Fraudulent attempts at getting you to divulge private information via
messages sent to your computer, tablet or smartphone are called
phishing. The name is a play on the word fishing, and is pronounced the
same.
Phishing has traditionally been associated with email, but the growth in
smartphone use has led to scammers also using text messages and services
like WhatsApp.
Examples
Phishing can take various forms. These are just some examples:
- You receive an email, apparently from Facebook, saying someone has
tagged you in a picture. When you click to see it, you’re shown a page
made specially to look like the Facebook login page, with a box to type
your password. What actually happens is that your password is sent to the
phisher, who works for the government of a country keen to spread harmful
misinformation. They adopt your identity – your friendly face; your
longstanding online reputation – to further their campaign.
- You receive a text message, apparently from the postal service, saying
a delivery is on its way but the sender didn’t put enough stamps on. To
get your parcel, you’re asked to tap a link to pay the difference. It’s a
small amount, so you don’t give it much thought. But there was no such
parcel. Your money has gone to a fraudster.
- You receive an email saying your subscription to a TV streaming service
has renewed automatically. This is a surprise, because you no longer watch
those channels — and thought you cancelled months ago. There’s a phone
number to call, and you give your payment card details for a refund. But
the email was bogus, and so is the call centre. Some scammers make so much
money that they can afford to operate a toll-free number, which victims
may be more likely to trust.
There are a few things you can check to help determine the authenticity of
an email, text or other electronic message.
Check the spelling and grammar
A scammer may not speak your language very well, and this can work in your
favour: bad spelling or unusual grammar are common signs that a message is
bogus. Sometimes you’ll see particularly complex or unusual phrases, which
are a sign that the message has been translated automatically.
In the heat of the moment it can be easy to miss, but the wording of a
message is often the most visible clue that it’s fraudulent. So, when in
doubt, take your time.
Of course, some scammers will write perfectly in your native language; and
conversely, a genuine sender might make a mistake! So, there’s no definitive
rule here.
Check the From address
This applies only to email. Consider that an email includes a To address,
From address, sender name, subject and body.
The From address is of particular interest, but
many email apps hide it to begin with, showing only the sender name. The
name is not helpful in determining the authenticity of an email, because it
can be anything the sender chooses. So, learn where to find the From address
in your email software — often by resting the mouse cursor over the sender
name, or clicking or tapping it.
An unusual From address is usually a clear giveaway of a fraudulent email.
For example, an email from eBay is almost certainly going to come from an
address ending in ebay.com or a local equivalent like ebay.co.uk. If the
From address shows otherwise, there’s a good chance the message is
bogus.
Sadly, the reverse is not true. Because ‘spoofing’ is possible, you cannot
be certain that (for example) an email showing a From address ending in
paypal.com really is from PayPal. That said, technological measures to
combat spoofing have made the practice less worthwhile for scammers: good
email providers are now highly likely to filter such messages as junk.
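The From address check described above can be expressed as a short script. This is an added example, not part of the original article; the list of expected domains and the sample headers are assumptions constructed for illustration.

```python
from email.utils import parseaddr

# Assumption: the domains you expect this sender to use, taken from the
# eBay example in the text.
EXPECTED_DOMAINS = {"ebay.com", "ebay.co.uk"}


def from_domain(from_header):
    """Return the lower-cased domain of the From address, ignoring the sender name."""
    _name, address = parseaddr(from_header)
    if "@" not in address:
        return ""
    return address.rsplit("@", 1)[1].lower().rstrip(".")


def domain_matches(domain, expected):
    """True only for the expected domain itself or a subdomain of it.

    A plain "ends with ebay.com" test would also accept "fake-ebay.com",
    so the match must fall on a dot boundary.
    """
    return domain == expected or domain.endswith("." + expected)


def check_from(from_header, expected_domains=EXPECTED_DOMAINS):
    """Classify a From header as 'plausible' or 'mismatch'.

    'plausible' is not proof: the From address itself can be spoofed.
    """
    domain = from_domain(from_header)
    if domain and any(domain_matches(domain, e) for e in expected_domains):
        return "plausible"
    return "mismatch"


# Constructed sample headers, not taken from real messages.
SAMPLES = [
    "eBay <members@reply.ebay.com>",
    "eBay <support@ebay.co.uk>",
    "eBay Customer Support <support@fake-ebay.com>",
    "eBay <billing@ebay.com.account-check.example>",
    '"service@ebay.com" <helpdesk@mailer.example>',
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(f"{check_from(header):9}  {header}")
```

The last three samples show why the sender name and a loose "ends with" test are both unreliable: the name can contain a genuine-looking address, and the real domain can merely resemble or begin with the expected one.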
Check where links take you
To complete the scam, phishing messages typically include a link to a web
page on which you are asked to enter the information the scammer desires. In
other words, being the victim of a phishing scam actually requires you to be
tricked twice: first into believing a fake message is genuine, and second
into giving away private information.
Consider, then, that it doesn’t matter if you ‘fall for’ a fake message if
you’re able to back out at the stage where you realise the resulting web
page is fake. The email might have been perfectly written, and you might
have missed the slight misspelling in the From address, but now that you’ve
clicked the link you can make arguably the most reliable check of all: the
address displayed in your browser.
Visit the website directly
If you’re still in doubt, a foolproof option is to ignore the link in the
suspect message and make your own way to the website in question. If you
really have been sent that money on PayPal or tagged in that Facebook photo,
you can find out directly — bypassing the possibility of a scammer leading
you astray.
As a bonus, bookmark important sites to ensure you never end up on fake
versions of the same.