Phishing scams are getting more devious. Here’s how to outwit them

I received an . . . ahem . . . interesting email message in my Gmail inbox this morning, thanking me for my PayPal transaction of $579 for two years of antivirus software that was being shipped to me UPS priority overnight.

It was so painfully full of red flags indicating that it was a phishing scam out to steal my money that I thought it interesting that Gmail didn’t catch it and prevent it from reaching my inbox at all. So I decided to investigate a bit.

Now, there are a few ways that cybercrooks attempt to hook people via emails such as these—some are a bit more straightforward than others.

The first is to send you a “poisoned attachment” and convince you to run it. It may look like a document but actually be a program in disguise. Once you run it, it installs malware or ransomware on your computer.

Good email services are generally pretty adept at weeding these out, but this method is still in use today. It’s a bit lazy, often labeled as a “spray and pray” scam: send out as many emails as possible and hope that a handful of people fall for it.

The second is “credential theft.” These emails don’t contain poisoned attachments, but often contain links to fake websites that look and feel just like the real thing.

The email I got could have leveraged this approach: “Hey, you spent $579 on $99 software. Click here to log in and dispute the charge.” If I made the mistake of clicking, I would get sent to a phony landing page that looked just like the PayPal login page where I would enter my PayPal username and password. Instead of logging into PayPal, though, my credentials would be sent straight to the crooks.

The challenge for scammers with this approach, however, is that when they tried to use my credentials to log in, PayPal would likely notice “me” trying to log in from the other side of the world and send a code to my email address or phone number to verify that it was really me. Without that code, a scammer couldn’t get into my account.

This is where phone scams come into play. The email I received has no links to click on: just a phone number to call in order to dispute the charge. Indeed, it’s featured three times throughout the phony invoice.

I called this number and was connected with a very helpful “PayPal customer service agent” who offered to log into my PayPal account on my behalf to see what was going on.

He asked for my username and password, and advised that I’d probably be sent a secondary code, which I should relay to him so that he could access the account. And that’s when I hung up.

How to outsmart phishing scams

On a scale of one to brilliant, the PayPal scam that tried to ensnare me ranks around a five or six.

It looked reasonably official, they’d gone through the trouble of setting up a phone system, and instead of a too-good-to-be-true message saying I’d won the lottery, it played upon the emotions I’d feel at the prospect of losing almost $600.

Drilling down into the aforementioned red flags, the first one is that a quick Google search reveals PayPal’s customer service phone number isn’t the same as the phone number in the invoice. If you’re ever asked to call some sort of customer service line, look up the number on your own to see if it jibes with the number in the email.

The rest of the red flags are things like two years of antivirus costing $579—which is insane—being supposedly shipped from a person in Florida instead of downloaded directly from the company itself. But before I even got to that, the phone number gave it away immediately.

Had this been a credential theft with a link that led to a phony login page, my advice is similar. Don’t click the link in the email: instead, navigate to the site in question.

And finally, be on the lookout for “spear phishing.” It takes phishing scams to another level by sending you email that appears to be from someone you know.

These are more targeted scams that require crooks to do a little background research on you in order to find out, say, who your boss is, or what your spouse’s name is.

This type of scam is easier to fall for since it appears to be coming from a legitimate source. Never send usernames and passwords over email and if the request appears to be urgent, pick up the phone and call or text the person to make sure they’re actually the ones sending the emails.