Once a week I check my spam folder since the occasional legitimate email lands in there. This tends to happen with messages sent in a bulk mailing, like evites or save-the-date announcements.
When I looked the other day, I determined that 192 of the 466 spam messages might be “phishing” scams — schemes masterminded by cyber crooks who throw out bait in hopes that someone will bite and, voluntarily or otherwise, give them money. Sometimes lots of money.
One email in the spam folder gave me pause. At first blush, it appeared to be from the financial company that handles my investments. It was asking me to log in and update my email preferences. And it looked pretty legit.
Had I taken the bait and clicked on the link in the email, says Chuck Davis, a cyber security expert who teaches at Harrisburg University of Science and Technology, a screen that mimicked the one from the actual company would have opened in my browser.
There I would have been asked for my user name and password. Once I entered that, the bogus site would have redirected me to the real site, and I probably never would have suspected a thing. (This isn’t difficult for a tech-savvy thief to set up.) In the meantime, the crooks would have my name, email and password — and total access to my account.
(MORE: 7 Steps to Protect Your Online Security)
A New World of Cyber Scams
In the past few years, phishing schemes have proliferated. Though we all still get invitations from "Nigerian princes" to help them recover vast sums of money by first wiring them a few thousand of our own, we are now being hit with less obvious and more sophisticated ruses. In 2007, the latest year for which there are figures, some 3.6 million U.S. consumers lost about $3.2 billion to email phishers.
I wanted to get a handle on this, so I asked Chuck Davis and Rob Kraus, director of research for Solutionary, a security services company, to explain the most common email phishing schemes. I then went through my spam folder and found examples of every one of them. It’s only a matter of time, Kraus warned, before one of these emails makes it past my spam filter and into my inbox. Then it will be up to me not to fall for it.
7 Kinds of Phishing Scams
Here’s a guide to recognizing some of the newer types of email phishing scams, plus tips for outsmarting them.
1. Advance fee fraud Cyber experts call these “419 schemes” because they are illegal in Nigeria (where the scam originated) under penal code 419. Swindlers tantalize victims with an enormous payout. Before collecting, however, the “mark” must wire large amounts of money to the person sending the email. While annoying (and potentially dangerous), the good news is that these emails don’t compromise your email account.
How it works Experts like Daniel Simons, a professor at the Beckman Institute for Advanced Science and Technology at the University of Illinois, say these scammers intentionally use outlandish stories or poor English, knowing that most people will smell the rotten fish quickly and cut bait — yet anyone who responds to it is more likely to go the whole distance.
How to tell it’s a scam There’s no such thing as free money. Ever. (Especially if it’s coming from Nigeria.) This you can bank on.
(MORE: Phishing: How Scammers Trick You Into Sending Personal Information)
2. Direct pleas A few years back I received an email ostensibly from one of my daughter’s college roommates, saying she had been robbed in London and urgently requesting that I send her money. It seemed odd that Kerry would be asking me for help instead of her parents, so I called my daughter. She assured me that Kerry was not in London and informed me that her email had been hacked. (Important note: The other person’s email has been hacked, not yours.)
How it works The miscreants hope to alarm you enough that you’ll wire money. Hacking into someone’s account and spamming people in her address book is pretty easy for cyber crooks. But some email programs make it easier than others. Choose one that requires at least double verification, such as a password and a security question or two passwords at the login.
How to tell it’s a scam Common sense. How likely is it that someone you know has been robbed overseas (actually, it’s almost always London) — and needs your help specifically? And does that stiff, unfriendly voice really sound like her? When in doubt, call or text the person or her family.
3. Spear phishing Using what The New York Times calls “a rapidly proliferating form of fraud,” these con artists specifically target a particular “fish” instead of throwing out a wide net and seeing what they can catch (hence the name). They have scoured the Web to find your email. (Many business emails are pretty easy to find, or guess.)
How it works The mark, usually an executive or a wealthy person, will receive an email apparently from a friend, colleague or relative whose email has been hacked for this purpose. The recipient (whose email is generally not hacked) is asked to provide his Social Security number to someone claiming to be working on tax documents or other official papers. A business owner may get a request for the password for confidential information that could be sold to a competitor or held for ransom.
How to tell it’s a scam Again, use common sense. Doesn’t your dad usually email bad jokes, not requests for your Social Security number? Would a colleague really request a password via email? If you're unsure, call the person you think sent the request before responding.
4. Email login scams An authentic-looking email informs you that something is wrong with one of your online accounts — email, credit card, PayPal, eBay, bank — and that you need to change your password or “update” your information.
How it works In the body of the email, the scammers embed a link that will send you to a rogue page that may look exactly like a real log-in, as in my example above. This hands over your name, email address and other information that allows them to enter your account.
How to tell it’s a scam Hover your mouse over the link in the email and scrutinize the URL that appears below your cursor or at the bottom of the page. A fake URL might say “yohoo.com” (as opposed to yahoo) or include enough of a real URL to trick you — e.g., “password.yahoo.americanidol.com.”
Krauss says to carefully inspect every letter of the URL before the forward slash. The domain name you see there should be exactly the one you know. If you can’t tell, open a new tab and manually type in the proper URL. Most financial institutions have a section to report phishing, which you should do. Another indicator: Real URLs often begin with https:// — the “s” standing for “secure.” PayPal provides excellent advice for avoiding these scams.
(MORE: Top 10 Financial Scams Aimed at Older Adults)
5. Fake jobs Someone is offering you a lucrative position. But first you must fill out a form giving your Social Security and/or bank account numbers.
How it works These scammers are counting on people being intrigued by a great job prospect and flattered that they are being sought out.
How to tell it’s a scam No reputable company will ever ask you for sensitive information before hiring you. Just delete immediately.
6. The Russian girlfriend There are a few basic variations on this theme: Either the sender claims his Russian girlfriend needs money for her visa or someone says you can have a beautiful Russian woman if you send or wire cash or your credit card information.
How it works As with 419 scams, the crooks are hoping to hook people who are naïve (or in this case, lonely). The email address has been randomly generated, or the thug has hacked into a dating website and stolen the information.
How to tell it’s a scam Russian girlfriends or “penpals” by email are always bogus.
7. Cheap pharmaceuticals This legitimate-looking email promises big savings on prescription drugs.
How it works The scammers are after your credit card data, which they will use to get cash. They may actually send you counterfeit pills if they feel by doing that they can dupe you into releasing more credit-card or bank-account numbers. These pills could be dangerous or deadly.
How to tell it’s a scam Do some research. There are ways to buy medicines online at cut-rate prices, but you need to know you’re dealing with a bona fide outfit. Google the name of the company and see what shows up. Look for ratings from the Better Business Bureau or even Yelp.
General Good Advice
- Never click on a link unless you are 100 percent certain who sent it and where it will take you. Better to miss the latest funny meme than crash your system, be ripped off or have your identify stolen.
- Max out on protection. Email providers that come with an operating system (like Microsoft’s Outlook or Apple Mail) or free programs, like Gmail, AOL and Yahoo, have strong spam filters. Go to the program's website and search “help” or “spam filters” and set them to the strongest level. Internet service providers like Comcast, Verizon and Time Warner often provide extra spam protection as well. If they do, install it into your computer.
- Use anti-virus software. Download a reliable program like Norton or Avasti to add another layer of protection. These operate by sending a warning about suspect sites when you click on a link. You’ll get a message telling you the address may lead to malware, and you’ll have to click “go ahead” or “stop.”
Unfortunately, there’s no magic bullet that can block all the scammers. We have to be our own sheriffs. So polish your badge, load up on ammo, and stay vigilant against these 21st-century bad guys.