Early one Sunday morning, my editor, Yahoo Finance’s Erin Fuchs, checked her personal email and was surprised to find a message from PayPal (PYPL). The missive said she had recently changed her password, and asked her to call a phone number if that wasn’t the case.
It wasn’t, so Fuchs called. The email had come from a “firstname.lastname@example.org” address and included a link to the PayPal website. However, she became suspicious when the person on the other end of the line asked for her credit card information to “verify her account.”
It doesn’t matter who you are or what email service you use. If you have an email account, you’ve received some kind of scam, or phishing email, just like my editor.
Most of the time, these emails are relatively easy to spot. Some African prince or other wealthy individual wants to send you money until he can make it to the US. You just need to send your bank account information and Social Security number.
But criminals are quickly changing their tactics, firing off more sophisticated emails in an attempt to trick you into giving away your personal information. According to Gary Davis, chief consumer security evangelist at Intel (INTC) Security, in a recent study, more than 19,000 people were asked to look at 10 emails and identify which ones were scams. Only three percent of them were able to find all of the phony messages.
Worse still, some phishing messages contain ransomware, which locks down your entire computer until you pay the culprits a ransom.
Yes, it’s a scary world out there. But there’s hope. If you follow some of these quick tips, you’ll be able to stay one step ahead of the bad guys.
Read the subject line and sender’s address
Phishing emails are designed to sucker as many victims as possible. They cast a wide net by covering topics like banking and package deliveries—two things most people generally receive emails for.
You should be on high alert if you get a message from an unknown sender with a subject line mentioning changes to your bank account—or that you need to pick up a package that can’t be delivered—and you aren’t expecting either of those things. It’s probably a phishing attempt.
Just delete the message and move on with your life.
Hover over links
Okay, so you can’t remember if you changed your bank account info or aren’t sure if you have a package in the mail, so you open the email. That’s cool. As Intel Security’s Gary Davis explains, it’s rare that just opening a message executes any kind of code on your computer.
The message, however, tells you to click a link to check out the changes to your account or the status of your package. What do you do? Simple: Hover your mouse over the URL. When you point to a link without clicking, most web browsers and email programs automatically display the web address that link will open. If the email says it’s from your bank or delivery service, but the link points to a different site, don’t click it.
Urgency is suspect
A good number of phishing emails try to get you to act before you think—by adding a sense of urgency to their messages. An email telling you to log into or verify information for your bank or other account labeled “Final Warning” or “Urgent Notification” should set off warning bells right away.
Kevin Haley, director of product management for Symantec’s (SYMC) Security Response, explains that you should be suspicious if you receive an email with a URL or attachment that is trying to get you to click on something right away.
Russian agents are widely considered to have used this exact method to break into the Democratic National Committee’s servers via a phishing email.
So if you get a message telling you to do something instantly, ignore it. If you think it’s legitimately from your bank, skip the link and just go directly to the company’s website.
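As an added example that is not part of the article, here are the “hover over links” and “urgency is suspect” checks applied automatically to a constructed sample message: it compares where each link really opens with the sender’s domain and with the address the link text claims to show, then scans for pressure words. All names and addresses are made up, and the owning_domain helper is only a rough stand-in for a real registrable-domain lookup.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

# Constructed sample (not from the article): the sender claims to be a bank, the
# visible link text shows the bank's site, but the real href points elsewhere.
SAMPLE_EMAIL = """\
From: "Example Bank Security" <alerts@examplebank.example>
Subject: URGENT NOTIFICATION: verify your account now
Content-Type: text/html

<p><b>Final warning</b>: confirm within 24 hours or access will be suspended.</p>
<p><a href="http://examplebank.example.login-verify.example/confirm">
https://www.examplebank.example/secure</a></p>
<p>Or visit <a href="https://www.examplebank.example/help">our help page</a>.</p>
"""
URGENCY_WORDS = ("urgent", "final warning", "within 24 hours", "suspended")
# Simple anchor pattern for the demo; real mail needs a proper HTML parser.
LINK_RE = re.compile(r'<a\s+href="([^"]+)"[^>]*>(.*?)</a>', re.S | re.I)


def owning_domain(host):
    """Last two labels of a hostname; a crude stand-in for the registrable domain."""
    return ".".join(host.lower().split(".")[-2:])


def analyze(raw):
    """Applies the 'hover over links' and 'urgency' checks; returns findings."""
    msg = message_from_string(raw)
    sender_domain = owning_domain(msg["From"].rsplit("@", 1)[-1].rstrip(">"))
    body, findings = msg.get_payload(), []
    for href, text in LINK_RE.findall(body):
        host = urlparse(href).hostname or ""
        text = text.strip()
        # What hovering reveals: compare the real destination with the sender...
        if owning_domain(host) != sender_domain:
            findings.append(f"link opens {host}, not the sender's {sender_domain}")
        # ...and with the address the link text claims to be, if it shows one.
        shown = urlparse(text).hostname if text.startswith("http") else host
        if shown != host:
            findings.append(f"link text shows {shown} but opens {host}")
    hits = [w for w in URGENCY_WORDS if w in (msg["Subject"] + body).lower()]
    if hits:
        findings.append("urgency language: " + ", ".join(hits))
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EMAIL):
        print("SUSPICIOUS:", finding)
```

The benign help-page link in the sample produces no finding, which is the point: only links whose destination disagrees with the sender or with their own visible text get flagged.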
Hooked on phonics
The easiest way to identify a phishing email is if it’s loaded with grammatical or spelling errors. As Microsoft points out in its phishing email primer, legitimate businesses hire professionals to ensure that communications with customers are mistake-free. Criminals? Not so much. So if you get an email that’s strangely formatted, and is loaded with enough grammar issues to drive your fifth-grade English teacher insane, delete it.
Patience is a virtue
A lot of people fall victim to phishing emails because they’re simply in a rush. They’re in the middle of cooking dinner and taking care of two toddlers, see an email from their bank and BAM, that’s that. So how do you fix this? Just take a few minutes, breathe, and read your emails carefully. That’s pretty much it.
What to do when you’re hooked
So you’ve clicked a link or downloaded an attachment in a phishing email. You’re done for, right? Not exactly.
Both Davis and Haley suggest that if you realize you’ve been the victim of a phishing scheme and you’re fast enough, you can change your passwords on any affected websites before the criminals get access to your accounts. If you can’t do that, your best bet is to disconnect your computer from the internet and run an antivirus program.
Disconnecting your computer (like turning off WiFi) ensures that any malware you downloaded can’t communicate with its home server and steal your information; meanwhile, the antivirus program takes care of anything on your machine. You should also enable two-factor authentication on your accounts, which requires that you enter both your password and a second string of characters usually sent to your smartphone via text or an app, to keep people from accessing your information.
If, however, you’ve given your private information to someone via email, well, your best bet is to use a credit-monitoring service to make sure that no one is opening credit-card accounts in your name.
Email Daniel at email@example.com; follow him on Twitter at @DanielHowley.