How to Recognize and Avoid Phishing Scams

Published: November 23, 2020

Scammers use email or text messages to trick you into giving them your personal information. There are several things you can do to protect yourself from these attempts.

What Is Phishing?

Fraudsters send fake emails or set up fake web sites that mimic the sign-in pages of other trusted companies or organizations to trick you into disclosing your username, password or other personally identifiable information. This practice is sometimes referred to as "phishing" — a play on the word "fishing" — because the fraudster is fishing for your private account information.

If you receive an email (or instant message) from someone you don't know directing you to sign in to a website, be careful! You may have received a phishing email with links to a phishing website. A phishing website (sometimes called a "spoofed" site) tries to steal your account password or other confidential information by tricking you into believing you are on a legitimate website. You could even land on a phishing site by mistyping a URL (web address).

Is that website legitimate? Do not be fooled by a site that looks real. It is easy for phishers to create websites that look like the genuine article, complete with the logo and other graphics of a trusted website.

Once these fraudsters gain access, they can use your personal information to commit identity theft, charge your credit cards, empty your bank accounts, read your email, and lock you out of your online account by changing your password.

Important: If you are at all unsure about a website, do not sign in. The safest thing to do is to close and then reopen your browser, and then type the URL into your browser's URL bar. Typing the correct URL is the best way to be sure you are not redirected to a spoofed site.

Tips to Avoid Phishing Scams:

If you receive an email from a website or company urging you to provide confidential information, such as a password or Social Security number, you might be the target of a phishing scam. The tips below can help you avoid being taken in by phishers.

Unofficial "From" address

Look out for a sender's email address that is similar to, but not the same as, a company's official email address. Fraudsters often sign up for free email accounts with company names in them (such as [email protected] or “[email protected]”). These email addresses are meant to fool you.

Urgent action required

Fraudsters often include urgent "calls to action" to try to get you to react immediately. Be wary of emails containing phrases like "your account will be closed," "your account has been compromised," or "urgent action required." The fraudster is taking advantage of your concern to trick you into providing confidential information.

Generic greeting

Fraudsters often send thousands of phishing emails at one time. They may have your email address, but they seldom have your name. Be skeptical of an email sent with a generic greeting such as "Dear Customer" or "Dear Member".

Link to a fake website

To trick you into disclosing your user name and password, fraudsters often include a link to a fake website that looks similar to or exactly like the sign-in page of a legitimate website. Just because a site includes a company's logo or looks like the real page does not mean it is! Logos and the appearance of legitimate websites are easy to copy.

Check the web address

Just because the address looks OK, do not assume you are on a legitimate site. Look in your browser's URL bar for these signs that you may be on a phishing site: 

  • Incorrect company name. Often the web address of a phishing site looks correct but actually contains a common misspelling of the company name or a character or symbol before or after the company name.
  • Tricks in the web address. Fraudsters will sometimes add an extra letter where you would not expect. For example, www.usssfcu.org instead of ussfcu.org. They may also replace letters with numbers that might not be immediately identifiable on first glance. For example, www.paypa1.com instead of www.paypal.com.
  • Unsecure sign-in pages. "http://" at the start of the address on sign-in pages is a potential red flag. Almost all legitimate sign-in pages start with "https://"; the letter "s" must be included. So, check the website address of any sign-in page.
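
The address checks in the list above can also be run automatically, for example by a mail filter or help desk script. The following is an added example, not part of the original article; it assumes a small allow-list holding the two genuine domains the article names, and it compares the whole host name after dropping "www.", so it does not evaluate subdomains.

```python
from urllib.parse import urlsplit

# Assumed allow-list: the two genuine domains named in the article.
TRUSTED = {"ussfcu.org", "paypal.com"}
# Digits commonly swapped in for look-alike letters (illustrative, not exhaustive).
DIGIT_SWAPS = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s"})
HTTP_WARNING = "sign-in page served over http://"
UNKNOWN_HOST = "host is not on the trusted list"


def edit_distance(a, b):
    """Levenshtein distance: each insert, delete or substitution costs 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_url(url, trusted=TRUSTED):
    """Return the warning signs from the list above that apply to url."""
    # Accept addresses typed without a scheme, such as "www.example.org".
    parts = urlsplit(url if "://" in url else "//" + url)
    host = (parts.hostname or "").lower().rstrip(".")
    if host.startswith("www."):
        host = host[4:]

    findings = []
    if parts.scheme == "http":
        findings.append(HTTP_WARNING)
    if host in trusted:
        return findings  # genuine host: only the scheme can be wrong

    hits = []
    unswapped = host.translate(DIGIT_SWAPS)
    for good in sorted(trusted):
        if unswapped == good:
            hits.append("digit swapped for a letter in " + good)
        elif edit_distance(host, good) == 1:
            hits.append("one character away from " + good)
    # A host that resembles nothing on the list is still unverified.
    return findings + (hits or [UNKNOWN_HOST])
```

An empty result means only that the host is on the allow-list and the scheme is https; it says nothing about hosts the list does not cover.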

Legitimate links mixed with fake links

Fraudsters sometimes include authentic links in their spoof pages, such as to the genuine privacy policy and terms of service pages for the site they are mimicking. These authentic links are mixed in with links to a fake phishing website in order to make the spoof site appear more realistic.

Be leery of pop-ups

Be careful if you are sent to a website that immediately displays a pop-up window asking you to enter your username and password. Phishing scams may direct you to a legitimate website and then use a pop-up to gain your account information.

Give a fake password

If you are not sure if a site is authentic, do not use your real password to sign in. If you enter a fake password and appear to be signed in, you are likely on a phishing site. Do not enter any more information; close your browser.

Important: Some phishing sites automatically display an error message regardless of the password you enter. So, just because your fake password is rejected, do not assume the site is legitimate.

Use a web browser with anti-phishing detection

Internet Explorer, Mozilla Firefox, and other web browsers have free add-ons (or "plug-ins") that can help you detect phishing sites.

Be wary of other methods to identify a legitimate site

Some methods used to indicate if a site is safe cannot always be trusted. A small, unbroken key icon or locked padlock icon at the left of the URL bar of your browser is not a reliable indicator of a legitimate website. Just because there is a key or lock icon and the security certificate looks authentic, do not assume the site is legitimate.

Lastly, look for these other indicators that an email might not be trustworthy:

  • Spelling errors, poor grammar, or inferior graphics.
  • Requests for personal information such as your password, Social Security number, or bank account or credit card number. Legitimate companies will never ask you to verify or provide confidential information in an unsolicited email.
  • Attachments (which might contain viruses or keystroke loggers, which record what you type).

How to Protect Yourself from Phishing Attacks

Your email spam filters may keep many phishing emails out of your inbox. But scammers are always trying to outsmart spam filters, so it’s a good idea to add extra layers of protection. Here are four steps you can take today to protect yourself from phishing attacks.

Four Steps to Protect Yourself from Phishing:

  1. Protect your computer by using security software. Set the software to update automatically so it can deal with any new security threats.
  2. Protect your mobile phone by setting software to update automatically. These updates could give you critical protection against security threats.
  3. Protect your accounts by using multi-factor authentication. Some accounts offer extra security by requiring two or more credentials to log in to your account. This is called multi-factor authentication. The additional credentials you need to log in to your account fall into two categories:
    • Something you have — like a passcode you get via text message or an authentication app.
    • Something you are — like a scan of your fingerprint, your retina, or your face.

Multi-factor authentication makes it harder for scammers to log in to your accounts if they do get your username and password.

  4. Protect your data by backing it up. Back up your data and make sure those backups aren’t connected to your home network. You can copy your computer files to an external hard drive or cloud storage. Back up the data on your phone, too.

What to Do If You Suspect a Phishing Attack

If you get an email or a text message that asks you to click on a link or open an attachment, answer this question:

Do I have an account with the company or know the person that contacted me?

If the answer is “No,” it could be a phishing scam. Go back and review the Tips to Avoid Phishing Scams section and look for signs of a phishing scam. If you see them, report the message and then delete it.

If the answer is “Yes,” contact the company using a phone number or website you know is real, not the information in the email. Attachments and links can install harmful malware.

What to Do If You Responded to a Phishing Email

If you think a scammer has your information, like your Social Security, credit card, or bank account number, go to IdentityTheft.gov. There you will see the specific steps to take based on the information that you lost.

If you think you clicked on a link or opened an attachment that downloaded harmful software, update your computer’s security software. Then run a scan.

How to Report Phishing

If you receive a phishing email or text message, report it. The information you give can help fight the scammers.

  • Step 1. If you get a phishing email, forward it to the Anti-Phishing Working Group at [email protected]. If you get a phishing text message, forward it to SPAM (7726).
  • Step 2. Report the phishing attack to the FTC at ftc.gov/complaint.

Sources for information above: https://www.consumer.ftc.gov/articles/how-recognize-and-avoid-phishing-scams, https://safety.yahoo.com/Security/PHISHING-SITE.html.
