More than 14 million Americans were victims of identity fraud in 2019, and 20 percent of all victims have experienced identity fraud at least once. Beyond the fact that those affected lost nearly $2 billion combined this past year, more than three-quarters of victims reported emotional distress as a result of identity theft.
There are several ways in which criminals can obtain personal information and steal one's identity, one of the most common of which is phishing. Phishing is a tactic in which the scammer pretends to be a legitimate business and asks an individual to confirm personal details. While phishing can be conducted via phone calls, text messages, or social media platforms, it is generally perpetrated via email.
Below are six warning signs that suggest an email might be a phishing scam:
1. The Email Was Sent from a Public Domain
With the exception of small businesses, most companies, especially those that send out automated emails to customers, have their own email domains. For instance, a legitimate email from a utilities company will have the name of that company following the "@" symbol in the email address.
For example, you should be concerned about the authenticity of an email from a sender alleging to be Dominion Energy, which is one of the largest utilities companies in the US, if the sender's address ends in @gmail.com. The name of the sender might even be displayed as Dominion Energy in the account inbox, which is why it's vital to examine the actual email address.
2. The Email Has a Misspelled Domain Name
Further stressing the importance of examining the sender's domain name is the fact that scammers often purchase domain names that are similar to the company they are trying to impersonate. These domain names might have a different letter or two than the original, but can be indistinguishable at first glance. Phia Bennin, the producer of the Reply All podcast, highlighted the ease in which individuals can be victims of these attacks in the episode "What Kind of Idiot Gets Phished?"
As part of an experiment for the episode, Bennin hired ethical hacker Daniel Boteanu, who purchased the domain gimletrnedia.com (as opposed to gimletmedia.com, the podcasting company under which Reply All is produced) and used it to impersonate the producer. The hacker sent out an email that tricked the hosts of the podcast as well as both the president and CEO of Gimlet Media.
3. The Email Contains a Poorly-Written Message
Generally speaking, legitimate companies have teams or professionals responsible for crafting emails with proper syntax and grammar. Emails claiming to be from these companies, then, should raise flags if there are typos or grammatical errors.
Many scammers are from non-English speaking countries. Although they can ensure proper spelling with spell check applications, they may still make errors a native English speaker wouldn't, such as using words in the wrong context.
4. The Email Message Instills Panic
One of the primary qualities of a successful phishing email is its ability to instill fear or panic in the recipient. This sense of panic can cause the recipient to ignore other warning signs and click the malicious link or provide personal information.
Emails of this nature might state that the recipient's account has been compromised and that they need to enter their login details to secure the account. The scammer might also threaten that the recipient's account will be closed if they do not act immediately.
It's best to contact the company via an official email address on its website before responding to these emails.
5. The Email Contains Suspicious Attachments and Links
While some companies do send attachments in emails, most will instead direct the email recipient to download necessary files or documents from its website. However, unsolicited emails containing attachments should be concerning. These are likely phishing attacks designed to install malware on the recipient's personal computer or device. Attachment files that end in .zip, .scr, or .exe are particularly high-risk.
In addition to opening attachments, phishing emails will often prompt the email recipient to click a link that leads to a malicious website or downloads malware. An easy way to protect against this is by hovering the mouse over the link to check out the actual destination address.
An email from Spotify, for instance, should direct the recipient to an address that starts with "spotify.com." Scammers can also code the entire message body of an email as a hyperlink, meaning a deliberate or accidental click anywhere in the email can result in malicious activity. Consider all of the aforementioned tips before clicking one of these hyperlinks.
6. Legitimate Companies Won't Request Sensitive Information via Email
Legitimate companies do not use email to collect or confirm personal information such as passwords or credit card information. If they do use email to confirm such information, they would at least include the recipient's name and encourage follow-up contact by phone. Phishing emails, meanwhile, will often use generic greetings such as "Dear customer" or "Dear valued member."
The Best Defense….
As I point out repeatedly in my book, “What’s The Deal With Identity Theft?”, since there are so many different types of identity theft (including phishing attempts), the best defense is to purchase a comprehensive protection plan that includes RESTORATION services. These plans are inexpensive, and offer trained, licensed professional investigators who will do the heavy lifting for you in terms of restoring your identity to pre-breach status, if you become a victim, or fighting off the effects of an attack, and preventing further fall out or losses.