While phishing occurs when the user is tricked into clicking on a link, “pharming” can be more brutal.  In this case, pharming manipulates the Internet to guide users to a malicious site automatically.  This can be done by manipulating the DNS server (the server which interprets the domain name into an IP address), redirecting users to the fraudulent website even if they type the correct address into the browser.  Or it can be accomplished by malware which alters the DNS settings, forcing the user’s computer to go to the fake one.   This type of phishing is designed to extract your personal and financial information and other sensitive data.  It can be avoided by using secure connections (HTTPS), up to date antivirus software and regularly updating your browser and operating system.

We all have our favorite websites, whether they be your bank, your social network, or a business that you visit often.  Some skilled scammers might be able to use this information to set up a website that resembles this true site.  They might then send you an email to the site which you are familiar with, only to find that this site is now compromised.  This type of phishing is known as “watering hole phishing”.

Phones are not immune to phishing.  In a version known as “vishing”, the scammer will send a short message.  It may be a message which appears to be meant for someone else, or it may be a short message with a link (maybe to a picture from the past).  It can also be in the form of an account closing, a delivery which could not be completed, or many other possibilities.  Another type of phishing for phones is called “smishing” and is a blend of texting and phishing.  In this case, text messages are sent which are disguised as communications from businesses like Amazon or FedEx.  Because they are text, they appear more personal, and we are more apt to click on them.  Again, always go to the company instead of clicking on the link.

We will be seeing an influx of creative phishing in the future, due to Artificial Intelligence.  One of those new forms is known as "quishing", which exploits QR codes. In these scams, attackers embed malicious links in QR codes, which, when scanned, lead victims to fraudulent websites. These websites often mimic legitimate services, prompting users to enter sensitive information like login credentials or financial data.   

Grammatical errors and odd phrases:  Scams are often created in other countries and translated into many languages.  As a result, you may find errors in grammar or odd ways to put together a sentence.  You should read it aloud to see if it makes sense. 

Fake Logos:  When setting up a fake website, the scammer wants to make it look as real as possible.  So they will want to include the logos of the official site.  It is very easy to reproduce a logo, often as easy as copying and pasting it into the site, which can result in a low-resolution logo.  (Unfortunately, with AI, this may not be a tell-tale sign in the future.). 

An odd URL:  We have spent several classes discussing URLS (the web address of a site).  By now, you should be skilled at recognizing the domain where the email or website is from.  Scammers may alter it by a single character.  For example, usbank.com may become usbank.co.  Or usbanc.com.  It is important to look closely at the URL and make sure that it is exactly where you want to go.  A good rule of thumb is to go to the site directly from your device instead of clicking on a link in the email. 

Unsolicited mail:  You may receive an email from a company which you think is legitimate.  It may ask you to complete a survey and say that you will receive a gift card if you do.  These can be especially alluring to users looking for a quick reward.  Another example is an email from a company describing the purchase that you made.  You will then promptly respond by saying you did not order this item, in which case, you will be targeted for more information.

Tech support:  You may receive an email from Best Buy, Apple or Microsoft saying that there is a problem with your device, but they are here to help!  Just contact them via this link and they will assist you online.  This is particularly harmful because you may end up providing them with access to your device and compromising your own privacy.  Just consider this:  How would this company (Microsoft , Apple, Best Buy) know that you are having problems?  They don’t! 

Taxes:  We all file taxes and we all would love to receive a refund.  You may receive an email providing instructions on how to get this refund.  The email will send you to the IRS site.  Only it will be an imposter site.  There is only one website for the IRS, which is irs.gov.  Any other domain is not legitimate! 

Unusual activity:  You may receive an Email warning you about unusual activity from a supposed legitimate company (Microsoft or Wells Fargo), including a link or asking you to call a number.  The scammer will appear to be legitimate and may include things like recording the call, caller ID with the proposed company, or even requesting that you do a 2-factor authentication or answer the special question to gain access to a site (known as CAPTCHA, or Completely Automated Public Turing Test to tell Computers and Humans Apart). 

Suspended accounts:  You may receive a note from a company saying that your account will be suspended if you don’t update your billing information.  It will then ask you to click on a link.  Never access your account via this  method!  Instead, go to the account via your web browser, sign in and update your account via their company portal. 

Social media:  Can you trust those links on Facebook or Instagram?  Likely you cannot.  Often scammers will provide links to products, services or other things which are important to you.  How do they know what you like?  They use social engineering.  So they can target you via your political leanings, your friends, your likes, your personal information on the site and much more. 

Check the Sender: Is it from someone you know?  Is the email address unusual?  Also remember that a scammer can name an email account anything they want.  So, a scammer might gain access to a list of your contacts, and then create an email with your name showing but their email address.  Always double check the email address to see if it is legitimate.  If it does not match what you have, contact them directly.  Do not respond if you do not recognize the email.

File Extension: If the email comes with an attachment, look at the attachment.  You can tell a lot about the file from the name.  The name will include a “file extension” which provides information about the type of file.  Common file extensions for documents are .doc, .pdf, .xls, etc. Be cautious of unusual or double extensions like .pdf.exe. Malicious attachments often use .exe, .scr, .bat, .com, or .vbs extensions.  IF you hover over the attachment, you may be able to find more details.  But in the long run, do not open any file that is not expected.  Instead, contact the sender using another way (call them, visit the website, etc.).  Also, when receiving an attachment, you might be asked to enable macros.  Macros are a set of instructions to perform a task.  They can be used to automate repetitive tasks or to customize a program.  But they can also be used to provide malicious codes to your device.  Avoid enabling macros unless you are certain that the document is legitimate and safe

Grandparent Scams: 

Scammers pretend to be a grandchild in distress, asking for money to resolve an urgent situation.  This contact begins with a question such as “Hi Grandma. Do you know who this is?”  Once the grandparent confirms with a name, the scam begins.  The scammer will tell of an emergency, an arrest, being stuck in a foreign country or other reasons to need immediate financial assistance.

This scam will come with a sense of urgency and a need for quick action.  They will also ask that you not tell family members to avoid embarrassment or legal complications.  They will request money immediately, in the form of non-traceable sources (wire transfers, prepaid gift cards or mobile payment apps).  They will include how to send the funds.

These scams are often followed by further requests due to changes in the circumstances.  It will probably go on until the victim begins to ask questions and then disappear.

Be aware that this exists.  You might want to set up a code word or phrase that can be used to identify family members in emergencies.  Also, remember to pause and verify these calls. Do not share any personal information with the scammer (or anyone that you are not sure of the identity of) and report the scam if you are a victim.

Artificial intelligence has created ways to clone voices, which can make this type of scam even more difficult to determine.  Realize that this exists, and contact someone directly who can confirm that it is legitimate.

Romance Scams: 

Online dating sites have become a fountain of opportunity for scammers.  In this example, scammers create fake profiles, build relationships over time with their victims, and then ultimately exploit them financially using the emotional connection they have established. 

Romance scams start with their profile, using attractive photos and interesting narratives to lure victims.  They then establish a relationship which can last for weeks or months.  They may transition the communicating form the dating site to personal sites like email, text and phone calls.  Once that relationship has been established, they will share a story about a medical emergency, travel costs to visit the victim, legal troubles or business financial issues and will request money to help.  Payment will be a form that is hard to trace or recover, such as wiring money, using prepaid gift cards, or cryptocurrency.  After exploiting the victim, they may either continue or simply vanish.

There are red flags for potential scammers with a romance scam.  They include:

• Profiles that seem too good to be true, or a romance that quickly escalates to love or deep affection before meeting the person

• Typically, scammers will avoid face-to-face contact.  They may also avoid video calls or provide excuses on why they cannot meet in person or by video.

• Any time where a relationship shifts to assistance financially is a red flag!

• Scammers may include a sense of urgency to the request, pressuring their victim to act quickly

• Sometimes, scammers will move to the private channel (email, phone call).  Although this may seem OK, it is being done to avoid detection.

How can you protect yourself from a romance scam?

If you have experienced any of the red flags, and this person is asking you for financial help, you can first verify their identity.  Use online searches, submit their image via a reverse image search and confirm that they are who they are.  Stick to the dating service platform.  Never send money to someone you have met online.  Talk with your family and friends, who might offer a more objective view of the situation.  And, if you suspect that you are a victim, report it.

Home Improvement Scams: 

These contractors often target homeowners who are looking to make improvements.  They may comb a neighborhood door-to-door, offering services (roof repairs, driveway sealing, landscaping) at significantly reduced rates, or simply saying that they are in the neighborhood and have leftover materials.  After natural disasters (fire, flood) they may target affected homeowners offering quick repairs.  In this case, they are taking advantage of the urgency to fix the property.  They might also advertise through flyers, newspapers or online platforms, promising low prices for their services.  Some might entice older adults by promising a senior discount.

Some red flags can be seen in their pitch.  They may offer a too-good-to-be-true offer, claiming that you must act now to get this price.  They may include pressure to act immediately and avoid other quotes.  They will typically ask for a substantial upfront payment.’

The scam can be a failure to start of complete the work.  Or, if the work is done, it can be substandard (poor quality, subpar materials, unskilled labor).  They might even just disappear after receiving payment.

Protect yourself from home improvement scams by researching the contractor.  Ask for references and check online reviews.  Verify that they have the necessary licenses and permits.  Insist on a detailed contract that includes the scope of work, materials that will be used, timelines and payment schedules.  Avoid contractors requesting significant upfront payments.  It is standard practice to pay a deposit or to pay in stages.  And obtain quotes from several contractors to make sure that everything is reasonable and expected.

Investment Scams:

 Investment scams involve tricking victims into putting their money into fraudulent schemes with promises of high returns with little risk.  Although they vary, a typical scam will include common features. 

It begins with the scammer contacting potential victims via phone, email, social media or websites, promising an exclusive or once-in-a-lifetime investment opportunity.  They will often have professional looking websites, brochures or documents and may claim to be part of a legitimate company.

The pitch will promise high returns with low risk, often claiming insider information or a foolproof strategy.  It will include a sense of urgency (time-sensitive) and that it needs to be acted on immediately.  It may also include testimonies, reviews and endorsements (all of them fake), presented to make the investment appear safe. 

This scam may begin small and gradually get larger, asking you to invest more money, suggesting that you take out loans or use your savings. The scammers may show fake reports or accounts showing significant profits and encourage you to invest more.

The scam begins to unfold as the victim tries to withdraw their money.  They may encounter delays, additional fees or simply be unable to get to their funds.  Eventually, the scammer disappears along with the money.

There are different types of these scams. 

• Ponzi scams pay returns to earlier investors with the capital of newer investors.

• Pyramid schemes show profits based on new recruits instead of real investment or sale of goods

• High-Yield investment programs will include unregistered investments with unsustainably high return on the investment

• Advanced fee frauds ask for money up front in exchange for a promise of high returns

You can avoid these scams by researching the investment and the company.  Considering consulting with someone you trust before investing.  Be skeptical of anything which seems too good to be true.  And realize that legitimate investors will not pressure you to make a quick decision. 

You are contacted by a scammer:

• Research the person, business or government agency to see if they are a scam

• Hang up if it is a computer issue

• Don’t trust caller ID

• Don’t send money to someone you do not know

• If someone claims to be a friend or relative, validate before giving money.

You are a victim of a tech support scam::

• • • Disconnect your computer from the Internet immediately

    • Use another PC to change passwords

    • Check browser for unfamiliar extensions or add-ons and remove them

    • Run your anti-virus and ant-malware programs

You are hacked

If your computer is acting differently (can’t turn it off, running slowly, opening pages you didn’t select, popups) then you may have been hacked.  Steps to take:

• Stop:  Stop shopping, banking and entering passwords until the problem is resolved

•  Update:  Update your security software.  Install a new version. 

• Find and Delete:  Using security software, scan your system.  It will flag malware, which you can delete (or archive).  Restart your computer.  Contact a professional if problems persist.

• After cleaning:  Change critical passwords to long and strong passwords

• Final notes:  Keep your operating system and web browsers up to date

You are the victim of a data breach

A breach typically exposes personal information and not passwords, but if there is a concern, change your password.  If you have used the password in other places change them.  If your account has been hacked as well, you will need to confirm or repair all recovery information.  Consider two-factor authentication.  Additionally, if your accounts are breached, you can:

• Freeze your credit.  Make sure to include all three credit bureaus

•  If it was your phone account, change your cell phone account password and PIN numbers.

•  Consider multifactor authentication

•  Follow the advice of data breach letters and take advantage of free monitoring if offered

• Be on the lookout for phishing.  They may want to exploit what they know already.

•  Monitor your financial accounts (credit cards, banking, utilities)

• Contact the DMV is your license has been exposed

Resources when your identity is breached:

• Website:  Have I been pawned?  This website will check if your email or phone is in a data breach. https://haveibeenpwned.com/

• Consider contacting the Identity Theft Center .  You can call (888.400.5530) or live-chat on the company website www.idtheftcenter.org.  You can also check their website for information on latest breaches and additional resources.

• Norton (as in anti-virus) provides information on 5 different types of breaches and what to do in each one.

• Were you affected by the T-Mobile breach?  Here are some suggestions from Consumer Reports

• Want to cut down on data collection and hackers?  Consumer Reports offers a free personalized plan to help you organize your digital life.  Here were the suggestions made when I completed the form.

Phishing

Phishing is an attempt to get information from you.  It is intentionally designed to trick you into believing.  What does phishing look like?

• Malicious attachments (like invoice, software or another file that seem urgent).  They can infect your device with malware, or send you to a website where you enter sensitive data

• Malicious links:  They take you to an imposter website like the real one.  They want to fool you into entering credentials.  The links can be imbedded in email or as links in a website

• Requests for sensitive data designed to seem legitimate. 

There are ways to spot possible phishing attempts.  They include:

• Unknown sender, sender you recognize with a suspicious looking email, or incorrect address 

• The sender doesn’t seem to know you. ( “Dear Customer”)

• Embedded links: Hover over to see if it is from a trusted source

• Language, spelling and grammar:  Many of these are created in other countries and translated into English. Content is bizarre or unbelievable:  Think of the Nigerian Prince. 

• There is a “call to action” button.  This is encouraging you to click there, which can trick you into downloading a malicious code.