Photo of young woman looking pensive while looking at her smartphone.
Blog Home Saving & Budgeting

How to Avoid Phishing

Written by Elizabeth Whalen

Published Mar 06 | 6 minute read

Money 101 Your Home
TABLE OF CONTENTS(SHOW)

    Every year the unsuspecting public loses millions of its hard-earned dollars to phishing. The FBI estimates that phishing cost Americans nearly $30 million in 2017 alone. By taking a few simple steps to protect yourself, however, you’ll be less likely to become a victim of this scam.  

    Synchrony Bank will never ask for personal information by email. If you receive email from us offering links that is not from customer.service@mail.synchronybank.com, consumerbanking@e.synchronybank.com, consumerbanking@e.synchronybank.com, it may also be related to a phishing scam using our name.  If you believe you’ve been targeted by a phishing scam using our name, call 1-866-226-5638.
     

    What Is Phishing?

    Phishing is using false communications in an attempt to trick someone into revealing personal or account information that can be used for identity theft. Although commonly seen as an email attempt, phishing isn’t confined to email. Scammers might use text messages, a technique known as “smishing,” or phone calls and voicemails, known as “vishing.”

    • Deceptive phishing attempts often arrive in your email inbox as a message from what may appear to be a legitimate company—perhaps your own bank or a site you regularly use, or file-sharing services such as Dropbox or Google Docs. The email may ask you to visit the company’s website and enter your user name and password. In reality, the link takes you to a site run by cybercriminals in order to steal your login credentials. The links might also take you to a site that installs “malware” on your computer. This hidden software allows cyber attackers to collect your personal information.
    • Spear phishing is a highly targeted form of phishing that includes personal details, such as your name or job title, in order to appear more legitimate. Spear phishing may have the same goal as deceptive phishing: to steal your personal information. But it can also be the first step in a more widespread attack on your employer or business, and it can happen on social media sites, including LinkedIn.
    • Fraud happens after a phishing attempt succeeds. For example, cybercriminals may use your bank account login credentials to steal from your account. Or, if the attack is targeting a company, they might impersonate the owner, CEO or other top executive of a business, and send requests by email to the accounting department to wire money to their bank account.  
    • Pharming doesn’t bait people with fraudulent messages, but it’s still used to steal personal information and commit fraud. Attackers hack the websites of legitimate businesses and redirect visitors to another site that they control. Unfortunately, this means you can fall victim to a pharming attack even if you’re never contacted directly by a scammer.

    How Common Is Phishing? 

    The FBI ranks phishing as the third most-common type of cyber attack. Every month, the Anti-Phishing Working Group receives more than 80,000 consumer reports of unique phishing campaigns—and each of those campaigns targeted multiple people. On the business side, 76% of organizations reported experiencing a phishing attack, according to a survey by Wombat Security. 

    How Can I Protect Myself from Phishing?

    • Email essentials: First and foremost, be vigilant—even with links in email from sources that appear to be from a person or company you know or trust. Scammers are now sophisticated enough to send emails that look very much like they are from your friend, your bank or your favorite online store. Cybercriminals can even hack an acquaintance’s email account and use it to send you malicious links. Before you click on a link, hover over it, so you can see the URL where you’ll be sent. Don’t click if it doesn’t look legitimate. Be wary of attachments, poorly written email or any requests for your personal information. Banks and credit card companies generally have policies to never ask for this information by email. And remember, if the email seems to be designed to make you nervous or feel rushed, that’s suspicious.
    • Be skeptical: Check the address and security of every website you visit. Be cautious when shopping online or anytime you’re entering personal information or a password. Check the site address carefully to be sure you’re exactly where you want to be. If, for example, you’re trying to log into “dropbox.com” but the URL reads “dropdox.com,” don’t enter your information. Most browsers today offer a symbol that you can use to easily check a site’s security: It’s a locked padlock icon next to the URL.
    • Protect your information: To further reduce your chances of getting phished, avoid posting information on social networks that could be used for a spear phishing attack, use multi-factor authentication whenever possible and use a password-generation and management service. 
    • Educate your employees: If you own a business, train your employees to follow all these steps. Additionally, set up internal processes that prevent fraud. For example, you might require at least two people to approve all wire transfer requests.

    I Think I’ve Been Phished. What Do I Do Now?

    Nothing can completely prevent phishing, but if it happens to you, you have options. Start with these four steps.

    Stop using the device

    In fact, don't even use the affected device (laptop, phone) to change your passwords. It may be infected with malware that will collect your new passwords, leaving you no better off than before.

    Change all access info

    Once you’re on a clean device, change your passwords.

    Disconnect and see a specialist

    Then, disconnect the potentially infected device completely from the internet and cell service, which will help isolate any issues. Contact your device manufacturer, service provider or another expert to help you find and remove any viruses or malware.

    Target the virus

    Next, run anti-virus software before restoring your most recent backup.

    After you take these initial steps, contact others to make sure your information isn’t being used by hackers. To isolate potential financial damage, contact Equifax, Experian or TransUnion, the three credit reporting agencies, and have a fraud alert placed on your account. Contact your bank and credit card company and follow their instructions. You may need to freeze or cancel your cards. Then continue to monitor your accounts frequently so you can catch any unauthorized transactions.

    This chart is a decision tree that helps you decide if you should open a suspicious email. The title and first question is "Is this email from someone you know?" If it's not, you should delete it or mark it as spam. If it is, you should remain cautious and ask yourself if the email address is "EXACTLY right". If it isn't, delete it or mark it as spam. If it is, ask yourself if the email is something you'd expect from the sender. If not, double check with the sender and delete it if they say they didn't send it or open it if they say they did. If you would expect this email from the sender, just double check that nothing else feels off before opening it. If you are still concerned, open the email but remain cautious by: 1. Use a browser to search links, don't click on them, and 2. Don't send any info.

    Learn more about keeping yourself safe while banking online.

    Back to top

    You may also like

    See more related articles

    Elizabeth Whalen

    Elizabeth Whalen is a freelance writer based in Seattle. She loves writing about business, financial services and sustainability.
     

    1. https://pdf.ic3.gov/2017_IC3Report.pdf
    2. https://www.fbi.gov/news/stories/2017-internet-crime-report-released-050718
    3. https://www.tripwire.com/state-of-security/security-awareness/6-common-phishing-attacks-and-how-to-protect-against-them/
    4. https://www.cisco.com/c/en/us/products/security/email-security/what-is-phishing.html
    5. https://www.tripwire.com/state-of-security/security-awareness/a-guide-on-5-common-linkedin-scams/
    6. https://docs.apwg.org/reports/apwg_trends_report_q1_2018.pdf
    7. https://www.tripwire.com/state-of-security/security-data-protection/three-quarters-organizations-experienced-phishing-attacks-2017-report-uncovers/
    8. https://www.wired.com/2017/03/phishing-scams-fool-even-tech-nerds-heres-avoid/
    9. https://www.pcmag.com/article/364947/how-to-avoid-phishing-scams
    10. https://www.forbes.com/sites/ygrauer/2017/01/30/so-youve-been-phished/#3c3cc7b33a61
    11. https://us.norton.com/internetsecurity-online-scams-what-to-do-when-you-fall-for-an-email-scam.html
    12. https://www.antiphishing.org/resources/overview/avoid-phishing-scams
    13. https://staysafeonline.org/blog/5-ways-spot-phishing-emails/
       
    *The information, opinions and recommendations expressed in the article are for informational purposes only. Information has been obtained from sources generally believed to be reliable. However, because of the possibility of human or mechanical error by our sources, or any other, Synchrony does not provide any warranty as to the accuracy, adequacy or completeness of any information for its intended purpose or any results obtained from the use of such information. The data presented in the article was current as of the time of writing. Please consult with your individual advisors with respect to any information presented.
    Return to Table of contents