How to Protect Yourself from Phishing (pronounced: fishing) Scams

By Bryan Bardwell, Oxford’s Security and Privacy Officer

Don’t get hooked by crooks! Our latest blog post outlines several ways to avoid online scams.

Even in the relative safety of our homes, the world can be a dangerous place. Scammers will attempt to trick you and steal your personal information through various means, such as deceptive phone calls, going through your trash, or with fake emails, just to name a few.

In the digital age, one of the most dubious online scams is known as “Phishing”. Thieves send an email to target victims, often to thousands of people at a time. On the surface, the email appears to be a legitimate contact attempt, but is really a fraudulent message. When links within the e-mail are clicked or an attachment is opened, it triggers computer scripts that automatically download a virus or malware onto your computer. These viruses can capture personal information, such as your User ID and Password logins, bank details, Social Security numbers and credit card account information.

Phishing is a huge threat to homes and businesses because of the vast amount of important information most users store on their computer(s). The messages may differ, but ALL Phishing scams will have some sort of urgency involved in the message, such as: “If you do not confirm your User ID and Password by 4pm, we will be forced to lock you out of your computer.”

How To Avoid Phishing Scams 

  1. Scan your e-mails carefully and look for grammar mistakes and other inconsistencies.
  2. Verify the email sender’s address to confirm it was sent from a legitimate source. Most phishing scams will try to fool you with similar email addresses, but the email domain name (e.g. Bob@xyzbank.com) should match the web address of a real company.
  3. In addition, secure websites that require a login will all begin with https:// – That “s” indicates the site is Secure. (For example, Gmail’s email server is https://mail.google.com/mail). Always look for https:// if you’re asked to enter a User ID and Password to access a website. Legitimate secure sites will include all banks, credit card companies, and other email providers (such as Outlook, Yahoo, and Hotmail), as well as shopping websites like Amazon, Target, Walmart, eBay, etc.
  4. Email fraud can be the easiest of all thefts – by simply adding Click Here somewhere in the email text, many victims are enticed to click on the link, and are then directed to a website that is not legitimate. The fake website may have similar graphics or logos to a real company, and will ask for your User ID, Password or to verify personal details. If you comply, it could compromise your computer. But there is an easy way to see through this type of click-through scam: To view the web address behind a “Click Here” link, hover over the link with your mouse without clicking it. A small window will pop up with a URL, such as https://www.xyzbank.com, as shown below.
  5. If you suspect that an email is a phishing attempt, play it safe – DO NOT open any attachments or click any links.

Hover your pointer over a link to see the destination website address.

What to Look For

Here is an example of a Phishing email:

Example of a Phishing email

What are the RED flags in this Phishing email?

  • Look for inconsistencies in the From: – is it a legitimate email address?
  • Check for an attachment. It will appear under the Subject: line. DO NOT open it if you are unsure of who is sending you this information. Be very careful of .zip file attachments in any email.
  • Hover over Click Here to see the website where the link will take you. If you see a number or “http:” instead of “https:”, DO NOT click links or go to the site.
  • Note that there is no personal sender information (name, address, phone, email) signature in the email.

Failure to notice these telltale signs could result in “Phishers” gaining access to your private account information or other personal data.
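The same red flags can be checked by a script before a message ever reaches a reader. The following Python sketch is an added example, not part of the original post: it parses a constructed sample email and reports a sender domain that does not match the expected company, links that are not https, links that point at a bare number, and .zip attachments. The function name `red_flags`, the flag labels and the sample message are assumptions made for illustration; xyzbank.com is the placeholder bank used earlier in this post.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message for illustration only (not a real email).
SAMPLE = """\
From: XYZ Bank Support <support@xyzbank-secure.example>
Subject: Confirm your User ID and Password by 4pm
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html

<p>Your account will be locked. <a href="http://192.0.2.10/login">Click Here</a></p>
--b1
Content-Disposition: attachment; filename="statement.zip"

constructed placeholder content
--b1--
"""

class LinkCollector(HTMLParser):
    # Records the real destination (href) behind every link, like hovering does.
    def __init__(self):
        super().__init__()
        self.hrefs = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs.append(dict(attrs).get("href") or "")

def red_flags(raw, expected_domain):
    """Return the red flags found in a raw email (hypothetical helper)."""
    msg = message_from_string(raw)
    flags = []
    sender = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if sender != expected_domain and not sender.endswith("." + expected_domain):
        flags.append("sender-domain-mismatch")
    for part in msg.walk():
        if (part.get_filename() or "").lower().endswith(".zip"):
            flags.append("zip-attachment")
        if part.get_content_type() != "text/html":
            continue
        links = LinkCollector()
        links.feed(part.get_payload())
        for url in map(urlparse, links.hrefs):
            if url.scheme != "https":
                flags.append("link-not-https")
            if (url.hostname or "").replace(".", "").isdigit():
                flags.append("link-numeric-host")
    return flags
```

Calling `red_flags(SAMPLE, "xyzbank.com")` reports all four flags for the sample. The missing personal signature is not checked, since that still takes a human reader.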

Other Resources

To help combat Identity Theft, the Internal Revenue Service offers “Seven Steps for Making Identity Protection Part of Your Routine”.

  1. Review your credit card and banking statements carefully and often. Neither your credit card, bank nor the IRS will send you emails asking for sensitive personal and financial information, such as asking you for updates to your account.
  2. Review and respond to all notices and correspondence from the Internal Revenue Service.
  3. Review each of your three credit reports at least once a year. Visit annualcreditreport.com to get your free reports.
  4. Review your annual Social Security income statement for excessive income reported. You can sign up for an electronic account at SSA.gov.
  5. Shred any documents with personal and financial information.
  6. Review your health insurance statements; look for claims you never filed or care you never received.
  7. If you receive any routine federal deposits such as Social Security or VA benefits, you probably receive those electronically. You can use the same direct deposit for your federal and state tax refund, which is safe and secure.