Don’t Take the Bait When It Comes to Phishing Scams
October 24, 2022 | Cybersecurity
Phishing scams get a lot of attention these days — rightly so, as that Nigerian prince is STILL hoping you’ll click the link to wire him that money.
But have you ever wondered why the term is spelled with a “ph” instead of just traditional “fishing”?
The term is a nod to “phreaking” — short for “phone freaking,” which was a fraudulent way to avoid paying for long-distance calls back in the day (like way, way back before smartphones were common).
Therefore, it’s essentially “fishing” + “phreaking” — and generally known as a way for threat actors to fraudulently use electronic means like e-mail and texts as lures, attempting to hook the "fish" (that’s you) for passwords and financial data.
And that means phishing is very, very bad.
Here we are in the final week of National Cybersecurity Awareness Month, and we’re tackling one of the most common cybersecurity threats to individuals and small businesses: phishing.
Here’s the general outline of what you can expect from this (not exaggerated) phishing tale:
- What exactly is phishing, and what are some common elements of a scam?
- What are the steps to avoid being caught by phishing?
- What should I do if I feel I may have been lured in?
Ready to learn how to leave that bait behind when it comes to phishing? Read on…
When it comes to phishing, the goal is to get you to take some sort of action in response to outreach. According to the National Cybersecurity Alliance:
“Phishing is when criminals use fake emails, social media posts or direct messages with the goal of luring you to click on a bad link or download a malicious attachment. If you click on a phishing link or file, you can hand over your personal information to the cybercriminals. A phishing scheme can also install malware onto your device.”
This means the common element of all phishing attempts is a communication of some kind, whether by email or another electronic channel, including text and phone messages.
And according to Aaron Boigon, Plumas Bank EVP and Chief Information Officer, there are other commonalities present in a phishing scam.
“People need to be especially wary of messages or emails that do one of the following:
- Create a false sense of urgency — they’re often asking you to do something right away.
- Request sensitive information, like your logon credentials, a password, PIN, or account number.
- Include unexpected links or attachments.”
He adds that a big phishing giveaway is the call to action, as these emails and messages usually ask you to do something — like open an attachment or click a link — often accompanied by a doom-and-gloom message about what happens if you don’t do so immediately.
So how can people avoid common phishing lures? Boigon says we need to adopt a paradigm shift in how we view communication in the first place.
“Sadly, you must start from a mindset of ZERO TRUST,” he emphasizes. “Assume messages or emails that request you to click a link, open an attachment, or provide sensitive information are a phishing attempt. Then do NOT open an attachment or click a link unless you are 100 percent sure it’s legit.”
Verify Emails to Avoid Phishing Schemes
Another key to avoiding phishing traps: Before clicking anything, verify that the email is legitimate.
“I recommend that you have each message prove to you it’s valid, rather than assuming it’s safe from the start,” Boigon says. “If in doubt, delete it and contact the sender to verify — using the contact info you already have, and NOT what’s in the email.
“In short, we all have certain spidey senses about the legitimacy of an email,” he continues. “We need to trust our gut and assume the worst before performing any actions.”
If there are links in the suspicious email, hover over them before clicking to see whether they actually point to an appropriate, verifiable site. Beware of sites that look very similar to a real website but where the layout is in a different order, text is misspelled, or you are asked to supply sensitive information like an account number. Look for other signs that you are on the correct site, such as “https” in the address bar.
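The hover-and-compare check above can be mechanised. The following Python script is an added example written for this post; it is not Plumas Bank's tooling and the email body, the trusted-domain list (`TRUSTED_DOMAINS`) and the simple "last two labels" registrable-domain rule are all assumptions constructed for the demonstration. It pulls every link out of an HTML email and flags the three things a reader is told to look for: a link that is not https, displayed link text whose domain differs from the real destination, and a destination domain that merely resembles one you already trust (brand name wedged into a longer name, or a one-character typo/homoglyph such as "rn" for "m").

```python
import re
from difflib import SequenceMatcher
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample of a phishing-style HTML email body (not a real message).
SAMPLE_EMAIL_HTML = """
<p>Your account has been locked. Act now:</p>
<a href="http://examplebank-secure-login.com/verify">https://www.examplebank.com/login</a>
<p>Or visit <a href="https://www.examplebank.com/help">our help center</a>.</p>
<p>Update your card at <a href="https://exarnplebank.com/cards">exarnplebank.com</a></p>
"""

# Assumption: the domains the reader already knows to be legitimate.
TRUSTED_DOMAINS = {"examplebank.com"}


class LinkExtractor(HTMLParser):
    """Collect (href, displayed text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(text_or_url):
    """Hostname of a URL, also accepting bare names like 'examplebank.com'."""
    if "://" not in text_or_url:
        text_or_url = "http://" + text_or_url
    return (urlparse(text_or_url).hostname or "").lower()


def registrable_domain(host):
    """Naive registrable domain: last two labels (assumption, fine for .com names here)."""
    parts = host.rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def looks_like_url(text):
    """True when the displayed anchor text itself reads as a URL or domain."""
    return "://" in text or re.match(r"^[\w.-]+\.[a-z]{2,}(/|$)", text.strip(), re.I) is not None


def lookalike_of(domain, trusted=TRUSTED_DOMAINS):
    """Return the trusted domain this one imitates, or None if it is trusted/unrelated."""
    if domain in trusted:
        return None
    for good in trusted:
        brand = good.split(".")[0]
        if brand in domain:  # e.g. examplebank-secure-login.com
            return good
        if SequenceMatcher(None, domain, good).ratio() > 0.8:  # typo or homoglyph
            return good
    return None


def check_link(href, text, trusted=TRUSTED_DOMAINS):
    """Return a list of human-readable warnings for one link (empty means nothing odd)."""
    findings = []
    target = registrable_domain(host_of(href))
    if urlparse(href).scheme != "https":
        findings.append("not https")
    if looks_like_url(text):
        shown = registrable_domain(host_of(text))
        if shown != target:
            findings.append(f"displayed {shown} but links to {target}")
    imitated = lookalike_of(target, trusted)
    if imitated:
        findings.append(f"lookalike of {imitated}")
    return findings


def analyze_email(html, trusted=TRUSTED_DOMAINS):
    """Extract every link from an HTML email and attach its warnings."""
    parser = LinkExtractor()
    parser.feed(html)
    return [{"href": h, "text": t, "findings": check_link(h, t, trusted)} for h, t in parser.links]


if __name__ == "__main__":
    for link in analyze_email(SAMPLE_EMAIL_HTML):
        status = "; ".join(link["findings"]) or "ok"
        print(f'"{link["text"]}" -> {link["href"]}: {status}')
```

Run against the constructed sample, the first link is flagged three times (plain http, displayed domain differs from the destination, and a brand-in-the-name lookalike), the genuine help-center link is clean, and the third link is caught only by the similarity check, which is exactly the case a human eye skims past.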
And here’s a more passive way to stay safe from phishing, which was discussed in full during our last cybersecurity advice post: Make sure your software and browsers are up to date, as security patches are constantly released in response to the loopholes that phishers and other threat actors inevitably discover and exploit.
What Should I Do If I Click Something That May Be a Phishing Scam?
But mistakes happen, and occasionally, the trap is set and the bait taken. First and foremost, Boigon advises, don’t feel embarrassed. Threat actors are getting increasingly sophisticated in their approaches, so it can be easy to fall prey to a phishing lure.
“If you accidentally click a link or supply some information that you now feel suspicious about, notify someone — specifically your IT department or the source where the email was allegedly from,” he recommends. “Don’t delay, as that could be time the threat actors will use to their advantage.”
Bottom Line: Don’t Give Out Your Credentials
When it comes to calls or emails you may receive from Plumas Bank, here’s one key reminder: We will never call out of the blue and ask for your logon credentials.
“Actually, no vendor or service provider needs your logon credentials — not ever. Not even one time because of an ‘error’ or whatever the fraudsters claim,” Boigon assures. “The companies you do business with can manage your account without your logon info. Same goes for account numbers and Social Security numbers. The only time you’re ever asked for that is when YOU call, using the phone number you know is valid — and they’re verifying your identity. So do not supply your information unless you’ve called them. It’s really that simple.”
And if you run a small business: Plan an annual training session about phishing, during which you can talk about all of the tips above.
Appropriately concerned about phishing expeditions? We hear you, and we hope these tips will help calm some of those nerves. Below, find other ways to stay safe during National Cybersecurity Awareness Month — and beyond!