Phishing

Some scammers hack accounts and gather personal details on victims to launch highly targeted attacks, a practice called spear-phishing. Global crime gangs use phishing emails to penetrate companies’ computer networks or convince employees to pay phony invoices. ​​

Wherever their apparent source, phishing messages feign urgency (act now or you’ll risk arrest/have your account frozen/miss out on this special offer). You’ll be asked to quickly provide or “confirm” key pieces of personal or business information or be directed to click on a link, which might launch malware that harvests data from your computer or ransomware that takes over the machine and locks you out.​​

Take these precautions to help spot phishers and avoid their scams.​​

Warning signs​

Emails that contain one or more of the following:​

• Offers of free products or services, supercheap travel deals, or a sweepstakes prize or other financial windfall​
• Vague or generic language, such as “payment issue,” to describe a problem with an account or purchase​ 
• Threats of dire consequences, such as legal action or an account being frozen, if you don’t act immediately​ 
• Requests that you click a link, open an attachment, or reply with personal or financial information to take advantage of an offer or to resolve a problem
• Multiple spelling and grammar errors — many phishing scams originate abroad​
• Pop-ups on your computer or mobile device that warn of viruses, promise a prize or redirect you automatically to another site
• Unsolicited messages that claim to be from a government agency, public utility, bank or major company ​​​

How to protect yourself from this scam​

• Check the “From” address. If an email says it’s from Apple or Bank of America but comes from, say, a Gmail account or an address with a foreign domain, it’s phony.​
• Hover your mouse over links in suspicious emails to reveal the true destination. Pasting the URL into a safety checker such as VirusTotal or Google Safe Browsing can tell you if it presents a phishing or malware risk.​
• Use antivirus software and keep it up to date. Activate firewalls and other settings that block malicious files.​ 
• Vary the passwords on your online accounts, which can minimize the damage if you are phished or hacked. Change passwords immediately if you suspect a breach.​
• Don’t give out personal or financial data such as your Social Security number or account numbers in response to an email or an unsolicited call. A company or government office contacting you on legitimate business will not ask you for such information.​ 
• Never click on a link or open an attachment unless you are certain the email comes from a trusted source. To check whether a business or government agency is really trying to contact you, use its legitimate customer-service email or hotline, which you can find online or on account statements.​​​

More resources

• Forward phishing emails to the FTC at reportphishing@apwg.org and to the business or organization the sender claims to represent. Many companies have dedicated email addresses to report phishing, which you can find online.​ 
• If you are the victim of a phishing scam, file a complaint with the FTC (online or at 877-382-4357) and visit the agency’s identitytheft.gov site for tips on how to limit and repair the damage.​
• You can also report phishing emails to the FBI’s Internet Crime Complaint Center at www.ic3.gov.