Last fall, Facebook users began receiving an alarming email warning. "For security reasons, your account will be disabled permanently," said the email. To confirm your identity, the message—which was signed by the "Facebook Team"—instructed users to click on a link and log into what looked like a real Facebook page. 

But this email had nothing to do with Facebook. It was a phishing (pronounced “fishing”) scam, a form of identity theft in which hackers use fraudulent websites and fake emails to attempt to steal your personal data, especially passwords and credit card information. Phishing scammers send emails that appear to come from trustworthy sources such as a social media website or a financial service provider, and tell you that they need you to follow certain links in order to rectify some problem. Then they steal your data as you enter it, lock you out, and begin using your account to send more scam messages in your name.

Phishing attacks are happening everywhere. Online security firm Kaspersky Lab says it repelled nearly 800 billion attacks in 2015, almost 2 million of which were attempts to steal money from online bank accounts.

According to Fraudwatch International, a global online fraud protection service, some of the recent phished sites included Bank of America, PayPal, Chase Bank and Apple Store. Typical fake email alerts: “Westpac Bank—Your Account Has Been Blocked,” or “Apple Store—About your last Transaction.”

With tax season starting to ramp up, scammers have been targeting TurboTax users with fake subject lines such as “TurboTax Update: Resolve Account Issue Now” and “TurboTax—Important Notice” that urge users to open a fraudulent attachment.

Internet Service Providers (ISPs) are also now among scammers’ favorite phishing targets, surpassing the banking and financial services sectors during the first three quarters of 2015, reports the non-profit Anti-Phishing Working Group (APWG). Phishers like to break into ISP accounts so that they can send spam from those user accounts. ISP accounts can also contain other things that phishers want: personal identity information, credit card details, and access to domain name and hosting management.

The Best Defense

How can you protect yourself against phishing lures? Here's some advice:

  • If you aren’t 100 percent certain of the sender’s authenticity, don’t click on attachments or embedded links; both are likely to result in malware being installed. Instead, open a new browser window and type the URL directly into the address bar. Often a phishing website will look identical to the original, so check the address bar to confirm the address.

  • Similarly, never submit confidential information via forms embedded in or attached to email messages. Senders are often able to track all of the information you enter.

  • Be wary of emails asking for financial information. Emails reminding you to update your account, requesting you to send a wire transfer, or alerting you about a failed transaction are compelling. However, scammers count on the urgency of the message to blind you to the potential for fraud.

  • Don’t fall for scare tactics. Phishers often try to pressure you into providing sensitive information by threatening to disable an account or delay services until you update certain information. Contact the merchant directly to confirm the authenticity of the request.

  • Be suspicious of social media invitations from people you don’t know. According to Kaspersky Lab research, over one in five phishing scams target Facebook. Phishers rely on your natural curiosity to click on the person’s profile “just to find out who it is.” In a phishing email, however, every link can trigger malware, including links that appear to be images or even legal boilerplate. Once they have your account, scammers use it to send spam to your friends, because spam from a real account is more believable than spam from a fake one.

  • Watch out for generic-looking requests for information. Many phishing emails begin with “Dear Sir/Madam.” Some come from a bank with which you don’t even have an account.

  • Ignore emails with typos and misspellings. Recent real examples targeting TurboTax include “Your Change Request is Completeed” and “User Peofile Updates!!!”

  • Update and maintain effective software to combat phishing. Reliable anti-virus software should also automatically detect and block fake websites, as well as authenticate the major legitimate banking and shopping sites.

Mobile device users should be especially vigilant. Scammers increasingly design mobile-friendly pages; what’s worse, many browsers hide the web address bars, so it can be even more difficult to spot scams on a mobile device.