Phishing is a method of attack that can catch even the most careful of people. Pronounced like the sport, phishing works much the same way: an attacker drops a lure, typically into an email or text message, and then hopes someone bites.
The lure may be an email claiming to be from LinkedIn, with a link asking someone to log in with a user name and password so that the attacker can steal those credentials. Or it could be an email pretending to be from their bank, stating that they need to restore their account, with a link that takes them to a fake page that steals their details.
You may even encounter a fake app that is also phishing for details, as one iOS app called Setup for Amazon Alexa tried to do back in 2018. Once people downloaded the app, it tried to get them to enter their device's IP address and serial number.
Phishing can target one person, which is typically called spear phishing, or an entire network of people. It is also one reason that breaches of large systems, such as the one exposing the data of 500 million Facebook users, are a concern: hackers can use the leaked email addresses and phone numbers to try to phish the people affected.
How common — and how successful — is phishing? The FBI reports that people lost $57 million collectively to phishing in 2019. And while it's difficult to be completely protected from phishing, there are some rules to follow that can help keep you from handing over your personal details.
Before clicking on a link in an email, app or text, do a bit of homework. (Image: Getty Images/iStock)
Rule 1: Do not click on any link
Say you get an email from a favorite cousin with a simple subject line that says, "Look at this!" and the body of the email is nothing but a link. Do yourself a favor: call or text your cousin and ask whether they sent you a link.
The same rule goes for any warning email from your bank, credit card company, the IRS, UPS — basically any link in an email from a company that typically sends you messages by regular postal mail, or sends messages without links — telling you your account is in danger, your refund is available now, or anything else that supposedly needs your immediate attention.
Picking up the phone, looking up a number to call, and checking whether the email is correct takes a few minutes but is well worth the effort. If in fact your account is in danger, or you're due a refund, or whatever the concern is, someone can verify that on the phone.
Rule 2: Don't enter personal information on a strange link
Okay, you clicked on the link. Take a deep breath. Now, shut that window and certainly do not enter your user name, password, account details or more into any field.
Concerned that you in fact should check your account at your bank, credit card company, financial institution or whatever group has emailed you? Go to a new window — better even, a new browser — and type in the actual URL where you typically go to do your banking, or pay your credit card, or check your retirement balance.
Only there, at the site where you typically go, should you start to enter your credentials.
The URL can tip you off as to whether the site you're on is legitimate. (Image: Getty Images/iStock)
Rule 3: Look at the URL
While this isn't always easy to spot, fake phishing links will often take someone to a web site whose name is spelled the same as the real site but ends in ".net" or some other domain, while the real site ends in ".com". This is another reason, notes the National Cybersecurity Alliance, to type the web site's URL yourself in a new window.
Rule 4: Look for generic greetings
The Federal Trade Commission (FTC) notes that phishing emails claiming to be from a place where you do business will often open with a generic greeting like "Dear Sir" or "Hi Dear," even though you've been banking with that company for eight years.
While this isn't always the case, if an email doesn't use your real name, or spells it incorrectly, that can be a clue that the message is not from the company it purports to be from.
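Rules 3 and 4 describe two indicators a person can check by eye: a link whose domain is spelled like the real one but ends differently, and a greeting that is generic instead of using the recipient's name. The script below is an added example, not part of the original article, that applies the same two checks to the text of a message. The sample email, the "examplebank" domains and the recipient name "Maria" are all constructed for illustration; the list of known domains is something you would fill in with the sites you actually use.

```python
import re
from urllib.parse import urlparse

# Constructed sample message; not taken from any real mailbox.
SAMPLE_EMAIL = """From: security@examplebank.net
Subject: Your account is in danger
Dear Sir,
Please restore your account at https://examplebank.net/login within 24 hours.
"""

# Assumption for the example: the site the recipient really banks with.
KNOWN_DOMAINS = {"examplebank.com"}

# Greetings the FTC-style check treats as generic (lower-case, no punctuation).
GENERIC_GREETINGS = ("dear sir", "dear madam", "dear sir or madam",
                     "hi dear", "dear customer", "dear user", "dear member")

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def registrable_domain(hostname):
    """Return the last two labels of a hostname, e.g. 'login.examplebank.net' -> 'examplebank.net'.
    This simple rule ignores multi-part suffixes such as .co.uk; it is enough for the
    same-name-different-ending pattern the article describes."""
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else hostname.lower()


def lookalike_domains(text, known_domains):
    """Rule 3: find links whose main label matches a known domain but whose ending differs
    (the '.net instead of .com' case). Returns (url, link_domain, known_domain) tuples."""
    known = {registrable_domain(d) for d in known_domains}
    known_by_label = {d.split(".")[0]: d for d in known}
    findings = []
    for url in URL_RE.findall(text):
        url = url.rstrip(".,)")          # drop sentence punctuation glued to the link
        host = urlparse(url).hostname
        if not host:
            continue
        dom = registrable_domain(host)
        if dom in known:
            continue                     # exact match with a site you actually use
        label = dom.split(".")[0]
        if label in known_by_label:
            findings.append((url, dom, known_by_label[label]))
    return findings


def has_generic_greeting(text):
    """Rule 4: true if any line of the message is a generic salutation on its own."""
    for line in text.splitlines():
        stripped = line.strip().lower().rstrip(",:!.")
        if stripped in GENERIC_GREETINGS:
            return True
    return False


def phishing_indicators(text, known_domains, recipient_name):
    """Combine the two checks into a list of human-readable warnings (empty list = nothing found)."""
    indicators = []
    for url, dom, real in lookalike_domains(text, known_domains):
        indicators.append(f"link {url} uses {dom}, which looks like {real} but ends differently")
    if has_generic_greeting(text):
        indicators.append("generic greeting instead of your name")
    if recipient_name.lower() not in text.lower():
        indicators.append(f"your name ({recipient_name}) does not appear in the message")
    return indicators


if __name__ == "__main__":
    for warning in phishing_indicators(SAMPLE_EMAIL, KNOWN_DOMAINS, "Maria"):
        print("WARNING:", warning)
```

The checks are deliberately conservative: a link to an exact known domain is never flagged, and a domain that merely contains a known name as a subdomain (for example, a known name in front of an unrelated registered domain) is not caught by this rule, which is why the article still tells you to type the real URL yourself rather than trust any automated check.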
Rule 5: Don't enter passwords into pop-up screens
Pop-up screens can be legitimate, but they are not the way companies ask you to enter your email address or passwords for any account, notes the Center for Internet Security.
If you do click on a link and the web site shows a pop-up screen (a screen that appears over the main page you're viewing), just close that tab or window.
Think about reporting any encounter where you feel your personal data may be at risk. (Image: Getty Images/iStock)
Rule 6: Use spam filters
A good spam filter can actually spot a number of phishing emails before they make it to your inbox. Some email accounts, like Gmail, include these automatically.
If you do see an email that looks problematic or just off, mark it as junk. That way, future emails from the same source have a better chance of being filtered out of your inbox.
Rule 7: Report the phish
If you followed all these rules and still think you may have accidentally given up your personal details, it may be worth a trip to the FTC's Identity Theft site, where you can run through a series of steps depending on which piece of data you believe has been compromised.
The site can help you run through suggestions on how to handle issues around data from Social Security numbers to bank account information, and even a child's personal details.