There are several ways a scam artist will try to steal your identity or fraudulently obtain personal information such as your social security number, driver’s license, credit card information or bank account information.
Phishing refers to emails sent to you by scammers, which are designed to trick you into providing your personal and banking information. Sometimes, a scammer will first send you a benign email (think of it as the bait) to lure you into conversation and then follow up with a phishing email. At other times, the scam artist will just send one phishing email.
Typically, the email appears to be from your bank, a government agency, or a company urging you to click on a link to update your personal profile or “validate” or “confirm” your personal details. By clicking on the link, you will be taken to a fake website designed to look like the real thing and prompted to enter your password, PIN or other personal information. Any details you enter are recorded by the scammer.
Some phishing emails contain odd-looking type fonts, spelling mistakes or other errors that may alert you to the scam; however, other messages look so genuine that you could be fooled, if you are not careful. Scammers are creative and manipulative. They can easily copy a financial institution’s logo and message format to make their email look genuine, and they often set up a fake website.
“Vishing” is a combination of the words voice and phishing. Vishing is similar to phishing. The difference is the technology. While phishing involves the use of emails to trick you into providing your personal details, vishing involves voice or telephone services, including voice mail and phone recordings, to persuade you to respond to a phone call or to dial a phone number and provide personal and financial information. Vishing exploits the public’s trust in landline telephone services. If you use a Voice over Internet Protocol (VoIP) phone service, you are particularly vulnerable to a vishing scam.
Scammers give those they call different reasons why they need personal information: for example, to verify an account or to authorize a purchase. Most often, the vishing call involves a scammer posing as an employee from a bank or another organization claiming to need your personal details. Many times, the call is positioned as an emergency, with a warning that your account may be cancelled or suspended unless you act. The scammer will be aiming to convince you to divulge confidential personal and banking information, such as your password, bank account and credit card numbers, and debit card and ATM PINs. Even if you use your telephone keypad to type in your information, if you are on the line to a scammer, the scammer can record your keystrokes.
A vishing telephone call can be automated. If a call is not answered, a message will be left on the phone asking you to call back and provide the information through an automated system. Entering a bank account or credit card number on your keypad when you return the call gives the scammer the information necessary to make fraudulent use of the card or to access your account. These calls are often used to harvest additional details such as a card’s expiration date and three-digit security code and your date of birth.
Smishing works just like phishing, but uses cell phone text messages to lure consumers in. Often, the text will contain a URL or phone number. The phone number often has an automated voice response system. And, like phishing, the smishing message usually asks for your immediate attention.
In some cases, the smishing message can come from a “5000” number instead of displaying an actual phone number. This usually indicates the message was sent via email to the cell phone and not sent from another cell phone. Never respond to smishing messages.
How to Protect Against Phishing, Vishing, Smishing
- Know the sender or the caller.
  - Do you know the sender of an email or the telephone caller? If no, do not click any links in the email and delete the email. If yes, still be cautious before clicking an email link.
  - If an email is from a business you do not recognize or if you are suspicious, go directly to the website address of the business that you independently know or have used. Do not click links within the email.
  - If you suspect a call might be a scammer or contain a fraudulent request, independently look up the organization’s customer service number and call that number rather than a number provided in a solicitation email or phone call. Forward the solicitation email to the customer service or security address of the organization, asking whether the email is legitimate. Don’t activate any links until the authenticity of the email is verified.
- Be careful with attachments. If an email has an attachment, is the attachment an executable (a file with the extension .exe, .bat, .com, .vbs, .reg, .msi, .pif, .pl, .php)? If yes, do not click the attachment. Even if the file does not contain one of these extensions, be cautious about opening the file. It is best to contact the sender first to verify the contents of the email. Your first contact with the sender should be by phone to a trusted or verified phone number.
- Never provide personal information or your password in response to an unsolicited request whether it is in an email, over the phone, in a text message or in response to an Internet request.
- Watch grammar and spelling. Grammar, context and spelling errors can be a clue to a malicious email. Be suspicious.
- Check for a relationship. Do you have a relationship with the company or the sender? Are you being addressed by name? What is the content of the sender’s email signature? If the relationship appears generic or you are suspicious, do not respond.
- Don’t click links from unverified senders. Hover over a link and check the URL. Does it look legitimate or does it look like it will take you to a different website? Shortened links on a mobile device can be hard to verify and may link to malicious content. Without seeing a full address, it is difficult to tell if the website or sender is legitimate. Often, you cannot hover over a mobile device link like you can from your computer to get a preview of a linked word or graphic.
- Be wary of incoming calls. If you receive an incoming call from a person you do not know or cannot identify or an automated system requests personal information, hang up. Caller ID creates a false sense of security, so do not trust it either. Before you give out any information to someone claiming to be from the bank or a company you trust, call the bank or company directly to verify there is a need for the information. Locate the phone number through the official bank or company website, on a business card or on your bank card, not by Googling.
- Verify a number left in a voice mail or text message. Before calling a number in a voice mail or text message, authenticate the number. Remember, American Federal will never ask for client information through an automated voice response system or text message.
- Report suspicious activity immediately. If you have doubts about an unsolicited request, document as much information as you can and then contact your American Federal Banker right away.
Protect your Identity
The following websites offer information and guidance on protecting against identity theft:
- Bankrate.com – http://www.bankrate.com/brm/news/cc/20020612a.asp
- Federal Trade Commission – http://www.consumer.ftc.gov/articles/0272-how-keep-your-personal-information-secure
- Social Security Administration – http://www.ssa.gov/pubs/EN-05-10064.pdf
- IRS – http://www.irs.gov/uac/Identity-Protection-Tips
- Department of Homeland Security’s United States Computer Emergency Readiness Team – http://www.us-cert.gov/ncas/tips/ST05-019
- United States Department of Justice – http://www.justice.gov/criminal/fraud/websites/idtheft.html
- United States Chamber of Commerce – https://www.uschambersmallbusinessnation.com/toolkits/guide/P14_2260