Fight the Phish

Phishing (pronounced “fishing”) is a social engineering attack meant to steal your personal information, including online banking credentials and credit card numbers. In a phishing attack, a criminal masquerades as a trusted source to trick people into responding, clicking on a link, opening an attachment or taking some other action that will enable criminals to get your personal information and money. Typically the alleged sender is an organization with whom you have a relationship; occasionally the organization they are trying to impersonate may be Oregon State Credit Union.

Phishing examples

The following are examples of actual phishing attacks. Each example includes one of the telltale signs of phishing: it’s unexpected, they’re asking for personal information over an unsecure connection, or there is pressure to act fast.

• “We suspect an unauthorized transaction on your account. To ensure your account is not compromised, click the link below to confirm your identity.” (Don’t click the link. Oregon State Credit Union will never send an email asking you to click a link to confirm your identity.)

• “During our regular verification of accounts, we couldn’t verify your information. Please click here to update and verify your information.” (Don’t click the link, and don’t enter your personal information.)

• “Our records indicate your account was overcharged. You must call us within 7 days to receive your refund.” (That’s not how refunds work. Don’t fall for it.)

Phishing is big business. To get started, criminals can purchase a “phishing kit” on the dark web. Then they just need a list of email addresses and telephone numbers–which are also for sale on the dark web. Once credentials have been stolen, criminals loot the accounts or sell the data. There is a thriving underground market for stolen online banking credentials, which can be sold for hundreds of dollars or more per account.

Criminals who send phishing emails and text messages usually have a story to trick you into clicking on a link or opening an attachment. They may:

• Say they’ve noticed some suspicious activity or log-in attempts

• Claim there’s a problem with your account or your payment information

• Say you must confirm some personal information

• Include a fake invoice

• Want you to click on a link to make a payment

• Say you’re eligible to register for a government refund

• Offer a coupon for free stuff

These are not the only stories criminals tell when trying to convince you to fall for a scam. The bottom line is: if it doesn’t feel right, if it is unexpected, if you didn’t initiate it, or if there is pressure to act fast, STOP. Think about the story and verify the details before you act.

Protect yourself from phishing

The best protection against phishing is awareness and education. Learn what you can do to protect yourself, your information and your money.

Be stingy with your credentials. Limit what personal information you post online, don’t volunteer any personal information that isn’t required, and challenge any requirement for personal information that seems unnecessary. No reputable organization will ask for your personal information over email or text. And don’t give your information over the phone unless you’ve initiated the call and are certain you know who you are dealing with.

Beware of surprises. If you receive an unexpected request to verify an account or personal information, an announcement that you’ve won a prize, or even an attached photo of your friend’s new puppy, be suspicious. If you can, verify with the sender that the request is legitimate. If you can’t verify, don’t click the link or open the attachment.

Trust your instincts. Does the message contain misspelled words or grammar errors? Does it seem odd—not like the usual tone your friend or co-worker would normally use? Is the request unusual? If it feels wrong, it probably is. If the message is legitimate, there’s no harm to be done in verifying it before you act on any request.

Check the links. If you hover your cursor over the links in an email, you can see where the URL is pointing. If it doesn’t match up with what you expect, don’t click it. In fact, even if it appears to be going to the correct location, type it into your browser manually. Better safe than sorry.

Think before you click. Be wary of communications that urge you to act now, offer something that looks too good to be true, or ask for personal information in exchange for something desirable.

Check the sender. Visually check the sender’s email address before replying or clicking on links, then go one step further. Because email addresses can be spoofed, float your cursor over the address. If it is from a company, it will most likely have the company’s name in the address. If it doesn’t, call the company to verify.

Use multifactor authentication. Some accounts offer extra security by requiring multifactor authentication. In addition to entering your password, you may receive a code via text or email that you must also enter, or you may be asked to use biometric data, like your fingerprint or face. Whenever possible, opt in to multifactor authentication. It’s an extra step, but it could be just the thing to stop a thief in their tracks.

Types of phishing

There are too many types of phishing attacks to list them all, but the table below lists some of the most common types.

Read another fraud article | Fraud protection