Cybercrime is one of the pressing concerns of the digital age. As the world grows more connected and as people share more information online, the more opportunities there are for criminals to do their dirty work. One of the most common methods of cybercrime is called phishing. You’ve probably seen this term quite a few times recently. You might know someone who has fallen victim to such an attack, or perhaps have even read a social media post warning people against phishing.
Simply put, phishing is a cybercrime technique that tricks you into providing personal information. These details can then be used to access your bank accounts, steal sensitive data to use for fraud, or install harmful software on your phone or computer. Phishing has been around since the 1990s, and what’s worse is that hackers have only become more creative in their schemes since then. Indeed, there are still many Filipinos who still fall for these schemes precisely because cybercriminals have made their scams more difficult to identify.
Bank accounts and e-wallets are often targets of phishing in the Philippines, with attacks usually made through text or email. There are multiple safeguards in place, of course, such as two-factor authentication but it still pays to be extra vigilant. Pay extra attention to the details below so you can easily spot phishing texts or emails and avoid becoming a victim.
One of the tactics that phishing texts and emails use is to make you feel alarmed. The most common way that cybercriminals do this is to tell you that your credit card or bank account has been compromised in one way or another. For example, they will tell you that there was a recent transaction amounting to a large sum of money. Then, they will tell you that the account has been deactivated for your safety. You will then be asked to click a link or call someone to reactivate your account as soon as possible. After you contact them, you’ll be asked to provide passwords, OTPs, and other sensitive information.
The main thing to do here is to stay calm and ignore the text or email. Instead, call the customer support hotline of the account in question (a simple Google search can give you the right contact information). Verify for yourself if your account was indeed compromised for your peace of mind. You’ll usually receive your answer that your account is safe within a few minutes.
Another gimmick of phishing texts or emails is to ask you to click a URL where you will then be asked to log-in to your account. The common messaging here is that you need to sign in for verification purposes. Once you type your username and password, these details will be captured by hackers and can then be used for their own means.
Remember that companies will never send you links where you need to log in. Most of the time, verification emails only contain a URL that leads to a page that says your account has been authenticated. Moreover, as many public service announcements will tell you, companies will never ask for any personal or private information. This includes your passwords, credit card details, and ID numbers.
If there are any global emergencies or natural calamities that have happened or are currently happening, be on the alert for phishing and other types of scams. A signature tactic of phishing scams is scaremongering. They use your emotions, specifically fear, because people tend to panic when they’re afraid. This will trigger a sense of urgency and anxiety, making you want to act as fast as possible so you will stop feeling afraid. This, of course, leads you to fall for the phishing attacks.
One of the easiest ways to spot phishing texts and emails is through grammar and spelling. Indeed, if the message is from a legitimate organization, it should be free from grammatical and typographical errors. You should also check other language details, such as capitalization and punctuation, as well as sentence structure. If you have a text message or email from the same company, it’s a good idea to bring that up and compare it with the suspicious one. You’ll likely spot some glaring differences that should clue you in on the phishing scheme.
When it comes to web pages, you have to be a little more eagle-eyed. As earlier mentioned, cybercriminals have gotten more creative over time and their graphic design skills have seemingly improved as well. Nevertheless, there will still be discrepancies such as spacing between letters, the font type, and text alignment among other details.
If you’ve received an “official” text or email that starts with “Dear Customer” or no salutation at all, you should already be wary. Companies will usually send messages that call you by your full name, first name, or surname (e.g., Dear Mr. Dela Cruz). This doesn’t apply to all companies and all text messages or emails, obviously, but there are plenty of establishments that send personalized texts and emails. These include banks and utility companies.
Scammers and other cybercriminals usually don’t have access to the database of information that these legitimate companies do. (That’s why they’re phishing to steal the information!) Do note, however, that there are some scammers that somehow get a hold of your name and other personal information. They will give you a call and trick you into giving up the details they need. When this happens, stay calm and don’t give any details especially your OTP.
Have you ever received a text or email saying that you’ve won a new car, a million pesos, or a luxury trip to your dream destination? Then you’ve been targeted by raffle scams. What’s worse is that these scams have evolved from simply being a way to separate you from your hard-earned money. They’ve also become a way to phish your details by leading you to a website where you’re asked to sign up or sign in and share your information. The claim is that they need these details so that they can contact you easily about your “prize.”
Obviously, if you didn’t join any raffles or contests then it’s impossible for you to have suddenly won anything. In addition, be wary of any message that asks you for money and/or secure information in exchange for a prize.
If you’re receiving a text from telecommunications companies, the sender’s number should just be three or four digits. There are also times when the sender’s name is recorded as the name of the telco, bank, utility provider, and the like. If you receive a text message that comes from a regular mobile number, that’s an immediate red flag for a phishing scheme. Do note that there’s now a tactic called number masking, where the scammers “hide” or “mask” their numbers. In this case, pay attention to how the message is crafted. You likely have a message thread from the official numbers, anyway, so make it a point to compare.
Meanwhile, when it comes to emails, don’t stop at checking the name of the person or company who sent them. Check the actual email address, too. You can do this by pointing your mouse to the “From” address. (If you’re on mobile, you can long-press on the link to see the full address.) Look at the part after the “@”—it shouldn’t have any additional characters or other forms of alteration. For example, if the email is supposed to be from Meralco, the part after the @ should be “meralco.com.ph” only. Any variation to this is likely phishing.
Remember, however, that there are times when legitimate organizations use different domains to distinguish the senders. For example, a bank’s customer support department will have a different domain from the investment department. In this case, investigate both the email address and the contents of the email. If you can, get in touch with the company and ask if the domain is really from them.
For those who are a little more knowledgeable with a computer, another trick to reveal a phishing email is to convert it into plain text. The plain text version will show hidden URLs that shouldn’t be there. These are the links that you can “accidentally” click (and lead you to phishing sites) because they’re hidden in the image.
Usually, emails from various companies don’t come with attachments because everything is already included within the message. If there are any attachments, these usually come from banks or other billers. The PDF file will contain your bank statement, your current bill, or something similar. Some even encrypt attachments to make sure that only you can open them and view the contents.
If you ever receive an “official” email with an attachment, be wary. This is especially true if it’s the first time you’re receiving files from the company. You should also check the file extensions of the attachment. As mentioned previously, the most common file type is PDF. High-risk ones are .zip, .scr, and .exe. The last one is particularly risky, since this means that the attachment is an “executable” file. Once you click or download the attachment, it will run and “execute” the files that come with it which are usually malware and other harmful files.
Now that you know how to spot a phishing text or email, what do you do next? For texts, it’s as simple as ignoring and deleting the text. You should also report the number to the National Telecommunications Commission (NTC) as well as the telco provider. Be thorough in describing the scam, especially if you or someone you know fell for the scheme. For phishing emails, mark them as spam. Your email provider is likely already doing this, but there may be some stray ones that can slip through the cracks.
You should also make it a point to educate your friends and loved ones. In particular, inform your older relatives such as your parents and grandparents about these schemes. They may not be as informed as you are, and are thus more likely to be victimized. Teach them how to spot phishing texts and emails, scams, and other forms of cybersecurity attacks.
Make sure to also keep your devices updated with the latest antivirus software and security patches. They not only prevent viruses and malware from getting into your phones and computers, but they can also detect and block phishing attempts. Consider using ad blockers as well. Pop-up ads are often used in phishing, and ad blockers can prevent most of these malicious pop-ups from appearing in your devices. Finally, make it a habit to regularly change your passwords. This way, even if phishers and hackers get a hold of your details, they can’t do anything if your passwords are no longer valid. Use strong passwords and use a password manager to keep track of them.
The truth of the matter is that no matter how careful you are, you can’t be completely secure online. In fact, the more internet services you use and the more websites you visit, the higher the possibility that your personal information will be compromised. At the same time, internet access is increasingly necessary in these modern times. For one, remote work is slowly becoming the norm. The e-commerce industry is also booming, compounded by the increasing popularity of online banking and cashless transactions.
In short, it’s really hard to avoid using the internet nowadays but there are ways to protect yourself as much as possible. Stay updated and be vigilant. Remember that criminals keep up with the latest technologies so that they can victimize more people more effectively. If you’re always one step ahead, you’re less likely to fall for phishing schemes and other scams.
References
https://www.yugatech.com/feature/text-scams-we-still-receive-today/#sthash.ngYfH0bv.dpbs
https://simpletexting.com/how-to-identify-a-text-scam/
https://www.zdnet.com/article/scam-spam-and-phishing-texts-how-to-spot-sms-fraud-and-stay-safe/
These Stories on E-Commerce
Maya is powered by the country's only end-to-end digital payments company Maya Philippines, Inc. and Maya Bank, Inc. for digital banking services. Maya Philippines, Inc. and Maya Bank, Inc. are regulated by the Bangko Sentral ng Pilipinas.
www.bsp.gov.ph