If you think tax season is loads of fun, consider for a moment the joy scammers and con artists get this time of year.
There you are, all vulnerable with your W-2s, 1099s and itemized deductions, just hoping this year something magical will happen to ease your tax burden. Maybe, at the height of your hope or depth of despair, you click an email that promises to deliver that unicorn.
Only, it’s not a unicorn. It’s not even a donkey wearing a party hat. You’ve just joined the other one-third of Americans who have experienced identity theft.
It happens fast. Scammers play on emotions like fear or excitement to convince you to act against your better judgment. All it takes is a click on the wrong link or email attachment to give scammers access to your most sensitive information.
Before you’re even aware, that click opened the door for malware to infect your computer. The trick is called phishing, and the malware it delivers can take many forms—ransomware, spyware, adware and viruses—but they all end up compromising your pocketbook, your identity, or both.
According to the FBI, Americans lost nearly $30 million in 2017 to phishing scams. Here’s what you need to know to protect yourself.
What is phishing?
Phishing scams are attempts by scammers to get unsuspecting consumers to reveal sensitive personal information like a Social Security number, date of birth, or login credentials to a financial or credit card account, which they can use to open lines of credit, make purchases or sell to other criminals.
How does it work?
In a typical email phishing scam, the sender poses as a legitimate organization, such as an online retailer, government agency (like the IRS) or credit card company. The scammer uses one of two main tactics—either offering something that seems too good to be true, or taking advantage of common fears.
How to spot phishing
Phishing emails and texts often look like they came from a company you know and trust, such as a bank, credit card company, online store or online payment website. The Federal Trade Commission recommends consumers be wary of emails from trusted organizations that:
- say they’ve noticed suspicious activity or log-in attempts to an online account.
- claim there’s a problem with your account or your payment information.
- say you must confirm some personal information.
- include a fake invoice.
- want you to click on a link to make a payment.
- say you’re eligible to register for a government refund.
- offer a coupon for free stuff.
In most cases, the differences are in the details. Sharpen your eagle eye and watch for these.
- Use caution if the “From” or “Reply to” email address doesn’t match the supposed sender’s public website address.
- Watch for misspellings and obvious mistakes in grammar. Most legitimate companies employ copywriters and editors who make sure their emails read correctly.
- Don’t open email attachments, even from sources you know, unless you’re expecting them. Be especially suspicious of .exe and .zip file extensions.
- Before clicking on any hyperlinks, hover over the linked word or phrase with your cursor. Wait for the web address to appear. If the address doesn’t match the description, don’t click it.
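The checks in the list above, sketched as an added Python example that is not part of the original article: it compares the From and Reply-To domains and each link's real host against the sender's public website, and flags .exe and .zip attachments. The function names, the sample message and its `.example` domains are constructed for illustration.

```python
from email.message import EmailMessage
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

def on_site(host, site):  # the site itself or a true subdomain, not a look-alike
    return host == site or host.endswith("." + site)

class LinkCollector(HTMLParser):  # records (real host, visible text) per <a> tag
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            host = urlparse(self._href).hostname or ""
            self.links.append((host, "".join(self._text).strip()))
            self._href = None

def check_message(msg, sender_site):
    findings = []  # warnings for a message that claims to be from sender_site
    for header in ("From", "Reply-To"):
        domain = parseaddr(str(msg[header] or ""))[1].rpartition("@")[2].lower()
        if domain and not on_site(domain, sender_site):
            findings.append(f"{header} domain is not {sender_site}")
    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        if name.endswith((".exe", ".zip")):  # extensions the article singles out
            findings.append(f"risky attachment: {name}")
        if part.get_content_type() == "text/html":
            collector = LinkCollector()
            collector.feed(part.get_content())
            for host, text in collector.links:  # host is what hovering reveals
                if not on_site(host, sender_site):
                    findings.append(f"link '{text}' goes to {host}")
    return findings

def sample_message():  # constructed sample, not a real email
    msg = EmailMessage()
    msg["From"] = '"IRS Refunds" <refunds@irs.gov>'
    msg["Reply-To"] = "claims@irs-refund.example"
    msg.set_content('<a href="http://irs.gov.refund-portal.example/claim">'
                    'www.irs.gov/refunds</a>', subtype="html")
    msg.add_attachment(b"PK", maintype="application", subtype="zip", filename="W2.zip")
    return msg
```

Calling `check_message(sample_message(), "irs.gov")` returns three warnings. The From address passes because it is easy to forge, which is why the Reply-To and link checks matter.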
How to prevent identity theft
- Subscribe to computer security protection from a reputable provider like McAfee, Norton or Kaspersky. These companies constantly scour the internet for new viruses and scams, and will keep your computer up to date to guard against fraud.
- Make sure your software programs are up to date. Companies will issue periodic updates that fix security holes and vulnerabilities.
- Watch your typing. Typo-squatting, the practice of buying website domains that are a keystroke away from legit sites, and then mimicking those sites, is another way phishers can dupe consumers.
- If your bank, credit card or other financial institution offers multi-factor authentication, use it. That means if you accidentally give up your password, or an algorithm guesses it correctly, there is a second barrier to protect your information. But if you’re not on the right website to begin with, even the savviest consumer could fall for tricks like being asked for a confirmation code sent to your cell phone.
- Back up your data. Google Drive and Microsoft OneDrive offer ways to sync your computer to their cloud storage servers, so if ransomware locks up your computer, your files are not lost.
- Remember that the IRS will not call to demand immediate payments or threaten you with arrest for not complying, and it won’t initiate contact by email, text messages or social media channels to request personal or financial information such as PIN numbers, passwords or similar information for credit cards, banks or other financial accounts.