Phishing

Phishing (FISH-ing) refers to a scheme cybercriminals use to trick an individual into clicking a malicious link or revealing personal information. Cybercriminals “phish” for information by sending fraudulent emails where they impersonate a bank, service provider, or another institution asking for account numbers, passwords, or other personal financial information.

Cybercriminals send emails that appear to be from a legitimate institution, often financial institutions. These emails typically ask users to supply their credentials and account information through a malicious website link or a simple reply. The techniques vary, but in most cases, the email uses warnings to drive users to supply credentials or accounts without first confirming the email.

Once cybercriminals have your information, they can commit direct theft or use it to steal your identity and commit other fraudulent activities.

Phishing doesn’t always happen over email. Cybercriminals may attempt to steal information via text messaging, voice calls, or social media. Be skeptical of suspicious messages on any platform.

Unless you are 100% sure that a particular message is legitimate, proceed with caution. Do not click links in emails you find suspicious. If you suspect the email is legitimate, open the company’s website independently in a new browser. Once logged in, reputable companies will post important notifications to your account. Thrivent will not ask you to verify your credentials via email. Never supply your username, password, or account information in a reply.

You can always use the old-fashioned way—pick up the telephone and call the company's customer service, explain the email, and verify if the message is legitimate.

The best way to protect yourself from phishing attacks is to stay diligent and know the indicators. Ask yourself the following if you receive a suspicious email.

Check the sender’s email address. Does it match the sender’s name and company?
Hover over links before clicking on them. Does the URL match the expected destination?
Is the message full of misspellings and bad grammar?
Is the message urgent in nature?
Is the sender asking you to supply personal information?
Is the request strange or abrupt?

Longer passwords or passphrases (sentences such as “I have a purple dog”) are harder to guess or crack. Use a variety of character types (numbers, letters, symbols) in the passphrase. Don’t reuse the same passwords for email accounts, social media sites, or financial sites. Change your password when it has been compromised.

Many websites will allow you to enable multi-factor authentication for additional security measures. This will send a push notification to a trusted device to verify your identity before logging in.

Download the latest web browser for your system and keep it patched. The latest generation web browsers come with built-in phishing protection. These browsers analyze websites and compare them against known or suspected phishing sites to warn you if the site you are visiting may be malicious or illegitimate.

Know what signifies secured websites, and where to find these indicators within your browser. Typically, there will be a lock symbol in the search bar. Be skeptical of any site that triggers browser warnings.

Know when your statements arrive and analyze them closely for transactions you can't account for. If you find problems, contact the company or financial institution immediately.

If you receive emails that are part of a phishing scam, or even seem suspicious, and are targeting a financial institution or company you work with, report it to them.

In addition, you can report suspicious activity to the Internet Crime Complaint Center at www.IC3.Gov or to the Federal Trade Commission (FTC) at www.ftc.gov.

If you discover that you have responded to a fraudulent email, contact the company or financial institution immediately so they can help protect your account and identity. Change your online account passwords immediately.

For more information on phishing or identity theft, go to www.antiphishing.org or staysafeonline.org. Each year, phishing con artists convince 5% of the public to fall for their scams. Make sure it's not you.