Phishing Scams (part 2)
Why you can’t trust a website just because it looks like a legitimate one you’ve used before!
As a continuation of our recent blog post looking at how fraudsters try to trick us with phishing scams, we now explain how they make phishing websites look almost identical to the real thing!
Once you have clicked a link and landed on a phishing website, it is unbelievable just how convincing the scammers make it look, but it is a clone. They use the same logo, the same fonts and the same buttons. If visitors are not suspicious, they are unlikely to worry when asked for sensitive details and data such as a PIN or email password. Cloning websites sounds very technical but, if you are reading this blog on a laptop or desktop, then you’re using super powerful website cloning software right now!
When you click ‘File – Save As’, your web browser will download a complete copy of this page. You might use this feature to save things to read later. But unfortunately, it’s also very easy for fraudsters to use the saved file to create a phishing site.
So remember, you can’t trust a website just because it looks like a legitimate one you’ve used before.
A fraudster running a phishing scam wants to get as much information about you as possible, so they can make money off you.
They’ll be interested in getting information such as:
- Your card details: your card number, expiry date, PIN, and CVC
- Your home address
- Your email address and password
- Your National Insurance number
- Your bank account details: your account number and sort code
- Answers to classic security questions like the name of your first pet or your mother’s maiden name
The most obvious thing on this list is your card details. With your card number, expiry date, and CVC in hand, fraudsters can go on an online shopping spree and buy anything they want with your money! The rest of the list is a little less obvious – why would a fraudster want your email address and password? Would they really want to read all of your unread emails?!
Yes, they would! Fraudsters could steal your money, even if they don’t get your card details!
If someone else has access to your emails, then they can potentially reset your passwords for your other online accounts and log in there as well! In particular, they would want to target your online banking and transfer your money to their account, and they may even apply for a loan in your name!
The scary thing is that even if the fraudsters didn’t get all of the information that they need straight away, they will still have learnt a lot about you, even if you stopped halfway through. With this information they can craft an even more convincing phishing attack that is customised just for you!
Some fraudsters use the information to try and trick you into sending them your own money!
With some information about you, they may call and pretend to be your bank or even the police! They’ll use everything they know to convince you that they are legitimate. Because they know so much about you, they can seem very credible.
This type of scam (where you’re tricked into giving away your own money) is known as authorised push payment (APP) fraud.
Getting your money back can be very difficult if you’ve been scammed into sending it to another account. Bank transfers are instant, meaning they’re almost impossible to cancel. And the fraudster can quickly move the stolen money elsewhere before they’re caught.
Once a phishing site is found, it can take a while for it to be taken down. This process often takes a few hours, sometimes days or, at worst, weeks.
But the good news is that there are 4 easy steps you can take to keep your accounts secure, even if you do fall for a phishing scam.
1. Never give out your email password
There’s no reason for any website to ask for your email password, except for your actual email provider.
2. Set up “Two-Factor Authentication” (2FA) on your email account
If you set up 2FA, even if you fall for a phishing scam and tell a fraudster your password, they still won’t be able to log into your account!
Most email providers offer this feature. If you turn on 2FA, you’ll need to give two pieces of information whenever you log in to your email account.
Here are some guides on how to turn on 2FA with common email providers:
3. Follow warnings from your web browser
If you click on a link and see a warning, listen to it! It’s extremely unlikely that the site you’re visiting is real. Just remember, if you don’t see a warning, that doesn’t mean the site’s real.
4. Take your time. And, if in doubt, double-check!
Fraudsters make their messages sound very urgent and alarming, to try and panic you into believing them before you realise it’s a scam.
Real companies won’t try to rush or panic you. So if you suspect a message might be phishing, it’s always better to reach out to the company that supposedly sent it to double-check if it’s real.
Keep vigilant! Keep safe!