Phishing Scams:
How to Identify & Handle Them

Phishing (yes, that is how it's spelled) is when scammers attempt to trick you into giving them sensitive information such as passwords, credit card information, or your social security number while posing as a trusted entity. They will often claim to be a customer service representative for your bank or another company you have purchased products from to gain your trust. Sometimes, they will claim to be a security officer or even a government worker to scare you into doing what they say. However they present themselves, their ultimate goal is to obtain information that will grant them access to your emails, bank accounts, or your personal technology for their financial gain. 

• Type of Contact: QR code or URL/link

• What They Might Say: 

  • • Claim to be a login page to access your account/order information

    • Claim to be a password reset page

    • Ask you to fill out a form to confirm interest in a job/product/service/event

• Red Flags: 

  • • URL has "sites.google" instead of just the company's domain

    • URL does not have the company's domain name in it or is misspelled

    • The webpage's format is different from what the site usually looks like 

    • Login windows don't detach from the browser or move off the webpage

• What To Do:

  • • Don't enter any information, not even false information

    • Don't click on anything on the webpage, especially any "submit" or "confirm" buttons

    • Close out the page, ignoring or closing any messages that pop up on the page

    • Make sure that popups and automatic downloads are disabled on your computer/browser

As the saying goes, knowing is half the battle. Being aware of the type of scams that exist and what they might look or sound like is one of the best ways to learn how to identify scams. However, it can be difficult to memorize every type of phishing scheme -- especially when new techniques are being developed every day by attackers. Instead, you can learn how to root out legitimate communications from scams. 

When you next receive an email, text, or voicemail claiming there is an emergency situation that you must act on immediately, make sure you do the following things first:

1. Check the Sender

   • Text messages should be from phone numbers, not from emails with gibberish for a username

   • Emails from corporate entities should have their company name as the domain, not google.com, hotmail.com, or some other mainstream mailing provider

     • • To recap, the domain is everything after the @ symbol in the email address 

       • You can also reverse-search the email to see if it appears in job boards or online company rosters

   • If the caller's location is from a place you don't recognize, don't answer it

2. Ask Questions

   • If in a call, demand the person identify themself and where they are calling from

     • • If they refuse to give their name or company's name and instead try to steer you back to the "emergency," hang up

   • Ask them where they got your information from

     • • If they say they got your number from a database, hang up. It's a cold-caller trying to sell you something

3. Contact the Source

   • If you suspect the initial call, email, or text is a scam but want to confirm there is no issue, you can contact the place where the supposed "emergency" originated from

     • • If the person claimed there was fraudulent activity on your credit card, call your bank directly to confirm

       • If they claimed there was an issue with your account's password, log in to your account that they claim was locked or flagged, and change your password for that account for good measure

       • If a text tells you to click their link to pay an overdue bill or confirm information, go directly to the website they claim to be contacting you from instead of clicking the link

         1. • Example: If the text says they are from the Department of Transportation and want you to click a link to pay for or dispute a ticket, go directly to azdot.gov instead of clicking on the link

4. Do Some Research 

   • Look up the names of companies or the people who are contacting you if they gave you a name

     • • Most companies will have a publicly available employee roster

   • See if other people have reported receiving the same message(s) as you did and whether those messages were part of a scam

Spear phishing is a specific type of phishing that occurs when scammers do research on you before contacting you. They may look at your social medias or job board profiles to gather information about who you are, who your family and friends are, the places you visit, the things you buy, where you currently work or have worked, and even where you currently live and any places you used to live. This allows them to tailor a scenario that feels legitimate enough to trick you. The level of thoroughness and planning is what makes spear phishing one of the most difficult scams for victims to identify and protect themselves against. 

Messages from spear phishing attackers may take the form of calls, voice mails, text messages, or emails. They can address you by name and claim that someone from your workplace asked them to reach out regarding an issue or that someone from your social circle recommended you for a service or prize game. The amount of information that an attacker has obtained allows them to respond to anything you throw at them to make them trip up and reveal themselves as a scammer, which means they are more likely to get the information they want from you. 

Sounds scary, right? So what can you do to defend yourself against such a perfectly curated attack? The answer is as complicated as the problem itself. 

1. Get into good password practices

   • Use complicated passwords, not leetspeak phrases or words with certain vowels replaced with symbols

     • • Your school password is a good example of a complicated password 

   • Never reuse passwords for multiple online accounts

     • • If someone gets a hold of your Gmail password that you also used for your bank account, they will be able to access your bank account too. Using different passwords for every account prevents this

       • Take advantage of encrypted password savers instead of saving passwords on your unprotected notepad app

   • Keep tabs on data leak reports and change your passwords when they occur

2. Opt into Multi-Factor Authentication (MFA) for anything that offers it

   • It can be annoying, yes, but it can also be the last defense against an attacker who is trying to get into your accounts

3. Limit how much personal information you post online

   • Keep your social media profiles on Private and never post your locations, home addresses, or places of work

     • • As far as my social media knows, I have been working at Doofenshmirtz Evil Incorporated for the past 10+ years

   • Have a separate email address that you use strictly for work communication and job applications, and don't use that address to make social media accounts or post it on your social media

• Change your password(s)

  • • Change any and all passwords that you suspect are compromised

    • If you used a single password for different accounts, you should change the password for each account 

    • Make sure to select "sign out of all devices" when you change your password

• Reach out to the customer service of the company your compromised account belongs to

  • • If you lost access to an account, you may need to contact the customer service department of the company your account belonged to

• Contact your bank to let them know of the scam if your credit card information was involved

  • • They can help you freeze your card and accounts and issue you a new card with new information

    • Check your accounts for any unauthorized transactions and let the bank know about them as soon as possible

• Contact the Social Security Administration if your social security number was involved

  • • You can report scams and identity theft at the Social Security Administration reporting site

• Report the incident to the Federal Trade Commission

  • • Website: ReportFraud.ftc.gov 

    • Email: forward to reportphishing@apwg.org 

    • SMS/Text: forward to 7726

    • When reaching out, make sure you have:

      • • How and when you think phishers seized your information

        • Bank statements showing unauthorized transactions and/or credit reports with signs of fraud

        • The amount of fraudulent charges

        • The names, phone numbers, and/or email accounts of everyone involved in the scam

• Check your accounts for unfamiliar recovery emails/phone numbers

  • • Scammer can leave backdoors to your account to gain control over your account again

    • These can be checked under your account security settings

• Check your accounts regularly

  • • Keep a close eye on your email, bank, or other accounts for any funny business for the next few months at the very least