Avoid Fraud

Phishing Scams: Stay Clear of the Bait
Image of a fish hook to depict a phishing scam

Fraudsters are versatile when it comes to creating new pitches to separate targets from their money. Virtually any news item, positive or negative, can become a "hook" for a new scam—whether a natural disaster or the launch of a new product or company.

But sometimes the hook can seem more mundane and might come in the form of a seemingly authentic email, text or encrypted message from a well-known company or financial institution or even a government agency. For instance, the Internal Revenue Service (IRS) regularly warns of phishing schemes that use references to tax refunds, filing issues or investigations to lure recipients into opening a bogus email or clicking on an embedded link.

Knowing how to recognize and avoid these scams can help you protect both your identity and your assets.

How to Recognize Phishing Attempts

Phishing scams often start with an email, text or encrypted message that falsely claims to be from a financial institution, credit card company, electronic payment service, mail delivery company or another familiar organization or service. Sometimes, the message purports to be from a government or regulatory agency.

To appear genuine, these pitches typically use:

  • the names of real people or organizations;
  • legitimate-looking addresses, such as support@[name of your financial institution].com;
  • authentic-looking logos and graphics;
  • links to pages of a seemingly credible website; and
  • official-looking fine print and references to laws.

Most phishing campaigns attempt to lure you into providing sensitive personal information by requesting that you reply to the sender or click on a link that mimics a legitimate website and asks you to provide the information.

Phishing scams might also encourage you to click on a link or download software that will then secretly install malicious software on your computer or other device. Malware can take many forms. Some programs log your keystrokes and allow scammers to find your usernames and passwords, giving them access to your online accounts. Others, referred to as ransomware, encrypt or otherwise block access to the files on your computer, after which the bad actor demands payment (often in cryptocurrency) for removal of the malware.

Phishing messages often apply "urgency" to incite you to act, such as claiming that your account has been or will be shut down unless you click the link, or that you need to verify your identity (and provide sensitive information) due to fraudulent or illegal activity using your information.

In targeted or “spear” phishing, scammers send messages that appear to be from an individual you know. These “friend” or “colleague” emails seem plausible—for instance, an email that looks like it’s from your company’s human resources department asking for updated personal information, or a video that appears to be recommended by someone you know.

Protect Yourself From Phishing Attempts

It’s important to stay vigilant online and to be skeptical of unexpected messages, as cybercrime changes at a rapid pace. For example, misspelled company names and jumbled website URLs were a clear tipoff to phishing ploys in the past. But scammers have evolved their tactics, and now seemingly legitimate links can hijack users to a fraudulent site through technical code buried behind the message.

This makes it especially critical that you don't reply to or click on a link in an unsolicited message—via email, text, encrypted message or any other electronic message platform—even if it seems to come from someone you know or an institution with which you do business.

Taking these additional steps can also help you protect your information:

  • Verify the claim by independently logging on to the company’s main website or calling using a telephone number obtained from a separate source. For instance, type the URL found on a legitimate account statement directly into your browser, check the account using the associated app on your mobile device or call the phone number found on the back of your credit card.
  • Check whether an email address or text might be mimicking a legitimate sender in a phishing attempt. For instance, does the visible sender name match the underlying email address? Did the message come from a public email server, such as Gmail, but purport to come from a business or government agency? Did the text come from an email address or an unusual number, such as an international number? If you suspect a scam, block the sender, and report the message as junk.
  • Use only secure networks to access your financial accounts, consider enabling multi-factor authentication (MFA), if available, and be sure to create strong passwords for your accounts and any financial apps you use. Check out these tips.
  • Use FINRA BrokerCheck to ensure the firm and financial professional are properly registered and to verify the phone and address information you receive before you open an account with a brokerage firm or give an individual access to your money. This can help you avoid broker imposter scams.
  • Regularly review your account statements and activity for any unrecognized transactions, and immediately report any suspicious activity to your financial institution. Check your credit report annually as well, looking for accounts you didn’t open and any unexplained activity.

If you believe your identity has been stolen, the Federal Trade Commission's Identity Theft resource can help. If you're the victim of a cybercrime, report it to the FBI’s Internet Crime Complaint Center.