I’ve written about how to avoid falling for a phishing scam, but it turns out I need to pay closer attention to my own advice. I’m placing partial blame on being half awake and not yet caffeinated, but a few weeks ago I opened and almost responded to what I later discovered to be an email phishing scam.
Here’s the embarrassing, yet eye-opening story and what I’ve taken away from it.
1. They’re good… alarmingly good.
The email appeared to be from PayPal, and let me tell you — it looked very legit. The PayPal brand symbol was there; the language was business-like; and the request seemed plausible.
The email stated that PayPal had detected suspicious log-in activity on my account and had locked it down until I could verify and re-instate it. Ironically, the “suspicious activity” was the email I was reading — what an ingenious way to divert my attention! While PayPal has always been very secure and never sent any emails like this before (first warning sign), I’ve experienced security breaches with bank account debit/ATM cards in the past, so it seemed possible.
I clicked on the link provided in the email and started to enter my account information. Then I stopped. But not because I caught it — I just thought it would be easier to fill it out on my laptop (after that cup of coffee).
2. If you don’t have antivirus protection on your smartphone, open official emails from a protected device.
When I later logged into my email account from my MacBook Air and clicked on the link, my AVG anti-virus immediately blocked and identified the source as a phishing threat. Sure enough, when I went to the (real) PayPal site to investigate, I found that my account was just fine — nothing to be concerned about.
If I had entered my personal information on the fake PayPal site from my phone, I wouldn’t have known I was falling for a phishing trap until it was too late. Does that mean I should get antivirus protection for my iPhone? Some say yes; some say it’s not necessary. iOS is a more closed operating system than Android, so it’s more resistant to viruses and malware, by design. That’s not to say having extra protection is a bad idea though. If you have an Android phone, experts strongly suggest antivirus/anti-malware protection (top recommendations appear to be Avast, AVG, and Micro Mobile Security).
For now, I’m only opening and responding to sensitive emails from my protected laptop.
These scammers aren’t haphazard in their attempts to steal our personal information. They’re deliberate, calculated, and their ability to mimic high-profile businesses on everything from brand symbols to tone is incredibly advanced. This means you can’t. trust. anything. Except your instincts — and that leads to the next point.
3. There’s usually something that’s a little off if you take a second look.
After I knew the email was fraudulent, I took a closer look at it and noticed a few things. First, the wording seemed a little forced — a little too formal. Then I noticed an extra period in the title. I’m guessing phishing scam artists don’t always have strong editing skills. They spend more of their time writing malicious code.
These things were so minor that it’s understandable I didn’t notice them the first time. Going forward, I plan to do at least two careful previews before opening communication from financial institutions and other service providers. I will also verify it through another channel (such as the phone). Even if it’s something that does need attention, it can wait a few hours.
4. It’s important to routinely clear your trail.
One of the preventative things I did after this incident was to clear my browser history, which also cleared all cookies and caches (depending on the browser you have, you may need to delete each category separately). Browser history and cookies from websites and third-party advertisers make it more convenient to browse and shop online, but they can also be used against us. Attackers can “steal” cookies and use them to access our personal accounts. Clearing browser history routinely can add another level of safety to online activity.
5. Two-level authentication isn’t a bad idea.
After changing my PayPal password (of course), I also decided to beef up the security options on my account. One of the free options is two-level authentication — entering a unique code sent to your smartphone every time you log in. I already use this on a few other important personal accounts, and so far, it seems like an easy, yet effective way to deter hackers and ensure the security of online transactions.
Bottom line: use all the security measures available to you.
Bonus lesson: Never attempt to answer emails until you’ve had a cup of coffee.
Avoiding online scams boils down to being alert and aware of what you’re doing. While there may not be thieves and con artists roaming the streets where you live, they’re always roaming the internet — and knocking, ever-so-politely, at all your digital doors.
Yeah, it’s scary how good some scams can be. They can even make the email address look like it was sent from PayPal. That’s why you always have to check the URL of the link you click on.
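The URL check the commenter recommends, applied to the HTML body of an email like the one in the post, as an added example (not code from the post or its commenter): it flags links whose real destination is not a known brand host, or whose visible text shows a URL pointing somewhere else. The trusted PayPal hosts, the sample email body, and the lookalike domain are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts that legitimately belong to the brand the email claims to come from.
# Example values for this demo; a real check would use the brand's published domains.
TRUSTED_HOSTS = {"paypal.com", "www.paypal.com"}

def url_host(url: str) -> str:
    """Lower-cased host of a URL, or '' if it has none (e.g. a mailto: link)."""
    return (urlparse(url).hostname or "").lower()

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags in an HTML email body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def suspicious_links(html: str, trusted=TRUSTED_HOSTS):
    """Return links whose destination host is not a trusted brand host, or whose
    visible text shows a URL with a different host than the href really targets."""
    parser = LinkCollector()
    parser.feed(html)
    flagged = []
    for href, text in parser.links:
        host = url_host(href)
        shown = url_host(text) if "://" in text else ""
        if host not in trusted or (shown and shown != host):
            flagged.append((href, text))
    return flagged

# Constructed sample body: a lookalike domain, then displayed text that lies about its target.
SAMPLE_EMAIL = """<p>We detected suspicious log-in activity on your account. Please
<a href="https://paypal-secure-verify.example/login">verify your account</a> now.
Or visit <a href="http://198.51.100.7/pp">https://www.paypal.com</a>.
Legit: <a href="https://www.paypal.com/myaccount">Log in to PayPal</a></p>"""
```

Only the first two links are reported: the lookalike host and the address whose visible text says PayPal but whose href points at a bare IP address.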