Well, I knew it would probably happen to me sooner or later, and it did. I have been phished! If you’re unfamiliar with the term phishing, it simply means scamming someone into handing over his/her personal information, credit card or bank account numbers, or user names and passwords using any number of nefarious methods.
These days the most common (and most effective) way of phishing for sensitive information is via email. The scammer simply sends out a flood of emails that are designed to look like they were sent from legitimate companies requesting that the recipients log in to their accounts (PayPal, bank, credit union, eBay, etc.) to update their personal information.
But instead of the targeted company’s real website, the authentic-looking link in the email takes them to a non-functional replica site – a fake site – that captures the unsuspecting user’s login details. The scammer then uses that login information to log in to the victim’s real account and clean it out or do other serious damage.
Another common ploy (the one that I fell for) is to set up a fake website at a domain that is very similar to that of a legitimate website. Careless users (I’m kicking myself now) mis-type the real domain name and end up on the scammer’s site instead.
In my case, I was attempting to log in to godaddy.com in order to renew a couple of expiring domains. Instead, I accidentally left off the leading “g” which sent me to a site named odaddy.com. Check it out for yourself if you want – just type www.odaddy.com into your browser’s address bar and you’ll see a website that looks exactly like www.godaddy.com.
The scary part is I would never have even noticed that I wasn’t on the real godaddy website if I hadn’t just happened to glance at the address bar and notice that it read www.odaddy.com instead of godaddy.com! Luckily, I did notice, and I logged into my account on the real site and immediately changed my password.
I have always been very careful to avoid being phished, but the scammers are extremely adept at their craft and it’s really easy to fall into their traps. Here are a few tips that might help you avoid falling victim to a phishing scam yourself:
1 – Never, ever click a link in an email that claims to have been sent by a legitimate company that requires a login to access your account. Instead, type the company’s URL into your browser directly or click on a known good bookmark and log in from the website’s home page. These phishing emails typically look quite authentic and they are designed to create a sense of urgency and an immediate call for action. Always simply ignore their links and log into your account directly!
2 – Be especially careful when typing in URLs. A simple typo in a domain name can leave you in a whole heap of trouble if you don’t catch it. (Can I stop kicking myself now? It’s really starting to hurt!)
3 – Virtually all websites that collect, store, and/or share sensitive information are hosted on a “secure server”, and if the URL in the address bar starts with the usual http:// instead of https://, you are almost certainly on a fake website. You should also see a little icon that looks like a padlock somewhere near the address bar indicating that you’re on a secure site.
4 – Always remember that the IRS NEVER notifies taxpayers of unclaimed refunds via email. Yes, that’s NEVER. If you receive an IRS email notice explaining that you need to log in to some account to claim an unexpected refund, send it directly to the trash can. It is guaranteed to be a scam, each and every time!
Well, I consider myself pretty lucky. Even though I fell for an easy-to-avoid phishing scam, I noticed it quickly enough to log into my real account and change my password before the scammer had time to perform his/her dirty deed(s). I’m breathing a bit easier now, but I need to go take something to ease the pain in my sore leg.
Stop kicking your leg, you have probably kept some of us from doing the same thing. Thanks for the warning.