Protect yourself from phishing and smishing

By Michael Lloyd

Fraudulent email and text messages, known respectively as phishing and smishing attacks, have become increasingly sophisticated in recent years. Gone are the days of poorly worded emails offering a share of Nigerian lottery wins. Cyber scammers now regularly target consumers with convincing messages purporting to be from businesses and organisations they know and trust, such as banks, tax authorities and retailers.

"Both [phishing and smishing messages] can contain malicious links designed to download malware to your device or direct you to a fake site to enter confidential details," said Mike Haley, deputy chief executive of the nonprofit security organization Cifas, in an emailed response to questions. "These can be used to steal money, but also your personal details -- leading to identity theft."

Message fraud has evolved
Traditionally, the scammers who carry out these types of attacks have relied on a scattergun approach, sending out thousands of messages in the hope that a handful of people take the bait. These days, their attacks are often much more targeted.

For instance, now there is "spear phishing", a form of social engineering fraud.

"Social engineering is an extremely targeted type of scam where fraudsters use data about someone that has been pieced together from sources such as social media [or major corporate hacks] and intercepted correspondence to manipulate people into sharing confidential information," Haley said.

These messages might include an intended victim's name and address, and information relating to an account they hold with the organisation the phisher is imitating. "Worryingly, fraudsters are increasingly attempting to convince potential victims to transfer money," Haley said.

Steps to protect yourself
Phishers and smishers depend on the naiveté of their victims. As such, you can protect yourself from falling for their scams by knowing what to look out for:

  • Be wary of messages with errors. One major warning sign is numerous spelling or grammar errors. Companies hire professionals to put their consumer communications together, and they are unlikely to let such mistakes slip through.

  • Check email addresses and SMS numbers. Phishing emails are often sent from addresses that are created to look like the web address of the company they claim to be from, but are subtly different. Criminals can create phone numbers that are very similar to those of the legitimate companies they're imitating, so always double check the phone number against the company's official contact information.

  • Never respond to a message that doesn't address you by name. A legitimate message from a company you do business with will always use your title and correct name. While spear phishing attacks will contain personal information, many scammers still send out fake messages with greetings such as "Dear sir/madam".

  • Be wary of messages that ask you to act urgently. "Often, the messages will attempt to alarm people, claiming that they need to act urgently or face serious consequences," a spokesperson from Financial Fraud Action UK said in response to emailed questions.

  • Never click on any links in a message you suspect to be fake. Most of the time, these will simply lead you to a spoofed website designed to collect your personal information. However, the link could download malware onto your phone or computer. If you do click on any links in a message that turns out to be fraudulent, run a virus check on your device to be sure the link did not infect it.

  • Be wary of requests for sensitive information. Reputable companies will never ask you to provide your date of birth, passwords or PINs in an email or SMS message.
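The sender-address check from the list above can be automated. The following is an added example, not part of the original article: it compares the domain in a From header against a list of domains you actually deal with and flags near-misses. The trusted domains, the function names and the edit-distance threshold are assumptions chosen for illustration.

```python
import unicodedata
from email.utils import parseaddr

# Assumption: constructed sample list of domains the reader really deals with.
TRUSTED_DOMAINS = ("mybank.example", "taxoffice.example")

# Digits commonly used to imitate letters, folded to the letter they imitate.
DIGIT_LOOKALIKES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})

def skeleton(domain):
    """Lower-case, strip accents, fold digit look-alikes and 'rn'/'vv' pairs."""
    text = unicodedata.normalize("NFKD", domain.lower())
    text = "".join(c for c in text if not unicodedata.combining(c))
    return text.translate(DIGIT_LOOKALIKES).replace("rn", "m").replace("vv", "w")

def edit_distance(a, b):
    """Levenshtein distance: single-character inserts, deletes, substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_sender(from_header, trusted=TRUSTED_DOMAINS):
    """Return 'trusted', 'lookalike of <domain>' or 'unknown' for a From header."""
    # parseaddr ignores the display name, which the sender can set to anything.
    _, address = parseaddr(from_header)
    domain = address.rpartition("@")[2].lower()
    if not domain:
        return "unknown"
    # Exact match, or a genuine subdomain of a trusted domain.
    if any(domain == good or domain.endswith("." + good) for good in trusted):
        return "trusted"
    for good in trusted:
        # Trusted name used as a prefix of someone else's domain.
        if (good + ".") in domain:
            return f"lookalike of {good}"
        # Same after folding look-alikes, or within two edits (assumed threshold).
        if edit_distance(skeleton(domain), skeleton(good)) <= 2:
            return f"lookalike of {good}"
    return "unknown"
```

A "lookalike" result means the address deserves the manual check against the company's official contact details; an "unknown" result only means the domain resembles nothing on the list, not that the message is safe.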

If you receive a message that you think is fraudulent, contact the supposed sender using contact information from the company's official website or other verified source, such as a credit card statement or the back of your credit card. You should also keep a close eye on your bank statements for signs of suspicious activity, and change your online account password with the company being spoofed. Finally, always report any suspicious messages to the company they claim to come from, or to an organization such as Action Fraud UK.

You won't always get your money back if you suffer losses as a result of handing over personal information in response to a phishing or smishing message, so it's important to be on guard.


Published: 21 January 2016