How Not to Get Taken by a Phishing Scam

I got a text the other day that read something like this:

USPS - Adrian, your shipment was supposed to be delivered before Christmas. Track here and claim compensation.

This scam was easy for me to spot because my name is Rachael, not Adrian. It’s an example of a phishing scam; so-called because the hackers are like fishermen casting a wide net, in hopes of snagging as many of us as they can dupe for profit.

In a world where we’re more likely than not waiting for a late package or bank deposit, it’s quite easy for scam artists to prey on our anxiety and distraction — especially when most of us are sheltering at home during this pandemic as new COVID-19-related scams multiply.

The FBI and Federal Trade Commission have both warned of an increasing number of scams related to fake text messages and even videoconferencing calls from "public health officials," according to the University of Colorado Boulder.

"I’m by myself, I don’t have anybody nearby I can say, ‘Hey, what do you think of this?’" said 81 year-old Thomas Kennedy, a retired journalist in Pinole. He got scammed last November into buying $1,700 worth of CVS gift cards, by people claiming to help him get a refund on — get this — a fake update of Norton antivirus software.

"There was an email that said that I was being renewed, and if I wanted to stop it, I'd get a refund. Well, I called the number and then they said, 'We'll give you somebody to help you,' " Kennedy said. That somebody in "tech support" explained to him that before he got the refund, he'd need to buy gift cards at CVS and call back to give them the serial numbers. "It should have rang a bell with me. I've heard of it happening, he just sounded so reassuring that I just went along with it."

The same man shamelessly asked Kennedy to head next to Best Buy and procure more gift cards, but this time, the driver of the car he hired to get back home overhead a conversation with the con man and said something. " 'You know, that sounds like a scam. Don't give the serial numbers.' "

Even after the embarrassment of knowing he'd been had, Kennedy was almost scammed again a few weeks later. "I got an email that said that my drivers needed updating and it sounded pretty good."

Older people less familiar with the digital landscape — and home alone during the pandemic — are commonly the victims of phishing scams, but even those who consider themselves tech savvy can be fooled by a text or email that looks like it comes from a legitimate company, a practice known as "spoofing."

How to spot a scam

"Even if they send a million of these messages and only 38 people click on them, it’s still profitable for them," said Brian Linder of the cybersecurity software company Check Point.

He added people of all ages are tricked by messages that generate a false sense of urgency. " 'You have two hours to click on this link, or it expires. Click now! Click here!' People distracted in corona-time are more likely to follow an order that they are given, blindly," Linder said.

That false urgency is designed to make you forget to closely inspect the message for indications it's not actually coming from who or what it purports to be coming from. "Put your mouse over the URL in that email and if it’s Amazon.co or Amazon with a misspelling or the o is a 0. Look for stuff like that," said Linder.

There’s an even simpler rule of thumb that will protect you and your loved ones from grief: Bypass the link to what is probably a fake website. Instead, go directly to the company website or app. If your bank is really trying to reach you to update your contact info, you’ll see a message there.

Clicking on a link to a fraudulent web site invites the thieves in. Maybe the hackers download malware to glean passwords without you ever knowing. Maybe, as happened to Kennedy, you get stuck on the phone with a faker who asks for — or demands — payment in gift cards or bitcoin. As he realized belatedly, any request for gift cards or bitcoin is probably a red alert sign of a scam.

Scam artists are also especially adept at following what's trending in the news. If that text or email refers to something currently top of mind, like holiday shopping or COVID-19 vaccines, there's a temptation to click on the link without thinking.

"We've seen phishing emails being sent out from, supposedly, the CDC, saying, 'Click on this link for infection prevention measures.' You know, 'If you want your vaccine, you have to download this attachment and fill out this form,'" said Tim Bandos of the cybersecurity software firm Digital Guardian.

The FBI does run a complaint center for online scams, but after your money is gone, it’s unlikely law enforcement can help you get it back. "Ultimately, what it comes down to is attribution," explained Bandos. "Identifying who the threat was behind the attack, and that is almost impossible with today’s technology. They can hop through a bunch of different virtual network points and hide behind firewalls and obscure who they are."

Nonetheless, many companies whose online profiles are regularly abused by scam artists do want to know if you spot something dubious. Shipping companies, in particular, all state unequivocally they do not send unsolicited text messages or emails to customers requesting money or personal information for any package.

"If you believe you have fallen victim to or been exposed to a scam, contact us to connect with a member of our Customer Protection Review team," Amazon wrote publicly here.

Experts say your family, or your company, is only as secure as its weakest link — meaning the person who clicks without a second thought. Don't be shy about reminding everyone you know: don't click.