If you’ve never received an email from an uncle who died and left you a million dollars, or one that informed you of lottery winnings from a draw you never entered, I’d be willing to guess that you probably don’t have an email address. What started in the ’90s as bulk emails from companies willing to lengthen your member is now a daily barrage of emails on different subjects, offering you gold, frankincense and myrrh.
Spam is one thing, phishing is another. Spam is when companies/people send you unwanted emails without your permission, often after buying email lists from random companies, just on the off chance that someone might buy their product. Phishing is when a company sends targeted emails in order to try to steal your personal information.
These lottery-winnings and passed-relative scams are two-fold. There tends to be an “admin fee” that you have to pay in order to receive these funds. Obviously, if you do send the money onward, you’ll never see it again. But more importantly, they generally ask you to fill in some information “for their paperwork”, involving items that would generally be asked for in a credit application: name, address, address history for the last five years, etc. If you have only lost a bit of money, you can count yourself lucky, because the bigger scam is that they’ll steal your personal details and use them to apply for credit in your name, stealing your identity and destroying your credit rating.
But we’re all smarter than that right? We can easily identify these scams, right?
What about when your bank emails you to update your details on their records? You’ll dutifully do so, happily clickity-clicking the link on the email, filling in your most up to date information and then you sit down with a cup of tea and a biscuit, watching Criminal Minds. All’s good in the hood.
What about when PayPal/iTunes/Netflix/etc sends you an email saying that they have detected fraudulent activity on your account and you need to log in to confirm/deny it was you? They’ll oh-so-politely provide a link in the email which you follow, shocked that someone dared to try to abuse your account and glad that the provider has been so proactive in catching these awful criminals. Another cup of tea, another biscuit, this time RuPaul’s Drag Race. It’s all good.
Is it though?
The thing is, as we as consumers become more aware, scammers and fraudsters (for the lack of a better word) become more clever and more advanced in their attempts.
No reputable bank will just email you (or phone you) asking for your details. You will never need to reveal passwords, PIN codes, security questions or personal details over any medium you don’t want to.
“But it came from iTunes” – did it though? You know how – if I send you an email, it’ll show as coming from ‘Susanna | Ordinality’. But you can’t see my email address (firstname.lastname@example.org). That ‘Susanna |’ part can be amended. I could put in ‘iTunes customer service’ or ‘email@example.com’ with just a few clicks and it would, on the surface, look like it came from iTunes. But if you click ‘show more’ (or something similar), you’ll see the actual email address the email came from. Actual iTunes emails come from @apple.com email addresses. Scams often come from ‘firstname.lastname@example.org’ or something completely unrelated. Sometimes they can come from @apqle.com or @diddles.apple.com addresses, which almost look genuine but definitely are not. Now, look at the link they sent you. Does it look genuine? Well, hover over (don’t click!) the link. Look at the bottom left of your browser: what shows up there? Like, if you look at this link right here, what does it say there? It should show up as http://www.snopes.com/ – what shows up there is the actual address your click will lead you to. Check that it ties in with what you know to be the real address: https://www.netflix.com, https://www.paypal.com and so forth. (Note that the s at the end of the http bit is important; this means that their domain provider considers them a secure website.)
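The two checks described above (the address behind the display name, and where a link really leads) can also be run over a raw message. This is an added example, not part of the original post; the lists of known domains, the sample messages and the names `check_email` and `LinkCollector` are assumptions made for illustration.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: the exact sender domains and link hosts you already know are real.
KNOWN_SENDER_DOMAINS = {"itunes": "apple.com", "netflix": "netflix.com"}
KNOWN_LINK_HOSTS = {"www.netflix.com", "www.paypal.com"}

class LinkCollector(HTMLParser):
    """Collects every <a href>: the address a click really leads to."""
    def __init__(self):
        super().__init__()
        self.hrefs = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs += [v for k, v in attrs if k == "href" and v]

def check_email(raw):
    """Return warnings for one raw message (headers plus HTML body)."""
    msg = message_from_string(raw)
    display, address = parseaddr(msg.get("From", ""))
    domain = address.rpartition("@")[2].lower()
    warnings = []
    # The display name is free text; only the address behind it counts.
    for brand, real_domain in KNOWN_SENDER_DOMAINS.items():
        if brand in display.lower() and domain != real_domain:
            warnings.append(f"name says {brand} but address is @{domain}")
    collector = LinkCollector()
    collector.feed(msg.get_payload())
    for href in collector.hrefs:
        url = urlsplit(href)
        host = (url.hostname or "").lower()
        # What hovering would show: flag anything not https on a known host.
        if url.scheme != "https" or host not in KNOWN_LINK_HOSTS:
            warnings.append(f"link leads to {url.scheme}://{host}")
    return warnings

# Constructed sample messages, not real mail.
FAKE = ("From: iTunes customer service <billing@apqle.com>\n"
        "Content-Type: text/html\n\n"
        '<a href="http://login.example/itunes">Confirm your account</a>\n')
REAL = ("From: Netflix <info@netflix.com>\n"
        "Content-Type: text/html\n\n"
        '<a href="https://www.netflix.com/">Open Netflix</a>\n')

if __name__ == "__main__":
    for name, raw in (("FAKE", FAKE), ("REAL", REAL)):
        print(name, check_email(raw))
```

An empty result only means none of these mismatches were found; navigating to the site yourself in a new tab remains the safer habit.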
“But I didn’t buy that thing via PayPal! I need to let them know!/my bank really needs my new details NOW!” So much nope.
Banks, PayPal, Netflix, ANY reputable company or person will never be insulted by you wanting to be certain who they are, declining to give information over the phone/email, and phoning back on a number you recognise/know.
For example, I got a phone call from “my bank” from an unknown number when I was abroad. Before they’d tell me what their call was about, I’d need to go through a few security questions. I politely declined and stated that I will not give out personal details over the phone when the call is from an unknown number/number I do not recognise. I then ended the call, logged onto my banking app and phoned them through there. There was no call logged on their system.
On another occasion, I received an email from Netflix, stating that there had been a suspicious login and they had blocked my account. I’d need to update my password with them. With a link attached. I didn’t click on the link but deleted the email, opened Netflix in a new tab and updated my password details there. The email was real, but I did it anyway.
“But we should be able to trust our emails/calls!” Yes, we should. But the reality is that we can’t. Because it’s everywhere. There are criminals around the globe, targeting regular people like you or me. Vulnerable people are especially, well, vulnerable. My gran & granddad didn’t grow up with the internet. They don’t necessarily fully understand the kind of people who send out emails. They don’t necessarily see that these fraud/phishing emails are sent to thousands of unsuspecting people.
You can keep yourself safe online. There are simple steps you can take.
*Never click on links in emails to update your details. If you need to check your account, update bank information etc, open a new tab and navigate to the main site from there (see Netflix above).
*Never give out personal details on incoming calls. Tell the caller you’ll phone back on a number you know is correct. If they get angry, hang up – they’re a scammer.
*Don’t reply to emails offering loans etc – forward them on to 7726 (that’s SPAM for you oldies!), which generally works on every carrier.
*Do not send money via Western Union. This payment method is widely used in Africa, but is incredibly insecure. Anyone who has your name or reference number can go and intercept your transfer to get to your money.
If you have been a victim of fraud, do not let it lie. It can be embarrassing, but it happens. Contact Action Fraud as soon as possible, report the crime and then share your experience. Only by spreading the word can these scams be stopped.
Do you have any tips on how to avoid cyber crime?