Updated: July 20, 2020
A friend got his Facebook account hacked. Although he was able to recover it after a few days, he’s worried that it might happen again.
When I asked him how his account got compromised in the first place, he suspects that he might have been a victim of a fake website. Or in other words, he fell into a phishing scam.
What is Phishing?
Phishing refers to the deceptive and fraudulent act of obtaining personal information from an individual. The intent is to use that information to steal or extort money from the victim.
Phishing normally happens online, through email, instant messaging, and fake websites. These are used to get bank account information, credit card numbers, passwords, and other log-in credentials.
Types of Phishing
There are many kinds of phishing attacks. Below are the most common kinds that you might encounter as a consumer.
Victims normally receive an email claiming that they need to log in to their bank or social media account. For convenience, the email includes a link to the log-in page.
However, that link instead goes to a fake website that looks exactly like the real one. When the victim logs in, their username and password are compromised.
Victims can also receive file attachments, either via email or instant message. When the attachment is opened, malware (malicious software) can install itself on the computer or mobile phone.
The malware can then search the device for personal information and send it to the scammer whenever the device is connected to the Internet.
Most of the time, these emails or instant messages come from a stranger. However, it is now more common to receive them from a known contact or friend, who has most likely been victimized as well.
Do you like taking online quizzes? How about going to websites that require you to “log in with your Facebook account” first before you can access a page?
These websites can maliciously gather information about you, which can then be used to work out your password and other personal credentials.
Phishing can also happen offline. You can receive calls from someone pretending to be your bank, who will then ask for your credit card number or other financial information under the guise that it’s for “security checking”.
You can also receive news that you’ve won a raffle and need to give your personal information to claim the prize. Little do you know that that data will later be used to hack into your bank or social media accounts.
How to Prevent Phishing
Here are six tips that will help you avoid becoming a victim of phishing.
1. Never give your password or ATM PIN to anyone.
Phishing emails often ask you to reply quickly with your bank details or credit card number. They may also contain a link to a “phishing page” or “pop-up window” where you have to fill in your account number, ATM PIN, or online banking password.
Your bank will never ask you for your password or PIN. So ignore anyone who asks you to give them out. They’re guaranteed to be a scam.
2. Never share sensitive information anywhere.
Your birthday, your mother’s maiden name, the name of your first pet, etc. — these are often used by websites as security questions for your account. Thus, it’s best to never share them online.
And please, don’t use them as your password either. I’ve already pranked a couple of friends by logging into their Facebook accounts using their wedding dates.
3. Never use the same password for all your accounts.
Make sure to have different passwords for each online account that you have. And be sure to change them regularly, at least once a year.
If you’re not good at remembering passwords, you can simply choose a “main key phrase” and then add a prefix and a suffix to make it unique.
For example, let’s say that your motto in life is “Time is gold”. This is now your main key phrase. Prefix your age and add the website name as your suffix. Use a dash as the space or separator. And that’s your password!
So assuming that you’re 30 years old, then your Facebook password will be “30-time-is-gold-facebook”; for your Gmail account, it will be “30-time-is-gold-gmail”; for your BPI online account, your password will be “30-time-is-gold-bpi”; etc.
Next year, when you turn 31, just update all your passwords again. You can spell out your age instead of using numbers. Or maybe use the age of your child.
4. Type the website directly.
Emails can be spoofed. Links can be masked. There are many ways to fool you online and make you believe that you’re on the correct website.
My personal strategy is that I never click those links; I always type the website address directly into the browser when I want to go there.
Just be sure to check your spelling before hitting enter. You can also bookmark the websites for faster access, or use their official apps to log in to your account on your mobile phone.
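The fake-website trick described under “Types of Phishing” and the masked links mentioned here both rely on the difference between the address a link shows and the address it actually opens. The script below is an added example, not part of the original post: it scans the HTML body of a constructed sample email (invented for this example; the “example-bank.com” hosts and the trusted-host list are assumptions) and flags links whose visible text points somewhere other than their real destination, links that bury a trusted name inside a different domain, and simple lookalike spellings such as a digit “1” in place of the letter “l”.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: the HTML body of a pretend phishing email (not a real message).
SAMPLE_EMAIL_HTML = """
<p>Dear customer, please verify your account:</p>
<a href="http://login.example-bank.com.verify-now.example/">https://www.example-bank.com/login</a>
<p>Or visit our help centre:</p>
<a href="https://www.example-bank.com/help">help centre</a>
<p>Unsubscribe <a href="https://www.examp1e-bank.com/unsub">here</a></p>
"""

# Hosts the reader has confirmed as legitimate (an assumption for this example).
TRUSTED_HOSTS = {"www.example-bank.com", "example-bank.com"}

# Common character swaps used to build lookalike domain names.
LOOKALIKE_MAP = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s"})


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current_href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current_href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._current_href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._current_href is not None:
            self.links.append((self._current_href, "".join(self._text).strip()))
            self._current_href = None


def host_of(url):
    """Lower-cased host name of a URL; bare host names are accepted too."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    return (parsed.hostname or "").lower()


def registered_domain(host):
    """Crude registered domain: the last two labels. Real code would use the public suffix list."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def classify_link(href, text, trusted_hosts=TRUSTED_HOSTS):
    """Return the reasons a link looks deceptive; an empty list means nothing was found."""
    reasons = []
    actual_host = host_of(href)
    actual_domain = registered_domain(actual_host)
    brands = {registered_domain(h) for h in trusted_hosts}

    # Check 1: visible text that looks like a URL must lead to the same registered domain.
    if "." in text and " " not in text:
        shown_host = host_of(text)
        if shown_host and registered_domain(shown_host) != actual_domain:
            reasons.append(f"text shows {shown_host} but the link goes to {actual_host}")

    # Check 2: the real destination. Subdomains of a trusted domain are accepted here.
    if actual_domain in brands:
        return reasons
    before = len(reasons)
    for brand in brands:
        if brand in actual_host:
            reasons.append(f"{actual_host} embeds the trusted name {brand} inside another domain")
        elif actual_domain.translate(LOOKALIKE_MAP) == brand:
            reasons.append(f"{actual_host} is a lookalike of {brand}")
    if len(reasons) == before:
        reasons.append(f"{actual_host} is not a trusted host")
    return reasons


def scan_email(html, trusted_hosts=TRUSTED_HOSTS):
    """Map each suspicious href in the email body to its list of reasons."""
    collector = LinkCollector()
    collector.feed(html)
    findings = {}
    for href, text in collector.links:
        reasons = classify_link(href, text, trusted_hosts)
        if reasons:
            findings[href] = reasons
    return findings


if __name__ == "__main__":
    for href, reasons in scan_email(SAMPLE_EMAIL_HTML).items():
        print(href)
        for reason in reasons:
            print("  -", reason)
```

Run against the sample, the first and third links are flagged and the genuine help-centre link passes. The registered-domain helper is deliberately simple; for real mail it should be replaced by a public-suffix-list lookup, and the script is a reading aid for understanding why hovering over a link (or typing the address yourself) matters, not a substitute for a mail filter.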
5. Use 2-factor authentication when available.
Some websites, such as Gmail and Facebook, offer a security option in which you receive a text message or email code that is required to log in to your account. This way, even if your password is stolen, it can’t be used because the thief doesn’t have your phone.
6. Avoid using public wi-fi when accessing sensitive information.
There are many places that offer free WiFi. Never log in to your online bank or primary email account when connected to these untrusted public connections.
When it’s necessary for you to go online, use your own mobile data instead. It may cost you, but it’s better to be safe than sorry. Connect to free public WiFi to browse websites, play games, or watch videos, but never to do personal and sensitive tasks.
My friend remembers logging into his Facebook account on the public computer at the gym. He suspects that’s how he got hacked. And now he knows better.
If you or someone you know becomes a victim of phishing, be sure to call the bank immediately, or contact the customer support of the online account to ask for assistance.
Don’t panic. Change the passwords and PINs on your other accounts to secure them. Lastly, inform your friends on social media about it, so that they can avoid being victimized by anyone who might pretend to be you.