“I got a message...” That's how stories about hijacked accounts or stolen bank card details often start.
So let’s say you did indeed get a message. From a friend asking you to vote for them in some contest or saying that a photo of yours is being talked about somewhere, or something like that. The message contains a link to a post about the contest or photo. You follow it, enter your account credentials, and then see a message about a technical error. After a while, you find out that you can’t log into your account anymore. It’s been hijacked!
In fact, your friend did not write to you. The message was from a cybercriminal who had already hijacked your friend’s account and used it to lure his or her friends to a malicious website and steal their accounts too.
Instead of a friend, the message might appear to come from some bank security service or tech support team, say, of an entertainment portal you use. The link to the fake page can come via email, a social network inbox, or an instant messenger. In any case, the result will be the same: if you fail to spot the scam, the cybercriminals will get your data.
This type of fraud – an attempt to extract monetizable information from victims – is called phishing.
The most common phishing techniques are in written form – via email, social networks, instant messengers, and SMS. But fraudsters may also try to finagle something over the phone. For example, someone calls you pretending to be from the tax office and asks why large sums are regularly being paid into your card account. You are dumbfounded. They suggest verifying the details of the card in question. If you give the number and the security code on the back, then it’s goodbye to your cash.
How can you spot a scam before it’s too late? The main thing is to be attentive. Remember that a scammer can fake a company logo and portal design, but cannot use the same address as the official site for a phoney phishing page. It may be very similar, but a close look will reveal some differences.
For example, instead of the usual "online.thebestbank.com", you might see "online-bankthebestbank.com". Or a lowercase L might be changed to an uppercase I, b to d, or k to the same letter but with a dot underneath.
As a general rule, before entering any important data, always look very carefully at the site address in the URL. And since fraudsters try to make it as similar as possible to the original, it’s a good idea to enter it yourself manually and not click on any link in a message. It takes longer, but is safer.
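As an added example (not code from the original article), the check below applies the address-comparison advice above to the page's own samples: it treats any subdomain of the real registrable domain as genuine, and flags hosts that match only after visual lookalikes are folded (capital I for l, a dotted k), differ by a single letter (b for d), or merely embed the brand name. The expected host `online.thebestbank.com` and all sample URLs are taken from the text; the registrable-domain rule (last two labels) and the handling of the Unicode display form rather than punycode are simplifying assumptions.

```python
import unicodedata
from urllib.parse import urlsplit

# Hypothetical expected host, taken from the page's example
EXPECTED_HOST = "online.thebestbank.com"

# Characters that imitate a Latin letter (the page's capital I for lowercase l,
# plus digit lookalikes). Applied before lowercasing, because the trick works
# on how the address is displayed, not on DNS case-insensitivity.
CONFUSABLES = str.maketrans({"I": "l", "1": "l", "0": "o"})


def fold(host: str) -> str:
    """Normalise a hostname so visual lookalikes compare equal."""
    # NFKD splits a dotted k into plain 'k' plus a combining mark; drop the mark
    decomposed = unicodedata.normalize("NFKD", host)
    plain = "".join(c for c in decomposed if not unicodedata.combining(c))
    return plain.translate(CONFUSABLES).lower()


def registrable(host: str) -> str:
    """Last two labels, e.g. 'thebestbank.com' (assumption: no co.uk-style suffixes)."""
    return ".".join(host.split(".")[-2:])


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; one swapped letter (b -> d) counts as 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(url: str, expected_host: str = EXPECTED_HOST) -> str:
    """Return 'genuine', 'lookalike' or 'unrelated' for the host in url."""
    netloc = urlsplit(url).netloc.rsplit("@", 1)[-1]  # drop any user:pass@
    host = netloc.split(":")[0].rstrip(".")            # drop :port and trailing dot
    want = expected_host.lower()
    if registrable(host.lower()) == registrable(want):
        return "genuine"  # same registrable domain, whatever the subdomain
    folded, want_folded = fold(host), fold(want)
    brand = want_folded.split(".")[-2]                  # 'thebestbank'
    if (folded == want_folded or edit_distance(folded, want_folded) <= 1
            or brand in folded):
        return "lookalike"  # imitates the real address but is not it
    return "unrelated"


if __name__ == "__main__":
    for sample in ("https://online.thebestbank.com/login",
                   "https://online-bankthebestbank.com/login",
                   "https://online.thebestbanḳ.com/login"):
        print(sample, "->", classify(sample))
```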
Another important point: if you see a red crossed-out padlock or the words “Not Secure” in the URL, do not even think about entering any information on the site. It doesn’t necessarily mean that the site is malicious, but the data you transmit will not be encrypted. And bona fide companies stopped this practice ages ago.
Lastly, it goes without saying that no passwords, security codes, or the like should be given out over the phone, regardless of who the caller purports to be. Only a fraudster will ever ask for secret information!
A friend you've not talked to in a long time writes you on Facebook. She asks you to click on a link so she can pick up some freebies in an online store. You follow the link and are asked to enter your Facebook credentials. What do you do?