Financial scams are a dime a dozen, meaning there are tonnes of them out there waiting to land on some unsuspecting victim. These could be love scams, Nigerian prince scams and credit card skimming; and that’s just naming a few! As we take our lives online through social media and online shopping, it’s natural that criminals would want a slice of that digital pie. Especially if it’s linked to our digital wallets! Thus, a trick known as a phishing scam was born!
This post was sparked by not one but TWO emails I received recently from “PayPal”. Now most of us know what PayPal is; although we can’t receive payments in Brunei through them. :/ Regardless, many Bruneians use PayPal because of the added level of security in online shopping. Their service allows us to dispute fraudulent sellers and our purchases are logged when paying through them too. This adds an extra “paper trail” that you can use to prove to your bank when and where a certain transaction came from.
What is a Phishing Scam?
Phishing scams are also known simply as “Phishing”. Pronounced “fishing”, it’s as the word suggests: scammers are fishing for something. And that something is your sensitive information. The scammers are after as much information as possible in order to access certain things. And depending on the depth of deception, it could be something as simple as getting access to your account on a website, email or even bank accounts and your identity!
So what damage can this phishing scam do?
It really depends on the amount of information the scammers get. It could simply be an email account hijack and sending out spam. Or maybe they could be impersonating you to trick people who know you. Or it could be getting your credit card details and leading to racking up bills for purchases you didn’t make!
Regardless, having personal or sensitive information leaked to an outside party is never good news! So we have to take initiative to learn to spot any attempts.
How to spot a phishing scam?
First of all, you need to know that phishing scams can occur in many ways. The most common, however, are:
- Through email,
- By phone.
The way to spot a phishing scam is similar for both although the delivery is different. It’s simply spotting what’s called “red flags” which are things or conditions that trigger some sort of suspicion. For this purpose I’ll use the emails I received as examples.
Thank goodness spam-busting technology has advanced quite a bit since the days of old where users were left on their own when it came to security. I’ll list out the things that came across as strange to me in this email:
- You can immediately see a “Be Careful” alert from my email provider. Usually they’re a pretty good indicator of scams or spam in general. That is unless you’re 100% certain that the email was initiated by yourself, e.g. creating accounts.
- The domain “e.paypal.co.uk” is a bit wonky. I didn’t trust it when I saw it but on Googling a bit, it seems to be a legitimate website. However, unknown addresses are a huge red flag for me. And nowadays, scammers are able to spoof addresses to look more legitimate!
Note: Spoofing is when the scammer masks themselves to make it seem that a message is coming from a legitimate source. E.g. the email address may say “Paypal” but in actual fact the email comes from Scampal.
- Weirdly written and bad punctuation is another flag. “Regret to inform you of this bad news”? What is this bad news? All it says is my account was “limited” and not what for.
- Asking for “additional information” is usually a red flag in phishing. Paypal has most of your information already; what more do they need?
This one is pretty easy to catch but it has elements that make it look even more legitimate than the first one. So what did I find weird about this email?
- It’s obvious that the address is dodgy. I mean, look at it! It screams “It’s a trap!”
- Upon looking more closely, I think the subject line is a bit weird too. I have no idea what it’s trying to say really.
- Spelling and grammar mistakes are also present here.
- The “What to do” part looks legitimate but you can imagine what info they could have gotten from it. Likely your personal details, password, email and your secret answer (first pet goldfish, perhaps?).
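The sender-address red flags from both emails can also be checked mechanically. The sketch below is an added example, not part of the original post: it reads the From, Reply-To and Authentication-Results headers of a raw email and reports a brand name that doesn't match the sending domain, plus a failed DMARC check (the result your mail provider records when the From address was forged). The brand-to-domain list, the `.example` addresses and the three sample messages are constructed assumptions for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumption: domains each brand really sends from (constructed list).
BRAND_DOMAINS = {"paypal": {"paypal.com", "paypal.co.uk"}}

def domain_matches(host, allowed):
    """True if host is an allowed domain or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in allowed)

def sender_red_flags(raw_message):
    """Return the sender-related red flags found in one raw email."""
    msg = message_from_string(raw_message)
    display, addr = parseaddr(msg.get("From", ""))
    host = addr.rpartition("@")[2].lower()
    flags = []
    for brand, allowed in BRAND_DOMAINS.items():
        # The name or address mentions the brand, but the domain isn't theirs.
        claims = brand in display.lower() or brand in host
        if claims and not domain_matches(host, allowed):
            flags.append(f"claims {brand} but sent from {host}")
    # Replies silently redirected to a different domain than the sender's.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and reply.rpartition("@")[2].lower() != host:
        flags.append("Reply-To domain differs from From domain")
    # Header added by the receiving mail server after checking the sender.
    if "dmarc=fail" in msg.get("Authentication-Results", "").lower():
        flags.append("DMARC failed (From address likely spoofed)")
    return flags

# Constructed sample messages (not real emails).
LEGIT = ('From: "PayPal" <service@e.paypal.co.uk>\n'
         "Authentication-Results: mx.example; dmarc=pass\n\nHello")
LOOKALIKE = ('From: "PayPal Support" <alerts@paypal.com.account-verify.example>\n'
             "Reply-To: help@mailbox.example\n\nYour account is limited")
FORGED = ('From: "PayPal" <service@paypal.com>\n'
          "Authentication-Results: mx.example; dmarc=fail\n\nHello")

if __name__ == "__main__":
    for name, raw in [("legit", LEGIT), ("lookalike", LOOKALIKE), ("forged", FORGED)]:
        print(name, sender_red_flags(raw))
```

A clean result here only means the sender checks passed; the wording and “additional information” red flags above still apply.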
OK… But you mentioned phone calls too?
Yes, I did. While emails sit in your inbox (or junk folder) and wait for you to read them at your leisure, phone calls are more in-your-face. Developed countries like Singapore are having constant battles with scammers who have even been able to spoof law enforcement telephone numbers. They will call you and usually:
- Present you with a problem. This could be a transaction that couldn’t go through, your card being blocked, a relative in trouble, or a claim to be a law enforcement officer; something to hook you in.
- Ask for sensitive details to resolve it. They might ask for your credit card number, full name, government issued ID number or so on. This is what they’re after!
- Be quite persistent. They’ll try their best to convince you to divulge your information. This is a huge red flag. They wouldn’t take “no” for an answer and are generally quite pushy.
Funny enough, I experienced legitimate calls that were false positive red flags on both sides of the phone. And before you say it: No, I was not employed as a scammer.
1. As a caller
In one of my past jobs, I was tasked to make calls to customers to see if they were happy with the services. One particular lady I called was suspicious immediately. She asked “How do I know you’re really from company ABC?” I was quite green back then and got stunned by this. She’s right! I am making a random call and asking her questions. Why wouldn’t she be alarmed? But I had her details on file so I simply asked her to confirm if the info was correct and we went our separate ways.
2. As a receiver
On the receiving end, there was one time I tried to buy plane tickets online and for some reason the ticket couldn’t be issued. I made a call to complain about it and gave my phone number. Not long after, I got a call back and was told the issue was rectified and I just had to make payment. She asked for my card details to confirm it and I was about to give the details to her when it clicked. I remember saying “Uh, I don’t think that’s a good idea.” And she simply replied, “OK, no problem. You can just make the payment on the website since the booking is already made.” From then on, I made a mental note to never give card details over the phone even if it was legitimate.
So what should I do if I think it’s a phishing scam?
Whenever you have any doubt about whether a call or email is legitimate, never follow their instructions and disengage quickly. There are many ways to crosscheck the information they gave you so don’t be pressured by the phishing scam attempt. As a rule of thumb, remember:
1. Never click links in sensitive emails
By this I mean any email that may seem to be from financial services or banks especially. This way you can just read the alert and check your account manually. I usually practice this even if the email is legit.
2. Visit the site and log in manually
It may be a bit of a hassle, but you should make sure the site you visit is correct before logging in. Simply type the address manually e.g. paypal.com or your bank website and proceed from there. This protects you from dodgy links that might otherwise be well masked.
3. Never divulge sensitive information over the phone
Unless you are the one making the call to your bank or whatever party, never give up your info to any suspicious calls from numbers you don’t know.
4. Get their number and call back
Like the example I shared about Singapore, spoofing is a serious issue because people may trust the number. So if called about any issue, get their phone number, check if the number is legit online or in the phone book and then call them back.
Because the number is simply mirrored by the scammers, any legitimate numbers will connect to the right line (and not back to the scammers).
5. Always be vigilant
As time passes, criminals and scammers get better at tricking people. We have to be careful with any unsolicited calls or emails we get. Salespeople are the least of our worries.
What should I do if I was a victim of phishing?
If for whatever reason you got tricked by scammers, you have to act fast!
1. If your account is jeopardised
If your password was phished, quickly change it, as well as the password on any other accounts that use the same one. Unfortunately, there are times when email accounts get taken over and scammers start sending spam to your contact list. This spam may contain malware and viruses too.
2. If credit card information was revealed
Contact your bank to block the card in question immediately. This might minimise further damage, especially fraudulent charges to your card.
3. If personal information was revealed
Unfortunately, in this case, we don’t know what the scammers want to do with the information. Monitor your bills, mail and bank account more closely for the foreseeable future.
A phishing scam is usually disguised as some sort of problem that needs your input to rectify. The thing they are after is your sensitive information relating to your identity or finances. These scams are relatively easy to avoid through taking precautions to spot red flags. Overall, if you think it’s suspicious, don’t follow through. Take a step back, assess and then move forward. Good luck, y’all!
A healthy dose of scepticism makes it easier to see red flags.
– The Savey Fox