Fixing your bad credit is hard work. Falling victim to a phishing scam could send you back to square one.
When you think about the phrase “cyber warfare”, you’re probably picturing something from the movies: sexy, leather-clad tech geniuses furiously typing away on five computers at once or a sexy, leather-clad black-ops master daringly sneaking into a high-tech compound or a sexy, leather-clad—you get the idea.
But the reality is that most cyber warfare relies on much simpler methods.
Two weeks ago, a massive cyber attack struck hundreds of thousands of computers across the globe. Details are still emerging, but it’s known that the “ransomware” used to perpetrate the attack was delivered primarily by an email.
That’s right: an email.
Hackers can literally just send an email to their targets. If you open the email and click a link inside, then you’ve just welcomed hackers into your not-so-carefully-guarded system.
This is a “phishing” attack. It’s been around for a long time and it can be notoriously damaging. Unlike other financial scammers, these hackers don’t have their victims’ permission. In a phishing attack, hackers steal a person’s identity—including all their financial data. While the victim is sitting quietly at home, the hacker can max out their credit cards, drain their bank accounts, and generally ruin the victim’s financial well-being.
If you’re someone who’s working hard to fix their bad credit, falling for a phishing scam could undo all that good work—or even make your credit worse than it was to begin with.
How does a phishing scam work?
“It’s called a phishing attack, and yes, it’s a play on words,” says identity theft expert and CEO of IDTheftSecurity.com Robert Siciliano. “When you fish, you throw a hook and worm into the water and hope you catch something. Hackers do the same when they phish.”
“Except, their hook and worm, in this case, is an interesting-looking email that they hope you are going to click on… it’s then that they can reel you in.”
According to Siciliano, there are a couple of different ways that phishing scammers can get your information:
- Spoofed websites: “Hackers phish by using social engineering. Basically, they will send a scam email that leads to a website that looks very familiar. However, it’s actually a spoof, or imitation, that is designed to collect credit card data, usernames, and passwords.”
- Phishing “in the middle”: “With this type of phishing, a cybercriminal will create a place on the internet that will essentially collect, or capture, the information you are sending to a legitimate website.”
- Phishing by Pharming: “With phishing by pharming, the bad guys set up a spoof website, and redirect traffic from other legitimate sites to the spoof site.”
- Phishing leading to a virus: “This is probably the worst phish as it can give a criminal full control over your device. The socially engineered phish is designed to get you to click a link to infect your device.”
The website for the National Cyber Security Alliance, StaySafeOnline.org, has tons of resources to help consumers maintain their digital privacy and, well, stay safe online! In their article titled “Spam and Phishing,” they identify “spear phishing” as another common tactic:
“Spear phishing refers to highly specialized attacks against a specific target or small group of targets to collect information or gain access to systems.
For example, a cybercriminal may launch a spear phishing attack against a business to gain credentials to access a list of customers. From that attack, they may launch a phishing attack against the customers of the business. Since they have gained access to the network, the email they send may look even more authentic, and because the recipient is already a customer of the business, the email may more easily make it through filters and the recipient may be more likely to open the email.”
How can you identify a phishing scam?
The key to phishing scams is that the emails look legitimate. The email might appear to be from Amazon asking you to “update your credit card information” or it could be from your best friend telling you to “click this link and check out this cool new site.”
However, there are always going to be signs that something “phishy” is up.
Amit Bareket is the CEO & Co-Founder of SaferVPN, a leading VPN and security provider. Here are some of his tips for how to spot the “irregularities” that identify a phishing email.
Spelling & Grammar Errors: “Cybercriminals are not known for their grammar and spelling. Professional organizations usually have a staff of editors that wouldn’t allow a mass email to have any mistakes. So, if you see a suspicious email with incorrect spelling and/or grammar, be attentive that this could be a scam.”
Multiple Links: “If you see a link in a suspicious email message, be sure not to click on it. You can rest your mouse over the link and see if the address matches the hyperlink in the email.”
Threats: “Cybercriminals will often use expressions or threats that your security has been compromised in the hopes the links they’ve included will be clicked on. For example, it could say something like: ‘If you don’t fill out this application your account will be blocked.’”
Spoof of popular websites: “Scammers will often use images or graphics that appear on popular websites, that when clicked on will bring you to a phony site.”
Can You Protect Yourself from Phishing?
“Yes,” says Siciliano. “The standard rule is ‘don’t click links in the body of email.’
“That being said, there are emails you can click the link and others you shouldn’t. For example, if I’ve just signed up for a new website and a confirmation email is then sent to me, I’ll click that link. Or if I’m in ongoing dialog with a trusted colleague who needs me to click a link, I will.”
“Otherwise, I don’t click links in email promotions, ads or even e-statements. I’ll go directly to the website via my password manager or a Google search,” he says.
Likewise, Bareket’s advice for what you should do in the face of a phishing email is to “delete, delete, delete, as well as report and block the sender’s address.”
On StaySafeOnline.org, the National Cyber Security Alliance makes the following recommendations:
“When in doubt, throw it out: Links in email, tweets, posts and online advertising are often how cybercriminals try to compromise your information. If it looks suspicious, even if you know the source, it’s best to delete or, if appropriate, mark it as junk.
“Think before you act: Be wary of communications that implore you to act immediately, offers something that sounds too good to be true or asks for personal information.
“Make your password a sentence: A strong password is a sentence that is at least 12 characters long. Focus on positive sentences or phrases that you like to think about and are easy to remember (for example, “I love country music”). On many sites, you can even use spaces!
“Unique account, unique password: Having separate passwords for every account helps to thwart cybercriminals. At a minimum, separate your work and personal accounts and make sure that your critical accounts have the strongest passwords.
“Lock down your login: Fortify your online accounts by enabling the strongest authentication tools available, such as biometrics, security keys or a unique one-time code through an app on your mobile device. Your usernames and passwords are not enough to protect key accounts like email, banking, and social media.”
If you fall for a phishing scam, here’s what to do:
First of all, don’t beat yourself up. These scams are designed to trick people. There’s no shame in being taken advantage of by a con artist.
Besides, if you’re feeling dumb, just remember the esteemed psychotherapist who fell for the old “Nigerian Prince” email scam. If someone like that can fall for it, anyone can.
Next, follow these tips provided by Bareket:
- Change your passwords.
- Notify the credit agencies.
- Contact your credit card companies to explain the situation and freeze or cancel them.
- Update your software and run a comprehensive virus scan. Additionally, you should use encryption and ensure you have a firewall enabled.
- Check and monitor your accounts regularly.
- Report the email scam in places such as the National Fraud Information Center.
Businesses need to watch out too!
If you’re a small business owner, or just worried about what a phishing/ransomware scam could do to the place that signs your paychecks, then here’s some advice from Adnan Raja, Vice President of Marketing at Atlantic.Net, a trusted web hosting provider:
“There are many steps these organizations can take to protect themselves from ransomware attacks. On many occasions these attacks succeed because employees haven’t been properly trained to recognize (and avoid) suspicious links or email attachments. Proper email security training, as well as establishing better rules for email attachments and which users are allowed to run executable files and install software can go a long way toward bolstering your defenses against a ransomware attack.
“Other better and more thoughtful security practices can protect your organization against these ransomware attack vectors. Multi-factor authentication helps ensure that only your authorized employees can access your network. Two-factor authentication should be applied not only to your VPN but to your organization’s LinkedIn and Google accounts and other online accounts as well.
“Better password management (including using password management tools such as KeePass) will also prove helpful in locking down your infrastructure. Autonomous offsite backup is a must, and network monitoring solutions to throw up an alarm if thousands of files suddenly start modifying themselves in the middle of the night can alert you soon enough to head off the worst of the damages if a ransomware attack hits you.”
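The “files suddenly start modifying themselves” alarm Raja describes is a rate check over file events. The script below runs one over audit-style log lines, alerting once per burst when many distinct files are modified inside a short window. It is an added example, not Atlantic.Net’s tooling; the log format and the events in it are constructed.

```python
# Raise an alarm when many distinct files are modified within a short window,
# the "thousands of files suddenly start modifying themselves" signal the quote
# above describes. Added example, not Atlantic.Net's tooling; the audit-style
# log format and the events in it are constructed.
from collections import deque
from datetime import datetime

# Constructed log lines: "<ISO timestamp> <action> <path>". A few ordinary edits
# earlier in the night, then six files rewritten within six seconds at 02:13.
SAMPLE_LOG = """\
2017-05-20T01:05:00 MODIFY /srv/share/notes.txt
2017-05-20T01:40:12 MODIFY /srv/share/report.docx
2017-05-20T01:40:15 READ /srv/share/report.docx
2017-05-20T02:13:00 MODIFY /srv/share/q1/budget.xlsx
2017-05-20T02:13:01 MODIFY /srv/share/q1/forecast.xlsx
2017-05-20T02:13:02 MODIFY /srv/share/q1/deck.pptx
2017-05-20T02:13:03 MODIFY /srv/share/q1/contract.pdf
2017-05-20T02:13:04 MODIFY /srv/share/q1/photo.jpg
2017-05-20T02:13:05 MODIFY /srv/share/q1/readme.txt
"""

def parse_events(text):
    """Turn log lines into (timestamp, action, path) tuples, skipping blanks."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, action, path = line.split(" ", 2)
            events.append((datetime.fromisoformat(ts), action, path))
    return events

def detect_bursts(events, window_s=60, min_files=5):
    """Return one (window start ISO time, distinct files) alert per burst in which
    at least min_files distinct paths were modified within window_s seconds."""
    recent = deque()          # (timestamp, path) of MODIFY events in the window
    alerts, in_burst = [], False
    for ts, action, path in sorted(events):
        if action != "MODIFY":
            continue
        recent.append((ts, path))
        while (ts - recent[0][0]).total_seconds() > window_s:
            recent.popleft()  # drop events that fell out of the window
        distinct = len({p for _, p in recent})
        if distinct >= min_files and not in_burst:
            alerts.append((recent[0][0].isoformat(), distinct))
        in_burst = distinct >= min_files  # alert once per burst, re-arm after it ends
    return alerts
```

The thresholds are deliberately low so the constructed sample trips the alarm; on a real file server they would be tuned against the normal modification rate, and events such as renames or newly created files would be counted alongside MODIFY.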
Repairing the credit damage from a phishing scam could take years. While the chances of getting hit with one might feel remote, it’s still wise to take the precautions we’ve laid out. You only have one identity, after all. Take care of it.
Amit Bareket is the CEO & Co-Founder of SaferVPN (@SaferVPN). Amit is a cyber expert with extensive experience in system architecture and software development. He is the author of seven patents issued by the USPTO for storage, mobile applications and user interface. Prior to SaferVPN, Amit served in the Israel Defense Forces’ elite intelligence unit and then went on to work as a Software Engineer for major enterprises including IBM XIV Storage and BigBand Networks. He graduated Cum Laude with a B.Sc. in Computer Science and Economics from Tel Aviv University.
The National Cyber Security Alliance (NCSA) (@StaySafeOnline) is the nation’s leading non-profit organization in promoting cyber safety and digital privacy. NCSA’s core efforts include National Cyber Security Awareness Month (October); Data Privacy Day (January 28) and STOP. THINK. CONNECT.™, the global online safety awareness and education campaign cofounded by NCSA and the Anti Phishing Working Group, with federal government leadership from DHS. You can visit their site at staysafeonline.org.
Robert Siciliano (@RobertSiciliano) is a #1 Best-Selling Author and CEO of IDTheftSecurity.com. IDTheftSecurity.com is funny, but serious about teaching you and your audience fraud prevention and personal security. Robert is a United States Coast Guard Auxiliary Flotilla Staff Officer of the U.S. Department of Homeland Security whose motto is Semper Paratus (Always Ready). His programs are cutting edge, easily digestible and provide best practices to keep you, your clients and employees safe and secure. Your audience will walk away as experts in identity theft prevention, online reputation management, online privacy and data security.
The information contained herein is provided for free and is to be used for educational and informational purposes only. We are not a credit repair organization as defined under federal or state law and we do not provide "credit repair" services or advice or assistance regarding "rebuilding" or "improving" your credit. Articles provided in connection with this blog are general in nature, provided for informational purposes only and are not a substitute for individualized professional advice. We make no representation that we will improve or attempt to improve your credit record, history, or rating through the use of the resources provided through the OppLoans blog.