So, you’re checking your email as you usually do, and you see an email from what looks to be a usual email contact - your phone or internet provider, Spotify or Apple Music, Amazon, or any other service with billing information attached to it. “Payment declined” reads the email heading, and you anxiously open the email, click on the appropriate link, update your billing information in what looks to be the usual web-portal for the service, and you close the page, relieved that it seemed to just be an error in processing that triggered the email.
You may have just fallen victim to a phishing attack.
A phishing attack, or scam, is defined as “the fraudulent attempt to obtain sensitive information...by disguising as a trustworthy entity in an electronic communication” (Wikipedia). Essentially, it’s a malicious contact disguised as one from a usually trustworthy source. If you read our blog post on how to be safe during tax time here, the given example of someone impersonating a CRA representative is a type of phishing scam. Phishing scams can take more than a few different forms: one might disguise itself as an email from Netflix stating that you need to reset your password, with a link provided for your convenience. This would most likely take you to a form, similar to the Netflix website in colour and branding, asking you to enter your current password, and then choose a new one. In this example, this would result in someone else having access to your Netflix account, and all the details it holds. While that might not seem like the most serious situation, a phishing scam can have serious implications if you fall victim to it.
Assuming the scam in the Netflix example was successful, and you ‘reset’ your Netflix password using the fraudulent link provided, this would give the scammer your existing password to Netflix, as well as the replacement password you entered. If, like most people, you reuse passwords, this gives the scammer access to more than just your Netflix account. If one of the two passwords was attached to a social media account, such as Facebook, the scammer can now access another website that holds even more of your personal information - friends, the names of pets, and old conversations with friends and family. This information could give them the answers to security questions with other services, such as your email and online banking - that is assuming that one of the passwords given was not already for one of those services. More serious scams will ask for credit or debit card information, or even a Social Insurance Number - the results of which can be exceptionally damaging to your credit rating, your bank account, and your mental health.
Now for the important question: how do you protect yourself? The short answer is to call the service provider in question - from a phone number on their publicly available website - and ask to speak to a representative. They should be able to confirm whether or not the email is authentic. Another solution is to pay attention to the details of the email you’ve received: are there spelling errors, odd phrasing of words, or missing images? As an example, we have a real phishing scam email attempting to steal information for a Telus account:
If you look closely at this email, a few things jump out: first, there is a lack of the usual images included in a Telus email, and it looks like the formatting in the email’s footer is off in some way. Second, the button reads “Click here to My Account”, which should read “Click here to go to MyTelus”. The incorrectly phrased English is usually a dead giveaway. Additionally, when hovering the cursor over the button, we can see what it links to:
This is clearly not a link to an authentic Telus service. If we look at the email address, it reads similarly, if not quite as obviously:
The @telus.net email address is a consumer email that anyone can sign up for. If we examine a previous email that is actually from Telus, the address it is sent from reads as:
As we can see, this email is sent by ‘firstname.lastname@example.org’, not 'INFO@telus.net'. If you compare a previous email from your service provider to one you think might be a phishing scam, and if the emails differ at all, you have reason to be suspicious.
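The two checks the post walks through by hand, looking at where the button really links and whether the sender's domain belongs to the brand, can be applied to a saved message automatically. The script below is an added example, not from the original post or from Telus; the trusted-domain list and the sample message are constructed assumptions modelled on the email described above.

```python
# Added example: flag a saved email whose From: domain or link hosts fall outside
# the brand's own domains, the same checks the post performs by hovering and reading.
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption (hypothetical): domains the real provider sends from and links to.
TRUSTED_DOMAINS = {"telus.com"}

# Constructed sample modelled on the phishing email described in the post.
SAMPLE_EML = """\
From: Telus Billing <INFO@telus.net>
To: customer@example.com
Subject: Payment declined
Content-Type: text/html; charset="utf-8"

<html><body><p>Your payment was declined.</p>
<a href="http://my-telus-billing.example.net/login">Click here to My Account</a>
</body></html>
"""


class LinkCollector(HTMLParser):
    """Collect every href from the HTML body (what 'hovering' reveals)."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs.extend(v for k, v in attrs if k == "href" and v)


def registrable(host):
    """Crude registrable domain: 'billing.telus.com' -> 'telus.com'."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def check_email(raw, trusted=TRUSTED_DOMAINS):
    """Return human-readable red flags; an empty list means nothing was flagged."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    sender = msg["from"].addresses[0].domain  # domain of the From: address
    if registrable(sender) not in trusted:
        findings.append(f"sender domain {sender!r} is not one of {sorted(trusted)}")
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = LinkCollector()
        collector.feed(body.get_content())
        for href in collector.hrefs:  # compare each real destination to the brand
            host = urlparse(href).hostname or ""
            if registrable(host) not in trusted:
                findings.append(f"link {href!r} points outside the trusted domains")
    return findings
```

Run against the constructed sample it reports both the consumer @telus.net sender and the off-brand link; a message that passes still deserves the phone call the post recommends, since a lookalike domain list is only as good as what you put in it.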
That, in short, is how to spot a phishing scam. A lot of this relies on using your intuition - for example, would Netflix need your Social Insurance Number? Why do you need to enter your credit card information to reset your password? Don’t be afraid to pick up the phone and call someone from the company that you suspect is being impersonated. If you get an email from a service provider and the language used seems like it was written by someone without a firm grasp of the English language, or there are spelling errors, or the formatting seems off, be skeptical! And lastly, never reuse passwords. One of the absolute best ways to protect yourself from scams like this is to use a password manager, such as LastPass. These services generate a strong, unique password for every account you use and store them in an encrypted vault, meaning you only have to remember one password: the password to the password manager. To be truly secure online, it can be a good idea to have three passwords: one for your email, one for the password manager, and one for your online banking. This means that in the event that you forget the password to the password manager, you are still able to access your email - and banking - and regain access to the manager by contacting support, and if your email is compromised your banking information is safe, as are all your other passwords.