Doug Kinsey, CFP®, CIMA®
As financial professionals, we understand how vital it is to safeguard your personal and financial information. Unfortunately, in our increasingly digital world, cybersecurity risks, such as phishing attacks, have become a prevalent issue that can compromise your financial health and personal identity.
Phishing is a deceptive practice employed by criminals to trick you into divulging sensitive personal or account data, usually through email or text messages. As cybercriminals refine their tactics, distinguishing phishing from legitimate communication is becoming harder. The good news is that most attempts still rely on a handful of recognizable tactics, and learning to spot them is your best defense.
In this blog, I’ll provide a comprehensive overview to help you spot a fraudulent email or text message.
[Image. Source: SecurityMetrics.com, 2023]
If you receive an email asking for sensitive information and are unsure whether it is legitimate, the best approach is to contact the company directly, using a phone number or website you already know rather than anything in the message itself. For example, DO NOT CLICK if an email appears to come from your credit card company saying your card is frozen due to unusual activity and asking you to click a link to reactivate it or to provide your password. Instead, call the number on the back of your card to verify the request. Chances are, if it asks for your personal information, it is a phishing attempt.
[Image: The IRS Will Never Email Demanding Immediate Payment. Source: UTRGV.edu, The University of Texas Rio Grande Valley, 2023]
This is a great way to identify potential phishing emails! Phishing emails typically use generic salutations, such as “Dear Valued Member,” “Dear Account Holder,” “Dear Customer,” or, as in the example below, “Dear User.” Most companies you work with know your name. They will address you by name, especially if they need you to respond to a request for information or ask you to click on a link. If you receive an email requesting an action without a personalized salutation, be alert! The reverse is not a guarantee, though: attackers who already have your name from an earlier data breach will happily use it, so a personalized greeting on its own proves nothing.
[Image: Generic Greetings Are a Clue. Source: TN.gov, 2023]
The best way to check for phishing is to slow down and closely examine the sender’s actual email address, not just the display name, which a sender can set to anything. Look for misspellings and for domains that merely resemble the real company’s: the part after the @ should be the domain you already know, spelled exactly right.
Let’s take a look at a few examples:
[Image: Spotlight on Fake Email Address. Source: CheapSSLSecurity.com, 2023]
Many phishing attempts include grammatical and spelling errors, and those are a big red flag. When reading emails that request information or ask you to click on a link, take your time. Treat errors as a warning sign rather than proof, and treat the absence of errors as no reassurance: legitimate companies occasionally send typos, and attackers increasingly use AI writing tools to produce flawless text.
[Image: Watch Spelling & Grammar. Source: GulfShoreInsurance.com, 2023]
Take the time to hover over links within an email. Before clicking on anything hyperlinked (underlined text that will take you to a web page), move your mouse over the link to see where it actually goes; on a phone, press and hold the link to preview the address. The text you see and the real destination can be completely different. Do you recognize the company’s legitimate website? Pay attention to spelling errors in the company’s name, and to dashes, periods, and numbers added around it.
[Image: Check Out the Hyperlinks. Source: Law.UPenn.edu, 2023]
Unsolicited emails that contain attachments reek of scammers. Authentic institutions don’t typically send you attachments out of the blue; they direct you to download documents from your account on their website. Look for high-risk attachment file types, including .exe, .scr, and .zip, and be wary of double extensions such as Invoice.pdf.exe (only the last extension decides how the file opens) and of Office documents that ask you to “enable content” or enable macros. When in doubt, contact the company using contact information from their website, not from the email.
[Image: Watch Out for Unsolicited Attachments. Source: SecurityMetrics.com, 2023]
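To make the attachment advice above concrete, here is an added example (my own illustration, not code from the original post) that rates an attachment by its file name, treating only the last extension as the one that matters so that a double extension like Invoice.pdf.exe is caught. The extension lists are assumptions drawn from common practice, not an exhaustive rule set, and the sample file names are constructed, not taken from a real message.

```python
"""Risk-rate email attachments by file name (added example, not from the post)."""
from pathlib import PurePosixPath

# Assumed lists, not exhaustive. Types that run code as soon as they are opened:
EXECUTABLE = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".msi",
              ".js", ".vbs", ".wsf", ".hta", ".ps1", ".jar", ".lnk"}
# Archives and disk images that hide the real payload from a casual look:
CONTAINER = {".zip", ".rar", ".7z", ".iso", ".img"}
# Office formats that carry macros and prompt you to "enable content":
MACRO_DOC = {".docm", ".xlsm", ".pptm"}
# Types a sender plausibly means to share; also used to spot disguises:
BENIGN_LOOKING = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png", ".txt"}


def attachment_risk(filename: str) -> tuple[str, str]:
    """Return (level, reason). Only the LAST extension decides what the OS runs,
    so 'Invoice.pdf.exe' is an executable wearing a PDF costume."""
    suffixes = PurePosixPath(filename.lower()).suffixes
    if not suffixes:
        return ("medium", "no extension; the file type cannot be judged from the name")
    last = suffixes[-1]
    disguised = len(suffixes) > 1 and suffixes[-2] in BENIGN_LOOKING
    if last in EXECUTABLE:
        reason = f"{last} runs code when opened"
        if disguised:
            reason += f"; double extension {suffixes[-2]}{last} is meant to look like a document"
        return ("high", reason)
    if last in CONTAINER:
        return ("high", f"{last} archive or disk image can hide an executable")
    if last in MACRO_DOC:
        return ("high", f"{last} is a macro-enabled Office file")
    if last in (".html", ".htm"):
        return ("high", "HTML attachment can open a fake login page from your own disk")
    if last in BENIGN_LOOKING:
        return ("low", f"{last} is a document type; still verify the sender before opening")
    return ("medium", f"unfamiliar type {last}")


def triage(filenames: list[str]) -> dict[str, str]:
    """Risk level for each attachment name in one message."""
    return {name: attachment_risk(name)[0] for name in filenames}


# Constructed attachment names from an imagined message (not real samples).
SAMPLE = ["Statement_March.pdf", "Invoice.pdf.exe", "Photos.zip", "Q1_Report.docm"]

if __name__ == "__main__":
    for name in SAMPLE:
        level, why = attachment_risk(name)
        print(f"{level:6} {name}: {why}")
```

The point of the tuple return is that the reason string tells the reader what to do next (verify the sender, don’t enable macros), while the level alone is enough to sort a whole message.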
Just because a link says it will send you to one place doesn’t mean it will. Double-check URLs. If a hyperlink’s address doesn’t seem right or doesn’t match the context of the email, don’t trust it. Always hover your mouse over embedded links (without clicking!) and read the address. A link should begin with https://, but that only means the connection is encrypted; phishing sites use https:// too. What matters is the domain name. Read it from right to left: the company’s real name must be the last two parts of the host name, just before the first slash (paypal.com in www.paypal.com/signin). Anything in front of that, as in paypal.com.example.net, belongs to whoever owns the domain at the end.
PayPal Example:
A) https://www.paypal.com/za/webapps/merchant
B) https://www.196.14.342.paypal.com/us
C) https://www.paypal.com/signin?country
D) https://www.paypal.com/za/webapps/mpp/personal
Amazon Example:
A) https://www.ammazon.com/homepage.html
B) https://www.amazone.com/
C) https://www.amazon.com
D) https://www.amazon.us-com/webapps
(Answers at the end of the Blog)
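To make the hover check and the right-to-left reading of URLs concrete, here is an added example (my own illustration, not code from the original post or from any of the companies mentioned) that pulls every link out of an HTML message, compares the visible text with the real destination, and inspects the host name. It assumes a small allow-list of real brand domains (KNOWN_DOMAINS), approximates the registrable domain as the last two labels (the real Public Suffix List also has entries like co.uk), flags hosts one or two keystrokes away from a brand name, and runs on a constructed sample message rather than a real phishing email.

```python
"""Hyperlink checks for a suspicious HTML email (added example, not from the post)."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed allow-list: brands the reader deals with and the registrable domains
# those brands actually use. Constructed for this example, not exhaustive.
KNOWN_DOMAINS = {
    "paypal": {"paypal.com"},
    "amazon": {"amazon.com"},
}


def registrable_domain(host: str) -> str:
    """Last two labels of a host ('www.paypal.com' -> 'paypal.com').
    Simplification: the Public Suffix List also has multi-label suffixes
    such as co.uk; two labels are enough to show the right-to-left reading."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_ip_literal(host: str) -> bool:
    """True for dotted-quad hosts such as 203.0.113.5 (no company name at all)."""
    parts = host.split(".")
    return len(parts) == 4 and all(p.isdigit() for p in parts)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; 1 or 2 flags typosquats like ammazon or amazone."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_link(href: str, text: str) -> list[str]:
    """Return the red flags for one hyperlink (empty list = nothing suspicious)."""
    flags = []
    parts = urlsplit(href)
    host = (parts.hostname or "").lower()
    if parts.scheme != "https":
        flags.append("not https")  # necessary, never sufficient
    if is_ip_literal(host):
        flags.append("IP address instead of a company name")
    reg = registrable_domain(host)
    second_level = reg.split(".")[0]
    for brand, good in KNOWN_DOMAINS.items():
        if reg in good:
            continue  # really under the brand's domain
        if brand in host:
            flags.append(f"'{brand}' appears in the host but the real domain is {reg}")
        elif edit_distance(second_level, brand) <= 2:
            flags.append(f"{reg} is one or two keystrokes away from {brand}")
    # Display text that looks like an address but points somewhere else.
    shown = text.strip()
    if shown.startswith(("http://", "https://", "www.")):
        shown_host = urlsplit(shown if "://" in shown else "https://" + shown).hostname or ""
        if registrable_domain(shown_host) != reg:
            flags.append(f"text shows {shown_host} but the link goes to {host}")
    return flags


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from an HTML email body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text)))
            self._href = None


def audit_email(html: str) -> dict[str, list[str]]:
    """Map each href in the message to its red flags."""
    collector = LinkCollector()
    collector.feed(html)
    return {href: check_link(href, text) for href, text in collector.links}


# Constructed sample message for the demo; not a real phishing email.
SAMPLE_EMAIL = """
<p>Dear User, your account is frozen. Restore access at
<a href="https://paypal.com.account-verify.net/login">https://www.paypal.com/signin</a>
or review recent orders at <a href="http://www.ammazon.com/orders">Your Orders</a>.
Official site: <a href="https://www.paypal.com/signin">PayPal</a></p>
"""

if __name__ == "__main__":
    for href, flags in audit_email(SAMPLE_EMAIL).items():
        print(href, "->", flags or ["no red flags"])
```

Two design points are worth noticing. The check that the brand name appears in the host is deliberately only applied when the registrable domain is not the brand’s own, which is why a host ending in paypal.com passes while paypal.com.account-verify.net does not. And the edit-distance test catches misspellings that a simple substring search misses (ammazon does not contain the string amazon).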
Attackers employ specific strategies in both emails and texts to deceive victims. These strategies often leverage fear, urgency, authority, curiosity, and trust. By understanding these, you can better recognize potential threats.
Attackers may create a sense of urgency, compelling victims to act without thinking.
Examples:
Remember: Always question why immediate action is required. Banks typically recommend calling the number on the back of your credit card for any issues, not a non-official number.
Phishers may impersonate authority figures to manipulate victims into complying.
Examples:
Remember: Always verify out-of-the-ordinary requests from authority figures. Government entities don’t typically initiate contact via text.
Other tactics include instilling fear, provoking curiosity or intrigue, and abusing trust.
Examples:
Remember: Be skeptical of threats, unexpected rewards, and unusual requests for sensitive information. Always verify these kinds of messages independently.
In today’s increasingly digital world, phishers are advancing their techniques, including employing AI tools like ChatGPT to craft convincing messages. Here are some final tips to protect yourself:
In wrapping up, the most effective safeguard against phishing attacks is a blend of vigilance and healthy skepticism. I encourage you to thoroughly scrutinize suspicious communication before clicking links, providing personal or financial information, or downloading attachments. As a financial professional, I work to protect clients’ privacy and to equip them with the knowledge they need to stay safe in this digital age. Securing your digital world is as crucial as securing your financial future.
PayPal example: B is the phishing link, the rest are authentic. (Strictly speaking, a host that ends in paypal.com is still under PayPal’s control; the lesson of B is that numbers and other oddities stuffed into an address are a warning sign. The far more common trick is the reverse, placing paypal.com in front of a domain the attacker owns, such as paypal.com.example.net.)
Amazon example: C is the authentic link; A and B are lookalike misspellings (ammazon, amazone), and D ends in us-com, which is not a real top-level domain.