This article is by Adam Baker, a new GRS Staff Writer. In addition to writing for Get Rich Slowly, Baker blogs over at Man Vs. Debt, where you can find his personal background story and read more of his writing.

Last week, I adjusted several preferences on my PayPal account. I added and verified a new e-mail address and swapped my linked bank account. Shortly after finalizing the changes, I received a brief e-mail from PayPal stating that I needed to log in to verify my account.

Nothing seemed suspicious at first. But after closer examination, I noticed that the message was requesting that I log into a client provided within the e-mail itself. “That’s weird,” I thought. Then it hit me: A well-timed phishing attack had just penetrated my e-mail account’s spam filter. I couldn’t believe how similar it was to the legitimate e-mails I’d received earlier that day confirming my account changes — or how perfect the timing of the attack was.

Fortunately, I had previously been exposed to the basics of this type of scam. I reported the attack by forwarding the message to PayPal and then immediately deleting it. Nevertheless, I realized how easy it would have been for me to fall for this phishing scam, especially given the luck of the timing. Hopefully, by increasing awareness of these scams, we can decrease the chance that others will fall victim.

What exactly is a phishing scam?
“Phishing” is the process by which a criminal disguises himself as a trusted entity in order to fraudulently obtain sensitive information. Although phishing can occur in many forms, the most common of these attacks involves the creation of an e-mail, one which prompts the recipient to enter specific personal information. This allows the criminal to “catch” the resulting data.

Phishing is relatively young. The first major cluster of phishing activity focused on obtaining information through America Online accounts only 15 years ago. As online banking becomes more popular, many of the new attacks have been targeting this segment of the industry. Over the last five years, the frequency and intensity of these scams have exploded. Sadly, as a recent article in Business Week pointed out, the current recession has only spurred this upward trend.

What information are thieves looking to catch?
Most attacks target very specific information. This is often a simple username/password for the particular online site being impersonated. (In my case, the scam was only targeting my PayPal username and password.) Because far too many people use only one standard password across many accounts, thieves are frequently able to compromise many other accounts for a single victim.

Although it’s rarer, some attacks attempt to steal broad personal information. This may include your:

  • social security number
  • date of birth
  • driver’s license number
  • banking PINs

This information is often compiled into a database, which can later be used to open fraudulent accounts or apply for new lines of credit. This highly targeted process of building a profile on a specific individual is often referred to as spear phishing.

How to spot a phishing scam
In the past, distinguishing these scams from legitimate e-mails was much easier. They often contained obvious typos, short or broken sentences, and disjointed formatting. Unfortunately, it didn’t take long for the scammers to refine their skills. Most of today’s attacks use meticulously detailed corporate replicas.

Tip: Take extreme caution with any e-mails that contain typos, have unusual formatting, or contain poor English. However, it’s important to realize that you can no longer rely on these factors alone when determining authenticity. The majority of attacks these days appear extremely genuine.

Of the attacks that target a specific online account, there are two primary methods used to capture your data. The majority of these will urgently prompt you to follow a hyperlink to log in to your account. These embedded links will either forward you to a basic login client, or go as far as to create elaborate rip-offs of the genuine brand’s homepage.

Rather than redirecting you to another site, a portion of phishing attacks will provide the login client embedded within the e-mail itself. This was the tactic that tipped me off to the fraudulent PayPal e-mail I received last week. The e-mail stated, “For your convenience, you can log into your account using the secure fields below.” How nice of them!

Tip: Major account providers and banking institutions will never ask you for your account information via e-mail. Instead of clicking suspicious links, type the website’s address into your browser directly and ensure that you are logging into a secure page. Never log into an e-mail-based application or client.

Another less common — but effective — tactic involves requesting that the recipient call a fraudulent customer service number for urgent account information. Once dialed, the automated system will ask the victim to enter information such as account numbers, security PINs, expiration dates, and even passwords. Many people are more susceptible to this form of phishing because they’re accustomed to automated phone systems when calling customer service.

Tip: Always verify customer service numbers by visiting the original site. Be extremely wary of automated systems that ask for more than your basic account number. Never enter your password or security PIN into an automated phone system. When in doubt, attempt to bypass the system and speak with a representative directly.

Phishing scams can also be identified through common trends in phrasing. The following examples should send up red flags:

  • Extreme Urgency: Phishing attacks often use some sort of urgent time-frame in order to increase the chance you respond. They might, for example, state that you need to log in “within 24 hours” or “by Thursday at 12:00 a.m.”
  • Account Restrictions: Many attacks will claim that access to your account has been (or soon will be) closed. They use phrasing such as “to restore access to your account” or “to prevent your account from being closed.”
  • Security Issues: Ironically, attacks often refer to a security threat or breach. Some will explain that you need to log in to update your security settings. Others may urge you to download and install a “security update” that is really a keylogger or other form of malicious software.
  • Bonuses or Promotions: Some attacks will claim that you’ve won a bonus or special promotion. This may take the form of a cash bonus or a free upgrade to a premium account of some sort. Of course, you have to log in to claim your prize.
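As an added illustration (not code from the article, from Get Rich Slowly, or from PayPal), here is a small Python heuristic that checks an e-mail for the red flags described above: the four phrasing families in the list and the login client embedded in the message body that tipped the author off. The phrase patterns and the two sample messages are constructed for this example and are assumptions, not any provider’s actual filtering rules.

```python
import re
from html.parser import HTMLParser

# Phrase families the article lists as red flags. The regexes are constructed
# for this example (an assumption), not a vendor's or PayPal's own rule set.
PHRASE_FLAGS = {
    "urgency": r"within \d+ hours|by \w+ at \d{1,2}:\d{2}|immediately|urgent",
    "account_restriction": r"restore access|account (?:has been|will be) "
                           r"(?:closed|suspended|limited)|prevent your account",
    "security_issue": r"security (?:update|settings|breach|threat)",
    "bonus": r"you(?:'ve| have) won|cash bonus|special promotion|free upgrade",
}

class _FormScanner(HTMLParser):
    """Spot a login client embedded in the body: a <form> with a password field."""
    def __init__(self):
        super().__init__()
        self.has_form = self.has_password_input = False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self.has_form = True
        if tag == "input" and (attrs.get("type") or "").lower() == "password":
            self.has_password_input = True

def phishing_indicators(subject, body_html):
    """Return the article's red flags present in one e-mail, in a fixed order."""
    text = f"{subject}\n{body_html}".lower()
    found = [name for name, pat in PHRASE_FLAGS.items() if re.search(pat, text)]
    scanner = _FormScanner()
    scanner.feed(body_html)
    if scanner.has_form and scanner.has_password_input:
        found.append("embedded_login_form")
    return found

# Constructed samples: one modelled on the e-mail described above, one benign notice.
PHISH_SUBJECT = "Action required: verify your account within 24 hours"
PHISH_BODY = (
    "<p>For your convenience, you can log into your account using the secure "
    "fields below to restore access to your account.</p>"
    '<form action="http://login.example.invalid/"><input name="email">'
    '<input type="password" name="pass"><input type="submit"></form>'
)
LEGIT_SUBJECT = "You added a new e-mail address"
LEGIT_BODY = ("<p>You added a new e-mail address to your account. If you did not "
              "make this change, open your browser and go to the site directly.</p>")
```

Running `phishing_indicators(PHISH_SUBJECT, PHISH_BODY)` reports urgency, an account-restriction phrase and the embedded login form, while the benign notice reports nothing; a real filter would treat these as signals to weigh, not proof, since a legitimate notice can also use words like “urgent”.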

Phishing attacks can target a wide variety of online accounts. Research has shown that brands like PayPal and eBay are consistently targeted by these attacks, as are large banking institutions. Around tax time, you should be especially wary of fraudulent e-mails impersonating the IRS and various tax preparation companies. These days, even social media and internet gaming accounts are used as bait by phishers!

Additional resources
While I’ve attempted to outline the basics of phishing scams, it’s impossible to cover every detail. For more information, here are some additional resources:

How often do you encounter phishing scams? Do you know anyone who has been a victim? Any additional tips for staying out of harm’s way? Join the discussion by adding your experience below!

Hook, line, and sinker photo by ToastyKen. Click through on the photo to read his own story of falling for a phishing scam.