eFraud Prevention.com - Creating security minded people

E-Learning Fraud Safety Courses

Card Safety College Students Home Network & Office Identity Theft Investing Mobile Phone / Text Online Shopping Phishing Scams & Hoaxes Senior Citizens Small Business Fraud Social Media Travel

How to avoid phishing emails Email safety Text Phishing "SMiShing" Direct deposit phishing Social media "Angler Phishing" At work - spear phishing

Here are some qualities that identify an attack through an email:

They duplicate the image of a real company.
Copy the name of a company or an actual employee of the company.
Include sites that are visually similar to a real business.
Promote gifts, or the loss of an existing account.

Phishing doesn't only pertain to online banking
Most phishing attacks are against banks, but can also use any popular website to steal personal data such as eBay, Facebook, PayPal, etc.

Phishing knows all languages
Phishing knows no boundaries, and can reach you in any language. In general, they're poorly written or translated, so this may be another indicator that something is wrong.

Have the slightest doubt, don't risk it
The best way to prevent phishing is to consistently reject any email or news that asks you to provide confidential data. Delete these emails and call your bank or credit union to clarify any doubts.

Social media sites can have infected links. For example, you receive an Instagram picture from a friend. It's a great picture so you decide to share it by clicking the Facebook "like" button underneath the image. This can be dangerous even if the picture came from a trusted source, it's a real Facebook button and you are not downloading anything. If you can see the picture, you could have downloaded Malware. If the Facebook "like" link was fake, you also could have inadvertently download Malware. Malicious software (Malware) can be disguised as a Facebook "Like" button, picture or audio clip. When you click a link or open an attachment, malware installs on your device. Unlike early PC malware, it doesn't ask your permission, and your device is figuratively in the hands of a criminal.

Free wireless can be dangerous. While at local coffee shop, airport, or public gathering place DO NOT connect to the "free wireless" network if you are asked to create a temporary LOGIN to get access to the free wi-fi. Don't Assume a Wi-Fi Hotspot is Secure. Most Wi-Fi hotspots do not encrypt the information you send over the internet and are not secure. When using a Wi-Fi hotspot, only log in or send personal information to websites that you know are fully encrypted. If you use an unsecured network to log in to an unencrypted site - or a site that uses encryption only on the sign-in page - other users on the network can see what you see and what you send.

Free public wi-fi network can be dangerous. Whenever you have access to a free public wi-fi network, you should NOT use that free wi-fi connection instead use your mobile wireless connection. Be smart on open Wi-Fi networks. When you access a Wi-Fi network that is open to the public, your phone can be an easy target of cybercriminals. You should limit your use of public hotspots and instead use protected Wi-Fi from a network operator you trust or mobile wireless connection to reduce your risk of exposure, especially when accessing personal or sensitive information. Always be aware when clicking web links and be particularly cautious if you are asked to enter account or log-in information.

Do not include this information on your social networking profile:

Your date of birth, including the year
Your phone number
Your physical address
The name of your high school
Your pets name

Users of social media sites were at greater risk of physical and identity theft because of the information they were sharing. If you participate in social networking, you should safeguard your information. Posting your full birthdate and place of birth, phone number, physical address, and any information that could be used to guess your password - such as your mother's maiden name - could provide fraudsters with information to help them gain access to your financial accounts. So be sure to keep this information safe and update the privacy settings for your profile.

Be careful when you click on a Pinterest "pin" to enter a any type of promotion. Pay close attention to the URL these pins lead to before clicking on them. If the URL doesn't seem like anything official to you, don't click it and don't re-pin it. licking the pin can redirect you to a third party website, have you rep-in the pin or fill in a survey providing personal details. These tricks can install malware or gain access to information about you in order to steal your identity.

Be wary of social network invites. If you receive a message from a friend on Facebook inviting you to join a new social network, you should suspect that the message is fraudulent and contact your friend to verify. Don't trust that a message is really from who it says it's from. Hackers can break into accounts and send messages that look like they're from your friends, but aren't.

Do not allow access about your contacts. If you join a new social network and receive an offer to enter your email address and password to find out if your contacts are on the network, you should decline the offer and DO NOT allow the social network site access to your email address book. To avoid giving away email addresses of your friends, do not allow social networking services to scan your email address book. The site might use this information to send email messages to everyone in your contact list or even everyone you've ever sent an email message to with that email address. Social networking sites should explain that they're going to do this, but some do not.

DO NOT accept a social media connection request from a stranger of the opposite sex as long as the person looks honest and knows other people you know. Be selective about who you accept as a friend on a social network. Identity thieves might create fake profiles in order to get information from you. That lack of caution can be extremely costly. Most networking sites contain personal information. When you friend someone, you give them access to that information and that can be used by fraudsters.

Deleting pictures or videos from your social networking sites will NOT permanently remove them from the Internet. You need to contact the support department at the social networking site to make sure they are removed. Assume that everything you put on a social networking site is permanent. Even if you can delete your account, anyone on the Internet can easily print photos or text or save images and videos to a computer.

You can be at risk even if you download Apps on social networking sites that look official and the App install link is within the social networking site. Be careful about installing extras on your site. Many social networking sites allow you to download third-party applications that let you do more with your personal page. Criminals sometimes use these applications to steal your personal information. To download and use third-party applications safely, take the same safety precautions that you take with any other program or file you download from the web. Modify your settings to limit the amount of information apps can access.

Do not respond to social media requests. If you receive an e-mail requesting you to update your Facebook, Twitter, LinkedIn, eBay, or PayPal accounts, do NOT click on the link in the email and DO NOT LOGIN and update your account as requested. Before writing your username and password look at the web address in the browser. The fake ones look similar to this: http://k2nxw.com/cgi-bin/login/ or www.paypal5281.com. If you are not sure, log into your real account just like you usually do, by typing the web address in the browser by yourself and not using the links provided.

More tips

Use multiple passwords everywhere. It is NOT okay to use the same passwords for social networking sites as long as you use different passwords for home banking type sites. It is correct to use a different password for home banking type sites. However, social networking sites may not have the security your online financial institution but using the same password on those sites is like trusting the weakest link in a chain to carry the same weight. Every site has vulnerabilities, plan for them to be exploited.

If you do receive offers of pre-approved credit, you should shred the offer before putting them in the trash. First you should purchase a cross-cut shredder and shred all your pre-approved credit card offers. Next you should remove your name and opt-out of receiving these offers by visiting the web site https://www.optoutprescreen.com

Understand how your financial institution communicates with you. If you receive an e-mail with your bank's name and e-mail address, explaining that, for security reasons, you had to click on a particular Internet link and log in to your account to update your settings. You should delete the email without taking any action, call or otherwise contact your bank to ensure credibility and report it to your bank as SPAM. Financial institutions DO NOT ask for personal or account information via email.

Always be skeptical of attachments. If you receive a message to view a file or video on a social networking site and from someone within your network (a trusted source), it is still NOT safe to open the attachment. Criminals are avid fans of social networking sites. They hijack user accounts to send phishing invites to an account holder's entire contact list, post poisoned links to a variety of malicious sites, and send credible emails with malicious links - abusing the trust that friends normally share. Some creative criminals have tailored messages to appear to come from the social networking site itself, designed so that users will divulge their login credentials or download a Trojan.

Technology-based security measures such as firewalls, encryption, anti-virus, spam filters, and strong authentication will NOT prevent social engineering fraud. No matter how much security technology you implement, you can never get rid of the weakest link - the human factor. A social engineer is someone who uses deception, persuasion and influence to get information that would otherwise be unavailable.

If you receive an email from a friend or trusted source, it is NOT always safe to click on a link or attachment within that email. The email account of your friend or trusted source could have been compromised and is being sent to you by a criminal with the intent of getting information or to have you click a link or open an attachment.

Feedback when incorrect: The email account of your friend or trusted source could have been compromised and is being sent to you by a criminal with the intent of getting information or to have you click a link or open an attachment.

It is NOT always safe to click a link as long as the link is through a popular search site like Yahoo, Google or Bing. Search engine poisoning makes up 40% of malware delivery on the Web. The practice is when malware and spam attackers inundate search results with links to bait pages that will take users to malicious websites that will download malware to a computer. People want to be able to trust that what they search for in Google, Bing or Yahoo is safe to click on.

Access web sites through your web browser. Typing the address of a web site directly into your Web browser will ensure that you are going to the legitimate Web site and not a phishing site that was designed to mimic the look of the real thing. Unless the site was hijacked or your computer has a virus, typing the web address yourself is the best way to guarantee the authenticity of a web site.

Tech support scams are very popular. If you receive an e-mail from a Microsoft support person saying that your computer is infected by a virus and suggests that you install a tool available on their Internet site to eliminate the virus from your computer. You should NOT click on the link even though the email looks official and has the legitimate support@microsoft.com email address. Email spoofing is e-mail activity in which the sender's address and other parts of the e-mail header are altered to appear as though the e-mail originated from a different source.

Be skeptical when there are big news events happening. If you hear on the news that your insurance company has recently been breached and soon after you receive an email from your insurance company that explains the breach and provides the necessary steps for you to take. These steps include clicking on a link to update your personal information and change your user name and password. You should NOT follow all instructions to keep your information protected. Now that the criminals have information about you, they may try to trick you into giving up more information through fraudulent emails. Be suspicious of urgent emails requesting information and never open attachments you aren't expecting even if it's from someone you know.

If you are unsure about a link in your email, do NOT copy and paste the link in your web browser. You could still end up at the malicious site and potentially load malware on your computer or network. If you are unsure whether a link you received in an email is safe, it is not safe to copy and paste the link in the URL section of your web browser.

If you are unsure about a link in your email, it is NOT safe to forward the link to have it tested by someone else. By forwarding an email, all you've done is forward a potentially dangerous and malicious email that could infect someone else's computer or network.

Criminals could strike very quickly. For example, within hours of hurricane, you receive an email from the Red Cross asking for a donation to help the victims. This email is most likely a high-profile phishing scam that receives media attention and is on the forefront of peoples minds. These scams are effective because they rely on your emotions and compassion.

Be aware of web site extensions. For example, out of these six web addresses, the "whitehouse.com" is phony because any official U.S. government web site will end in .gov and not .com.

https://www.usa.gov
https://cio.gov
http://www.ssa.gov
https://www.ssa.gov
http://www.fdic.gov
https://www.whitehouse.com

Clues that an email is fake can include: poor spelling, grammatical errors, offer of a reward, typos, information request, threatening tone.

You might have been hacked if:

Friends and family are getting emails or messages you didn't send.
Your Sent messages folder has messages you didn't send, or it has been emptied.
Your social media accounts have posts you didn't make.
You can't log into your email or social media account.

What to do if email is hacked:

Update your system and delete any malware. The first thing you should do if your account gets hacked is to run an end-to-end antivirus scan. This means skipping the "quick scan" setting in favor of a deep scan to identify and eliminate not only all forms of malware (including Trojans and spyware to keyloggers that could be tracking your keystrokes even after the hack has been identified) and potentially unwanted applications. It's important to make sure you're clean before you change any of your other sensitive information to avoid restarting the cycle. Also, set your security software, internet browser, and operating system to update automatically.
Review Social Media Accounts. Look for changes your social networking sites, look for changes to the account since you last logged in. Look at your personal details, review any third-party apps connected to your account, and check your security questions and answers and your backup email addresses and/or phone numbers. If you think your hacker had a chance to scan your security questions and backup accounts, try to change these on the compromised account and on any other account that relies on the same information. This will prevent the bad actor from using your personal details to breach other accounts in the future.
Change Your Passwords. Once your computer is free of malware, it's time to change your password. If you've lost access to your account, you may need to contact the email provider directly, prove who you are and ask for a password reset. Choose a new password that is very different from your old one and make sure it doesn't contain strings of repeated characters or numbers. Your password should be unique for each account, complex (i.e., a mix of letters, numbers and special characters) and at least 15 characters long.
Contact Other Online Services. It's critical to change your passwords with other payment-based accounts such as Amazon, Netflix, LinkedIn, credit card companies, etc. Make sure you use different passwords for every online account.
Notify People You Know. Tell your friends, family and anyone else on your email contact list that they might have gotten a malicious link.. During the period when attackers had control of your account, they could have sent dozens or even hundreds of fraudulent emails to everyone you know, in turn giving them access to a new set of victims.
Change Your Security Questions. While your password was the most likely attack route, it's also possible that hackers broke into your account after answering your security questions. Many users choose the same answer to common security questions. In order to further protect your email, be sure to employ the multi-factor authentication that many providers allow to gain access to your password, including using secondary email addresses or text messages, since security questions alone are not enough.
Report the Hack. If you haven't already, contact your email provider and report the hack. This is important even if your hacked email didn't cause you to lose access since it helps providers track scam-based behavior. In addition, your email provider may be able to offer details about the origin or nature of the attack.
Contact Credit Agencies. Contact the three credit reporting agencies TransUnion, Experian and Equifax to monitor your accounts in the months after you've been hacked.
Consider Your ID Protection Options. If you've been hacked, another idea worth considering is an ID protection service. These services typically offer real-time email and online retail account monitoring, in addition to credit score reporting, and personal assistance in the event of an identity theft. Your financial institution will offer this program for a small monthly fee.
Review All Email Accounts. If the breach affected a service that includes email, such as your Google account, check the email account for sent messages or for new filters. For example, clever hackers can set up filters that forward all incoming mail to an address you don't recognize. Delete such filters to prevent people from worming their way back into your account in the future. This is particularly important because you can reset many other accounts' passwords, and receive notifications about suspicious activity, over email. You don't want an eavesdropper to nab those recovery messages. Also, check that your email signature and "away" message don't contain unfamiliar links or forwards.
Create a New Email Account. Sometimes it's not worth picking up where you left off. If this isn't the first time hacked email has been a problem, or if your provider doesn't seem to be taking steps to mitigate the amount of spam you receive, it may be time for a switch. Look for a service that offers default encryption of your emails and solid customer service in the event of an issue.

Properly Managing Your Email

Keep a minimum of three email accounts. Your first email account should be used for personal conversations and contacts, and your third email account should be used as a general catch-all for all hazardous behavior.
Your second email account should be your work account that is used exclusively for work-related conversations. Don't risk your company's security by using a personal computer or email address at work.
Your third 'catch-all' account should be used to sign up for newsletters and contests. You should plan on having to dump and change out this account every six months.
When you are checking your email at a public computer, you need to log out of your email and close the browser window completely.
Delete browser cache, history and passwords.
Do not use un-secure email accounts to send and receive sensitive corporate information.
Unless you need a written record of something or are communicating across the globe, consider whether a simple phone call rather than an email is a better option. Compared with accessing email through a public computer, a phone call is more secure option.

Emailing the Right People

Don't use the Blind Carbon Copy (BCC) option.
Don't use the "Reply All" button.
Be careful forwarding email. Forwarding emails can create a significant security threat for yourself and the earlier recipients of the email. As an email is forwarded, the recipients of the mail (until that point in time) are automatically listed in the body of the email. As the chain keeps moving forward, more and more recipient ids are placed on the list.

Avoiding Phishing Email

Phishing is a type of online fraud wherein the sender of the email tries to trick you into giving out personal information or clicking on a link as a method to try to steal your identity or your money.

Don't send personal and financial information via email. Banks and online stores provide, almost without exception, a secured section on their website where you can input your personal and financial information.
Avoid writing any company that requests that you send them private financial or personal information via email.
Be careful when unsubscribing to newsletters you never subscribed to. If you don't specifically remember subscribing to a newsletter, you are better off just blacklisting the email address.
If you accidentally open a phishing email, do not reply or click on the link in the email. If you want to verify the message, manually type in the URL into your browser.

Signs of phishing include:

A logo that looks distorted or stretched.
Email that refers to you as "Dear Customer" or "Dear User" rather than including your actual name.
Email that warns you that an account of yours will be shut down.
An email threatening legal action.
Email which comes from an account similar, but different from, the one the company usually uses.
An email that claims 'Security Compromises' or 'Security Threats' and requires immediate action.
Review the signature. Legitimate businesses always provide contact details.
The hyperlinked address is different from the address that is displayed
The email asks you to make a donation.
You didn't initiate the action of the email subject.

Avoiding Email Malware

Don't always trust an email from someone you know. Malware and viruses can be circulated by people who have no idea they are sending it, because hackers are using their computer as a zombie.
Blacklist spam instead of deleting it. When you 'blacklist' an email sender, you tell your email client to assume that they are spam.
Don't disable the email spam filter.
Scan all email attachments. Many free email clients provide an email attachment scanner built-in. You can first forward your attachments to that account before opening them.

Keeping Hackers at Bay

Don't share your account access information with others.
Don't use simple and easy-to-guess passwords.
Encrypt your important emails.
Encrypt your wireless connection.
Use a digital signature whenever you sign an important email.

Red flags you're about to get scammed

Links that are the only content in the body of an email.
Bit.ly or otherwise shortened links.
Hyperlinked text.
Inordinate number of recipients.
Vague, generic or nonexistent subject lines.
Intense enthusiasm.
Grammar and spelling errors.
Strange requests.
Urgent message.
Sensitive information requests.
Surefire guarantees promise.

Here are a few steps to prevent text message spam:

Delete text messages that ask you to confirm or provide personal information: Legitimate companies don't ask for information like your account numbers or passwords by email or text.
Don't reply, and don't click on links provided in the message: Links can install malware on your computer and take you to spoof sites that look real but whose purpose is to steal your information.
Treat your personal information like cash: Your Social Security number, credit card numbers, and bank and utility account numbers can be used to steal your money or open new accounts in your name. Don't give them out in response to a text.
If you are an AT&T, T-Mobile, Verizon, Sprint or Bell subscriber, you can report spam texts to your carrier by copying the original message and forwarding it to the number 7726 (SPAM), free of charge.
Review your cell phone bill for unauthorized charges, and report them to your carrier.
To block spam messages -- but not all incoming texts from friends and family -- call your carrier's customer service number (usually 611) and instruct them to "Block all text messages sent to you as email" and "Block all multimedia messages sent to you as email." You also might be able to log into your account online and activate these blocks there.
If dialing 611 or going into your phone settings online does not slow down spam, check with your mobile provider about other options to block future spam messages.
Set up and use a free email account that's only for things like promotions, contests, and the like. This way, you can easily segregate those messages from your personal and work correspondence.

More prevention tips:

Attacks using verification codes to bypass 2 Factor Authentication. Be suspicious of SMS messages asking about verification codes. Legitimate messages from password recovery services will simply tell you the verification code and will not ask you to respond in any way.
Don't fall for texts from your network which ask for details. Your phone network will often text you – if you're abroad, for instance, to warn of data roaming rates. But networks won't ever ask you to confirm or verify your details. If you see a "security" text which asks for a password, or any other details, don't click the link, and don't call any numbers in it. Contact your network via their website, or via their phone number (the real one, not the one in the SMS).
If you see a "business" phone number in a text, it's no guarantee it's real. Many SMS phishing attacks will include "toll free" numbers that look like legitimate business ones – they're not.
Don't reply with "STOP" if you're being spammed – contact your network instead. If you're being spammed repeatedly, and the SMS contains an instruction to text back with "STOP" to cut off the emails, don't. This will simply tell the spammers that you're there, and they'll intensify their attacks. Your network will be able to block SMS from specific numbers.
Be very suspicious of "special offers" – especially ones where you have to "act fast". Phishers commonly send out SMS attacks in the form of "special offers" from big companies – such as a $1,000 gift card, where only a limited number are available, and you have to click a link to cash in.
High-value "special offers" that sound too good to be true usually are. If it's your local pizza place offering two-for-one on Tuesdays, you might be safer. Think first, and think hard if you're being asked to click a link.
Set your phone to block apps from unknown sources. Many SMS phishing attacks aim to fool you into installing malicious apps – particularly on Android. As a precaution, block installation from unknown sources (it's in Android's Settings menu). If you have to unblock this (for instance to install a work app), set it back to "blocked" when you've finished. If you do make a mistake, this gives you another line of defense. It's also worth using Google's built-in "Verify Apps" function, which monitors apps for suspicious activity.
Don't fall for texts from your bank or credit union which ask for "confirmation details". Your bank may well text you – for instance to confirm a transaction on PC – but bank texts will not, ever, ask you to confirm details, or for passwords. Banks also won't update their apps in this way. If you're suspicious, don't click links, don't call any numbers in the text. Instead, call your bank on its "normal" number – Google it if you don't know – and check whether the text is from them.
Don't fall for warnings saying, "Your phone is infected". Recent SMS phishing scams use a bogus "security alert" to scare users into installing fake antivirus apps. Reputable security companies will not "push" products in this way.
Don't trust caller ID. Just because your caller ID displays a phone number or name of a legitimate company you might recognize, it doesn't guarantee the call is really coming from that number or company.

A direct-deposit phishing scheme is aimed at employers that use self-service direct-deposit platforms. These platforms allow employees to manage their W-2 and payroll options, so the platforms contain personally identifiable information (PII) as well as direct-deposit banking data. The education sector is a popular target for this scam.
According to the FBI, the scam begins with a phishing campaign targeting individual employees. It's a variation of sorts on the business email compromise, in which fraudsters impersonate a trusted person or a person of authority to get the victim to perform a certain action. This can include the trusted authority of the human resources department or an HR vendor. The email directs the employee to perform what may feel like a common transaction, like confirming a direct-deposit account, viewing changes to the account, etc.
The goal is to get you to reveal login credentials to the fraudster, who can then use those credentials to steal PII as well as redirect the employee's deposit to another account. One of the first things the fraudster will do is change your contact email, so that you don't receive an alert.

Detecting direct-deposit scams are not much different from detecting other phishing emails:

Spelling and grammatical errors.
Urgent or unusual requests (often accompanied by something punitive, like an account lockout, that would result from inaction).
Unusual or questionable sender's address (if the email is signed, also a mismatch between the sender's name in the email header and the name in the email itself).
Embedded link that doesn't match the displayed link.
Misleading URL (sometimes it can be as subtle a deviation as a zero instead of letter o).
Request for personal or sensitive information.

Preventing Direct-Deposit Phishing Scams

A few steps organizations can take to prevent direct-deposit phishing scams include:

Implement two-step or multi-factor verification for HR/payroll platforms.
Require IT, administrators, to monitor unusual activity, such as a large number of accounts having contact and banking info changed over a short period.
Have a policy of temporarily reverting to a paper check after a change to banking information.
Ensure payroll login credentials are different from credentials used for other purposes.
Set up alerts on self-service platforms for administrators so that unusual activity may be caught before money is lost. Alerts may include for when banking information is changed to online bank accounts typically used by fraudsters.
Alert employees about the scam.
Train employees to watch for phishing attacks and suspicious malware links. Checking the actual e-mail address rather than just looking at the display name can be crucial to spotting the attack early.
Set a time delay between when direct deposit information is changed in the self-service portal and the actual deposit of funds into the new account to decrease the chance of the theft of funds.

What is angler phishing?
This attack is named after the anglerfish, which uses a bioluminescent lure to entice and attack smaller prey. In this case, the glowing lure is a fake customer support account that promises to help your customers but secretly steals their credentials instead.
How does it happen?
Fraudsters create highly convincing fake customer service accounts and then monitor social media channels for customer support requests. Angler phishing hackers often wait to strike on evenings or weekends when your brand is less likely to monitor social media interactions. When the hacker sees a customer contact your brand, they hijack the conversation by responding directly to that customer using their fake support page.
Example 1: Fake customer service accounts on Twitter
Online criminals set up fake customer service accounts to phish for bank login and password information and other sensitive data. These imposter accounts look very similar to that of real businesses, but are often one character off -- or they include an extra underscore or other keyboard character.
When someone tweets at their bank or example, scam artists will intercept the conversation, and reply to that message with what seems like an authentic answer.
Let's say John Smith tweeted his request to @mybank, the hackers were able to intercept his tweet and respond using their fake account @askmybank. The link in the fraudulent response will lead John to a perfect replica of the bank's login page. There the hackers can steal his online banking credentials, ATM pin, security questions and answers, and more.
Example 2: PayPal fraud
In this attack, an angler phisher targeted PayPal users from two fake PayPal Twitter accounts. The tweet encourages recipients to click over to the actual PayPal Twitter account, @PayPal, for assistance in an urgent matter. However, the fraudsters are monitoring the replies on the official PayPal Twitter page in order to sweep up replies to exploit for their attacks.
In addition, when victims receive a reply from the phony PayPal Twitter accounts, they're fooled again as the reply has the PayPal logo emboldened as an account image, and the handle seems official, except it amends the word "Ask" at the beginning of the handle. Targets are lured into entering their PayPal credentials into the seemingly legitimate, but fake page. The bad actors are thus provided with the personal information they need to gain access to accounts and transfer out funds held there.
Who is at risk?
Fraudulent customer support accounts are a problem for any business that provides customer service on social media. However, 2016 research from the Anti-Phishing Working Group shows that more than 75% of phishing attempts target financial service and ecommerce organizations to steal banking credentials and make fraudulent purchases.
How can I stop angler phishing attacks?
For Consumers:

Never LOGIN to an account if the link is provided to you through email or social media.
If you are unsure about a link in a social media post, do NOT copy and paste the link in your web browser. You could still end up at the malicious site and potentially load malware on your computer or network. If you are unsure whether a link you received in a post is safe, it is not safe to copy and paste the link in the URL section of your web browser.
Access web sites through your web browser. Typing the address of a web site directly into your Web browser will ensure that you are going to the legitimate Web site and not a phishing site that was designed to mimic the look of the real thing. Unless the site was hijacked or your computer has a virus, typing the web address yourself is the best way to guarantee the authenticity of a web site.
Technology-based security measures such as firewalls, encryption, anti-virus, spam filters, and strong authentication will NOT prevent social engineering fraud. No matter how much security technology you implement, you can never get rid of the weakest link - the human factor. A social engineer is someone who uses deception, persuasion and influence to get information that would otherwise be unavailable.
Use caution when you click links that you receive in messages from your friends on your social website. Treat links in messages on these sites as you would links in email messages.
Don't trust the sender information in an e-mail message. Even if the e-mail message appears to come from a sender that you know and trust, use the same precautions that you would use with any other e-mail message. Fraudsters can easily spoof the identity information in an e-mail message.
Know the social media account handle for the company you are dealing with. Make sure you communicate only with the legitimate account.
Look closely at the reply you receive and be skeptical. Look for misspelled Twitter handles, email addresses, etc.

For Businesses:
These types of attacks will be a problem for any business that provides customer service on social media. The following is a list of some key actions an organization can take to help prevent angler phishing attacks:

Identify your organization's social media platforms, accounts and key individuals.
Document who is responsible for the corporate accounts. These accounts should have strong passwords that are continuously being changed every few months.
When applicable, use verified accounts. Twitter and Facebook offer an option for verified accounts to help ensure authenticity.
Continually monitor for fraudulent accounts. Make sure you take down any suspicious activity and report it to your IT team or service provider.
Enhance your security by leveraging email security solutions.

One of the most sophisticated types of phishing attacks is called spear phishing. This is when a hacker will target a specific group or organization and will tailor their attacks to make them look relevant to the recipient. When receiving emails, users should look at the following:

Do you know the sender, and is the email address one you would expect them to use? An email purporting to be from your CEO, but sent from a Gmail account, should always ring alarm bells.
Are you expecting a message from the person? Does the email look suspicious? Does the link look genuine?
The content of the email can be a giveaway. One of the most basic reasons that phishing attacks work is that they prey on a user’s emotional response – fear, curiosity or reward, and emails that evoke strong emotions such as these should be considered triggers.
Is the email specific? Does it make sense? Although criminals have a lot of information about individuals they will still keep messages generic to pique your interest, and make you take action.
And of course, while grammar has improved in recent years, mistakes are often an indicator that all is not as it seems.

Phishing is one of the most common attack methods for cyber-criminals, however an effective training program and user awareness will minimize the risk of employees falling victim. Once employees know what to look for they will be able to quickly identify any potential phishing emails and report them before any damage is done.

eFraud Prevention™, LLC