What is Phishing? Recognizing Phishing Attempts Before It's Too Late

Reading time: 5 minutes

Highlights:

• Phishing attempts try to trick you into divulging personal or financial information

• You can be phished through emails, text messages or social media sites

• Here are some ways to evaluate a message before clicking on a link or attachment

You’re checking your email and receive a message that looks like it's from your credit card company. It says your billing information is out of date and asks you to log in within 24 hours to update it, or your account will be deleted. What do you do?

These “phishing” messages are used by scammers to trick you into clicking a link (like that login button in the email) or an attachment that will provide them access to your information or download malware onto your computer. The goal is to get you to take the bait, and snare your personal or financial information.

While phishing traditionally has been done through emails or text messages, recently phishing has been seen on communication apps and social media messaging. Attackers are also using attachments within shared files and posting them on trusted file-sharing sites. 

Phishing attempts can be convincing 

Phishing attempts may look legitimate and may appear to be from your bank, credit card company, a company you do business with, or even your employer. Others may seem to come from a social networking site, an online payment website or app, or an online store. 

Like the example above, these messages may tell you there is a problem with your account or your payment information, or that some suspicious activity and login attempts have taken place. They may include a fake invoice, a link to login or “make a payment” or ask you to register for something. Still others may offer online coupons or try to entice you to open an attachment. 

Phishing attempts may play on your emotions or sense of urgency. If you’re concerned about suspicious activity on your account, you may be more likely to use the link in the email to quickly log in and check out the situation. 

How to recognize phishing attempts 

Look closely at any messages like this you receive. Ask yourself the following:

• Do you have an account with this business? If so, is the email address the message was sent to the same email address associated with your account? Did you sign up to get emails from this company?
• If the message seems to come from a person, do you know them? 
• Did the email come to your junk or spam folder?
• Does the message greeting address you by name?
• For emails, hover over the sender’s email address and any links in the email to see where they lead. Do they look legitimate?
• Hover over any attachment to see where the link goes. Does it look like a legitimate site?
• Are there misspellings and awkward grammar in the email?
• Are you being asked for a payment you don’t think you owe?
• Are you being threatened with legal action or penalties if you don’t immediately take action?

If you aren’t sure whether links or attachments are legitimate, it’s best to avoid clicking on them. And even if a message seems to be from a company you do business with, it’s a good idea to go to the company website to log in rather than using a link in the email. 

It’s also important to know that most financial institutions and government agencies will not request personal information through emails, texts or other messages.

How to help protect yourself from phishing attempts 

Your email spam or junk mail filters may keep some phishing emails out of your inbox, but as scammers and hackers constantly try to get past those filters, you might consider some other ways to help protect yourself from phishing scams . These might include:

• Installing security and anti-virus software on your computer, and setting it to update automatically so it will combat any new threats. You can also set automatic updates for apps or software updates on your mobile phone.
• Enabling multi-factor authentication. This might mean adding a passcode sent to your phone or a fingerprint or facial scan in addition to your username and password. This extra step can make it harder for scammers to access your accounts, even if they have your username and password.

Help! I’ve been phished! 

If you clicked on a suspicious link or attachment, here are some steps you can take: 

• Disconnect your device from the internet as quickly as possible. Unplug the internet cable or disconnect it from your WiFi network. This may help reduce the risk of malware spreading to other connected devices and may prevent a hacker from remotely accessing your device.
• Back up your files to an external hard drive, USB drive or cloud storage in case your data is destroyed or deleted. 
• Run a scan using your anti-virus or security software. You should be able to run the scan even if you aren’t connected to the internet. If you entered any personal information, such as a password, use an uncompromised device to change that password on any accounts.
• If you entered a credit card or bank account number, contact your credit card company or financial institution.
• Report the fraud to the Canadian Anti-Fraud Centre.

You may also want to consider adding an Identity Alert or a Fraud Warning to your Equifax credit report. 

With an Identity Alert, you can choose to add a personal statement to your credit report, and must provide a phone number. If you live in Manitoba or Ontario and are applying for credit, this alert requires lenders and creditors to call you and verify your identity before extending credit. If you live elsewhere in Canada and are applying for credit, lenders and creditors are encouraged – but not legally required – to call you before extending credit. 

A Fraud Warning is only available to confirmed victims of fraud, including identity theft. This special statement added to your credit reports will also include a phone number to encourage (but not legally require) lenders to call you before extending credit. 

Please note that an Identity Alert or Fraud Warning must be placed separately on your Equifax and TransUnion credit reports.