A recent WatchGuard Technologies survey showed that 86% of UK companies expect an increase in cyberattacks in the next 12 months. One big threat in particular is phishing attacks linked to COVID-19, which have recently been gaining popularity among scammers once again. Find out how to discern scam attempts using these tips from Dmytro Volkov, CTO of the international crypto exchange CEX.IO.
Even though payment systems and banks do everything they can to protect their clients, fraud flourishes on the global network. And most financial losses are attributable not to direct break-ins to online banking systems or to hacking, but to phishing. Fortunately, there are some simple rules that can help recognize a scam site and avoid losing money.
What Is Phishing?
Phishing is a method of deceiving someone into willingly sending a scammer money or valuable information. That’s exactly why it’s so hard to get your money back after a phishing attack—you took the action yourself and made the transfer. One widespread phishing method is to create a similar (ideally identical) website. Social engineering is used to lure people to the fake site. Cybercriminals carefully think through the user’s interaction with their portal to push them toward making the payment as fast as possible, without a second thought.
All sorts of sites can turn out to be phishing sites: from fake online marketplaces to financial services, such as crypto exchanges or even credit companies. But with a cool head and an attentive eye you can recognize scams without fail.
5 Signs of Phishing
Phishing sites and messages are typically jam-packed with super-sweet deals. Very often, you will magically find yourself on the site in the last 5 minutes of an amazing sale, or you’re offered one of the last discount subscriptions. Lately, one popular offer has been an “exclusive investment opportunity” with doubled returns. And while these sorts of marketing ploys don’t always point to a scam, scammers use them very often, because an exclusive offer, presumably from a famous company, makes us less vigilant.
Unexpected emails or messages
Agents inviting you to a phishing site will often appear in your email or messengers unexpectedly. They may be people you know writing messages in an unusual tone (rather, someone is writing in their name after hacking their account), or strangers purporting to be company support staff or managers. For example, at CEX.IO we make sure to stress to users that our exchange’s staff will never provide support over Telegram and do not send messages first. If someone sends you a personal message uninvited, they’re definitely trying to deceive you.
Criminal groups very frequently use relatively unknown payment systems, small banks, and other methods of withdrawing funds. If the payment method is unfamiliar or seems suspicious, check whether you have an encrypted connection and whether the site’s certificate is valid. Your browser will typically display this information on its own and warn you of insecure connections. You can also search up the payment service and verify that it exists and is licensed. Pay attention to the recipient’s name, too: it should match the name of the store or service where you’re making the purchase. For example, if you are buying rail tickets, the recipient should be National Rail or your travel agent.
Suspicious calls or texts
You can get real texts from a company, but with phishing, they come from unfamiliar addresses and suspicious numbers. The spoofed site will also have the wrong numbers. By verifying the number through search, you can detect scammers trying to get you to transfer funds to their account.
If you receive a call and are being asked to provide some information, such as your name, date of birth, password, or texted code, don’t give them anything in response, because you can’t be sure you’re talking to a company representative, not a scammer. Instead, ask for the employee’s internal extension and call back. Scammers will do everything they can to dissuade you, citing urgency or the threat of losing all your money if you don’t answer right away.
Differences in site design
It’s very difficult to make a complete clone of the website for a major payment system, bank, exchange, or online store. That is why scammers typically copy only a few pages that will lead their victim to the payment part. There are often no sections at all on these sites, or they don’t open or turn out to be blank.
How to Avoid Scams
The recommendations for combating phishing are universal. They include five simple steps you need to take if something seems suspicious.
Step 1. If you are looking to make a purchase or payment, rather than just browsing or reading, don’t follow links from emails or messages. It’s better to find the site yourself through search. Verified and real sites will be in the first few search results, and the search engine (say, Google or Bing) puts a special symbol to mark verified sites.
Step 2. Before heading to payment, check the URL in the browser’s address bar. If, for example, instead of CEX.IO you see something like CEEX.IO or CEX.RO, someone’s trying to trick you. Go to the site you need directly by fixing the URL. Also check the site’s certificate by clicking to the left of the address bar. An unexpired, high-level certificate guarantees that you are on the real site.
Step 3. Carefully read through the payment form before inputting your card information. Check not only whether the amount is correct, but also the name of the bank and the recipient. If instead of the seller company’s name the recipient field shows some questionable company or even a private individual, do not proceed with payment.
Step 4. Click into various tabs on the site. Make sure they actually work and have real information, not just the payment form. In addition, browsers typically warn users of insecure connections, suspicious sites, and other threats. Don’t ignore these warnings.
Step 5. If you receive a sudden call or message from employees of a service, payment system, exchange, or bank, don’t provide personal information over the phone. Call the company back, using the numbers they list on their official site, and get it taken care of yourself. And if you realize that you’ve already shared personal data without verifying the person on the other end, change your username and password for the site, just in case.