Phishing refers to any attempt to trick someone into revealing sensitive information through the use of deceptive electronic messages.
Have you ever received an email that purported to be from a financial institution asking you to confirm your personal details? In most cases, what you have received is a scam email, masquerading as a legitimate message, in an attempt to trick you into entering sensitive account information into a form on a fake website. This attempt to trick you into handing over sensitive information is called phishing.
In most cases, phishing attempts are made over email and include a link that is designed to look like it leads to a legitimate website. When you visit the site, you will see a web page that looks a lot like the financial institution's website, and a form asking for personal details, such as your name, social security number, username, password, account number, date of birth, address, and more. If you enter your details they will be sent to the entity that put together that fake message and website, and in all likelihood you can expect to be a victim of identity theft in relatively short order.
While financial account information is often targeted by phishing attempts, phishing messages may also try to get you to reveal information related to social media accounts, auction websites, and any other site where your account holds potential value for a scammer. In addition, while most phishing messages are received by email, they may also be delivered over chat platforms or social media.
Also see: Learn About Phishing
Frequently Asked Questions
How can I identify phishing messages?
The ease with which phishing messages can be detected is directly related to the skill of the scammer who sends the message. While most phishing attempts are easy enough to identify, skilled scammers can craft phishing messages that are hard to pick out. However, a few tricks will help you ferret out the most obvious phishing attempts:
- Check the email address: Hover over (or expand) the “From” field so you see the actual address, not just the display name. Does the address make sense? If it is not from the domain you expect, the email is probably a scam. However, an address that looks right is not proof of a legitimate message: the “From” header is text the sender chooses, and it can be faked – a practice known as spoofing. Only the receiving mail system's own checks (SPF, DKIM and DMARC, where the provider enforces them) give any assurance that the address is genuine.
- Check the URL: Most phishing messages contain a link to a form where you are instructed to enter your information. Hover over the link to see where it actually leads, because the visible link text and the real destination can differ. Does the destination look right? Quite often phishing URLs will be close to the domain of the financial institution, but not exactly the same: an extra word or hyphen, a different ending such as .net instead of .com, or the real domain name appearing as a subdomain of some other domain (for example, the institution's name followed by a domain you have never heard of).
- Read carefully: Do the tone and grammar used in the message match the supposed sender? Quite often phishing messages contain obvious grammatical flaws, stress extreme urgency, or employ an overly aggressive tone that feels out of character for the sender.
- Pay attention to the format: Is the message composed entirely of a single image, or a bare plain text note where you would expect the institution's usual layout? Messages built from one large image are a common trick for getting past text-based spam filters, and most institutions combine formatted text, images and graphics rather than sending either extreme.
While skilled scam artists can craft messages that avoid all of these pitfalls, run-of-the-mill phishers often commit these sorts of mistakes, which makes it easy to pick out most fake messages.
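The checks in the list above can be applied mechanically to a message. The following script is an added example, not code from the original page: it parses a constructed sample email (embedded below, not a real phishing message) and reports a “From” display name that claims a brand while the address domain belongs to someone else, a Reply-To domain that differs from the From domain, links whose visible text shows one domain while the underlying destination is another, look-alike domains that contain the brand name but are not the institution's real domain, and high-pressure wording. The brand name `examplebank`, the legitimate domain `examplebank.com` and the urgency word list are assumptions chosen for the example.

```python
"""Heuristic phishing checks over a raw email (added example, not the page's code)."""
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed for the example: the organisation the message claims to be from.
BRAND = "examplebank"
LEGIT_DOMAINS = {"examplebank.com"}
URGENCY_WORDS = ("immediately", "within 24 hours", "suspended", "verify now", "urgent")

# Constructed sample message; not a real phishing email.
SAMPLE_EMAIL = """\
From: "ExampleBank Security" <alerts@examplebank-secure.net>
Reply-To: support@mail-verify.info
To: customer@example.org
Subject: URGENT: your account will be suspended
Content-Type: text/html; charset=utf-8

<html><body>
<p>Your account will be suspended within 24 hours. Verify now:</p>
<p><a href="https://examplebank.com.login-verify.net/auth">https://www.examplebank.com/login</a></p>
<p>Questions? <a href="https://www.examplebank.com/contact">contact us</a></p>
</body></html>
"""

# Constructed clean message for contrast; should produce no findings.
CLEAN_EMAIL = """\
From: "ExampleBank" <statements@examplebank.com>
To: customer@example.org
Subject: Your monthly statement is ready
Content-Type: text/html; charset=utf-8

<html><body><p>Your statement is available in online banking.
<a href="https://www.examplebank.com/statements">https://www.examplebank.com/statements</a></p></body></html>
"""


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname. Good enough for .com/.net here;
    a real deployment would use a public-suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def host_of(value: str) -> str:
    """Hostname from a URL or bare domain, or '' if not URL-like."""
    if "://" not in value:
        value = "http://" + value
    return (urlparse(value).hostname or "").lower()


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_sender(msg) -> list[str]:
    """Display name claims the brand but the domain is not the real one; Reply-To goes elsewhere."""
    findings = []
    name, addr = parseaddr(str(msg.get("From", "")))
    from_domain = addr.rpartition("@")[2].lower()
    if BRAND in name.lower() and registrable_domain(from_domain) not in LEGIT_DOMAINS:
        findings.append(f"From claims '{name}' but address domain is {from_domain}")
    _, reply = parseaddr(str(msg.get("Reply-To", "")))
    reply_domain = reply.rpartition("@")[2].lower()
    if reply and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")
    return findings


def check_links(html: str) -> list[str]:
    """Visible text vs real destination, and look-alike domains containing the brand."""
    findings, parser = [], LinkExtractor()
    parser.feed(html)
    for href, text in parser.links:
        if href.lower().startswith("mailto:"):
            continue
        href_host = host_of(href)
        text_host = host_of(text) if "." in text and " " not in text else ""
        if text_host and registrable_domain(text_host) != registrable_domain(href_host):
            findings.append(f"link text shows {text_host} but points at {href_host}")
        if BRAND in href_host and registrable_domain(href_host) not in LEGIT_DOMAINS:
            findings.append(f"look-alike domain {href_host}")
    return findings


def check_wording(subject: str, html: str) -> list[str]:
    """Urgency and threat phrasing typical of phishing."""
    text = (subject + " " + html).lower()
    hits = [w for w in URGENCY_WORDS if w in text]
    return [f"urgency wording: {', '.join(hits)}"] if hits else []


def analyse(raw: str) -> list[str]:
    """Run every check over a raw RFC 5322 message and return the findings."""
    msg = message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body else ""
    return check_sender(msg) + check_links(html) + check_wording(str(msg.get("Subject", "")), html)


if __name__ == "__main__":
    for label, raw in (("sample", SAMPLE_EMAIL), ("clean", CLEAN_EMAIL)):
        print(label, analyse(raw) or ["no findings"])
```

Each finding maps to one item in the checklist; none of them proves the message is a phish on its own, which is why a message that trips several checks at once is the one to treat with suspicion. A message that passes all of them can still be a well-crafted phish, as the text above notes.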
What's the difference between email spoofing and phishing?
Email spoofing is a technique used to falsify the “From” address associated with an email. The “From” header is simply text that the sending system writes, so unless the receiving mail provider verifies it (for example with SPF, DKIM and DMARC), nothing prevents a scammer from putting any address there. Spoofing is often employed as part of a phishing scam. This is why it's important not to place complete trust in the “From” address listed on an email.
What should I do if I'm not sure whether or not a message is legitimate?
If you receive a message and aren't sure if it's legitimate, there are at least two ways to make sure you respond to legitimate messages while still staying safe online.
First, avoid the links embedded in an email. A good rule to follow on the web is to never click on, or copy and paste, a link in an email unless you are completely certain that the source and content of the message are both legitimate. It's always best to navigate directly to a known website rather than following a link in an email. If you don't know the legitimate website address, use a search engine to find it. If the message is legitimate, then you should have no problem finding a comparable message or notice when you log into the legitimate site.
Second, contact the sender using a different method. If you aren't sure if a message is legitimate, don't hit “reply”. Instead, open a new browser tab, navigate to the company's website, and locate the contact information provided on the website. Then reach out directly to the company to determine if the message you've received is legitimate.