriminals are!

You will not know all the ways that these criminals can come after you or try to obtain your information. Follow the tips above for your own safety and talk to your family and friends about this too – especially trusting children, teens, and the elderly – they are in the most danger!