You’ve received an email claiming to be from some reputable service you use, telling you your billing payments are way overdue and your account is about to be closed. “Quick,” it says, “Click this link to sign in and re-enter your payment info before it’s too late!”
Don’t click that link! There’s a good chance you’ve just received what is not-so-affectionately known as a “phishing scam” - an attempt by a malicious party to steal your account information, your credit card number, even your identity. Sadly, these unsavory types are lurking out there waiting to bait you into giving away your personal information, but there are easy ways to defend yourself.
Don’t panic, don’t click anything phishy
Take a breath. When something’s not right, it’s easy to trust the first solution that gets offered your way. That’s the vulnerability phishers prey upon. They want you to panic. Panic leads to hastily clicking links. Panic leads to entering your account info on strange forms. Panic leads to the dark side.
Remember, if there’s a problem, clicking a link in an email won’t be the only way to fix it. Instead, it’s a good idea to log into your account separately and see for yourself what’s going on. Keep important login pages bookmarked so you’ll always have a safe link to click.
Always dive deeper
Ever notice how your mailbox will sometimes replace a person’s email address with just their name? Phishers can use that feature to trick you into thinking you’ve received an email from someone you trust. Some phishers can even make the sender’s email address look like it’s coming from an address you recognize - this is called “spoofing.”
To avoid falling into this trap, always verify the email sender. Some email providers, like Gmail, let you see the full address just by hovering your mouse over the sender. For providers without that feature, you’ll need to look at the email’s “message headers.” These are the lines at the top of the raw text of the email, showing the full sender address and the servers the message passed through. Each email provider has a different process for viewing message headers, so make sure you know how to view yours.
Similarly, it’s easy to disguise a link to look like it’s going to one location when it really leads somewhere else. On some browsers, hovering your mouse over the link will reveal where it actually leads. For others, you’ll need to right-click and copy the link, then paste it into a plain text document to see the actual destination.
If you have any reason at all not to trust an email, don’t click anything and don’t respond to it - reach out separately to your account’s support team to ask if it’s legit.
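The two checks described above (who really sent the message, and where each link really goes) can also be run on the raw text of an email. The Python script below is an added example, not part of the original article; the sample message and every name and domain in it are made up, and it assumes a simple single-part HTML email.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message: every name and domain here is made up.
SAMPLE = """\
From: "Example Shop Billing" <billing@examp1e-shop.test>
Reply-To: collect@other-host.test
Content-Type: text/html

<p>Your payment is overdue.
<a href="http://login.examp1e-shop.test/pay">https://www.example-shop.test/billing</a>
<a href="https://www.example-shop.test/help">Help center</a></p>
"""

class LinkCollector(HTMLParser):
    """Collect (visible text, href) for every <a> tag in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def host(url):
    # Hostname of a URL, tolerating link text such as "www.example.test/x".
    return (urlparse(url if "://" in url else "//" + url).hostname or "").lower()

def inspect_message(raw):
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))    # display name vs. real address
    _, reply = parseaddr(msg.get("Reply-To", ""))  # where a reply would really go
    parser = LinkCollector()
    parser.feed(msg.get_payload())  # assumes a single-part HTML message
    # Flag links whose visible text looks like a URL but names another host.
    bad = [(t, h) for t, h in parser.links
           if re.match(r"(https?://|www\.)", t, re.I) and host(t) != host(h)]
    return {"display_name": name, "from_address": addr.lower(),
            "reply_to_differs": bool(reply) and reply.lower() != addr.lower(),
            "mismatched_links": bad}
```

Calling `inspect_message(SAMPLE)` shows the friendly display name next to the address it hides, notes that replies would go to a different address, and lists the one link whose text and destination disagree.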
What to do if you clicked the link
Again, don’t panic! There’s work to be done.
If you clicked the link and nothing happened - no files were automatically downloaded to your computer, you didn’t enter any of your personal information - you’re probably fine. Close the page and go on with your day.
If you entered a password or credit card number, change that password and notify your bank so they can help you secure your account. If you think someone gained access to your account for any reason, also make sure your settings (like addresses or payment accounts) haven’t been changed.
How to fight back
The best way to thwart phishers is to pull the rug out from under them! Here are some quick steps you can take to help get them shut down:
- Take a screenshot of the email.
- Grab the full message headers per the instructions above.
- Send those details to the support team for the service they’re impersonating.
- Report the email to firstname.lastname@example.org or with your email provider’s built-in tools.
Beyond that, most services offer various security options to help defend against attacks. Some of these options, like Big Cartel’s Active Devices feature, are always active. Other features need to be set up, like Google’s 2-Step Verification. No matter how inconvenient entering your phone number may seem at the time, you’ll be glad you did it if anyone ever gains access to your account.
Caution is your best defense
The next time you receive a suspicious email, remember to pump the brakes, breathe, and start asking questions. No matter what answers you find, you’ll be the one in control.