
Password Phishing Scams: How To Avoid Them

Our digital-everything world comes with convenience, efficiency and fun, but it also comes with risks. For Cybersecurity Awareness Month, we’re providing information about phishing attacks so you can protect your personal and financial information.

Chances are you have online accounts for just about everything: shopping, banking, work, credit cards, health care, and entertainment. All these accounts contain sensitive information that you want to keep safe. Scammers know that if they can log in to your account, they can steal your personal information, money and identity, and they have figured out inventive ways to do it.

We'll describe some of the current phishing scams and how they work, and give you tips for protecting yourself against attacks.

What Are Password Phishing Scams and How Do They Work?

Phishing attacks wear disguises. Attackers often pose as people or organizations you've interacted with or that sound official, such as businesses, government organizations and trusted service providers.

Scammers will contact you through emails, phone calls, voicemails or text messages with an offer that sounds too good to pass up, or a threat to discontinue a service you rely on if you don't respond right away. The message often contains a link that prompts you to enter your username and password, or that launches malicious software giving scammers access to your data.

If scammers contact you by phone, they often try to convince you to give them account information or authentication codes.

Common Password Phishing Scams and Tips To Protect Yourself

Phishing attacks take many forms. Here are a few common methods scammers use to steal your personal information and some tips to help you protect yourself.

Fake Password Resets

One type of attack scammers use is a fake password reset message. These types of attacks aren't new, but they continue to be common because they are so successful.

In these types of attacks, a scammer will call you or send a phishing email or text telling you that you must reset your password or provide information to verify your account. They will often pretend to be big brands such as Microsoft or social media platforms like Facebook.

In one recent scam, business executives were targeted with phishing emails that appeared to be from Office 365. The emails said the account passwords were set to expire. Users unknowingly entered their login credentials, which hackers could sell and use to send out more phishing emails.

How To Protect Yourself:

  • Never give passwords or authentication codes to callers.
  • Only reset your password if you initiated the reset. Companies typically won't email you links to reset your password without you requesting it. When in doubt, go directly to the website, not through the email or text link, and reset your password there.
  • Look carefully at the email address of the sender. Make sure it's spelled correctly. Mouse over the email to make sure the address that pops up is the same as the address you see in the sender field.

Fake Package Tracking Alerts (Text or Email)

In this type of phishing or smishing (SMS) scam, attackers send email or text alerts claiming to have tracking information about a package, or that a package is waiting to be delivered. They say they will provide the information after you enter personal information or payment. Usually, the message tries to lure you into providing a username and password or credit card number. In other cases, the scammers will try to convince you to click on a link that installs malware.

The U.S. Postal Service Office of Inspector General recently alerted postal service customers to a campaign in which scammers sent phishing messages claiming to have postal tracking information about packages. FedEx and UPS have also cautioned their customers about these scams.

How To Protect Yourself:

  • Watch out for this type of scam as holiday shopping and shipping season approaches.
  • Look at links in text and email messages to make sure they match the web address of the package carrier service. If you're not sure, don't click the link. Open a new browser window, log in directly to the website and enter your tracking number there.

Texts Offering Fake Rebates and Prizes

Prizes, refunds and rebates can be hard to resist. In one type of phishing attack, scammers send phony text messages offering to send you money if you click a link where you'll be prompted to log in or enter your banking information.

These messages often create a sense of urgency by telling you the offer is for a limited time only.

A few recent fake prize scams pretended to be from Hulu, Verizon and AT&T.

How To Protect Yourself:

  • Assume that if a prize is too good to be true, it probably is.
  • Pause for a moment, especially if you have to "act now" to get money deposited into your account. Most reputable companies give plenty of time to communicate a special offer or discount, and they won't ask you to log in and provide your account number.
  • Look closely at links before you click on them. Make sure there are no spelling errors, and the links match the company website.
  • When in doubt, go straight to the website and see if the special offer or contest is advertised there.
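
The link check from the package-tracking and rebate tips above (the link must match the company's web address, with no spelling errors), as an added Python example that is not part of the original article. The official-domain list, the function name `check_link` and the sample links are assumptions constructed for illustration.

```python
import re
from difflib import SequenceMatcher
from urllib.parse import urlsplit

# Assumption: domains copied from the carriers' own sites, never from a message.
OFFICIAL_DOMAINS = ("usps.com", "fedex.com", "ups.com")


def check_link(url, official=OFFICIAL_DOMAINS):
    """Return (verdict, reason); verdict is 'matches' or 'suspicious'."""
    try:
        parts = urlsplit(url.strip())
        host = (parts.hostname or "").rstrip(".")
    except ValueError:
        return "suspicious", "malformed address"
    if parts.scheme != "https" or not host:
        return "suspicious", "not an https web address"
    if parts.username is not None:
        # Text before '@' is a login name, not the site; the host follows it.
        return "suspicious", f"destination is {host}, not the text before '@'"
    labels = host.split(".")
    if not host.isascii() or any(l.startswith("xn--") for l in labels):
        return "suspicious", "host name contains non-ASCII lookalike characters"
    for domain in official:
        if host == domain or host.endswith("." + domain):
            return "matches", domain
    # Near misses: a brand name placed inside another domain, or a misspelled
    # name (the label before the final suffix is compared with each brand).
    tokens, second = re.split(r"[.-]", host), labels[-2] if len(labels) > 1 else host
    for domain in official:
        if domain.split(".")[0] in tokens:
            return "suspicious", f"uses the name '{domain.split('.')[0]}' but is not on {domain}"
    for domain in official:
        if SequenceMatcher(None, second, domain.split(".")[0]).ratio() >= 0.8:
            return "suspicious", f"looks like a misspelling of {domain}"
    return "suspicious", "host is not an official domain"


# Constructed sample links, not taken from any real message.
SAMPLES = [
    "https://www.fedex.com/tracking",
    "https://usps.com.track-pkg.example/confirm",
    "https://ups.com@parcel-status.example/t",
    "https://fedexx.example/tracking",
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(link, "->", *check_link(link))
```

Only the end of the host name decides where a link goes, which is why a familiar name at the start of the address proves nothing.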

Fraud Alert Phishing Attacks

In this phishing scam, criminals impersonate financial institutions or credit card companies with text alerts about fake fraud attempts. These types of scams play on the fear of exactly what the scammers are trying to do: gain illegal access to your accounts and drain your funds.

Scammers have targeted BECU members with this type of phishing scam.

How To Protect Yourself:

  • Never provide your online banking user ID or password. A legitimate credit union or bank won't ask for this information via text, email or by phone.
  • Don't click links in text messages to respond to a fraud alert. Financial institutions won't ask you to log in from a text.
  • Contact your financial institution directly by phone or through your online account about any fraud alerts or threats to your account.

Disaster Phishing Attacks

Scammers prey on vulnerable people during hard times — even during a pandemic. In some COVID-19 scams, attackers send phishing messages posing as government agencies telling would-be victims to sign up or log in to receive stimulus payments or tax credits, or tell them they need to fix a problem with their account to receive payments.

In another recent COVID-19 scam, attackers are playing on fear about the disease and peddling fake cures or soliciting fake donations to help sick people. Don't take the bait. These are attempts to gain access to your personal information.

How To Protect Yourself:

  • Beware of messages that prompt you to apply for benefits. For stimulus payments and tax credits, the first step, if you're eligible, is to file your taxes.
  • Don't respond to email or text messages promising cures or treatment for COVID-19.
  • Consult your medical provider about COVID-19 prevention and treatment.
  • Don't respond to email or text messages soliciting donations.

Unsecured Public Wi-Fi

Heading to the local coffee shop to get a little work done on your laptop seems convenient, but if you're using an unsecured Wi-Fi network, you're leaving yourself vulnerable. Scammers can eavesdrop by intercepting data as it moves between your computer and the wireless network. Once they're in, they can target you with phishing attempts, use your account to send phishing messages to others, or gain access to your accounts directly.

How To Protect Yourself:

  • Never enter banking passwords or sensitive information over unencrypted public Wi-Fi.
  • Disconnect your Bluetooth if you're not using it.
  • Don't shop online on an unsecured network. Attackers can potentially intercept your login credentials for the site you're shopping on and access your payment information.
  • Use a VPN (virtual private network) to create a secure connection over an unsecured public Wi-Fi network.

3 Tips To Protect Against Password Scams

Although attackers are finding new and creative ways to steal your personal data, there are a few steps you can take to improve your overall security online.

Use a Password Manager

Creating and updating passwords — and remembering them — is a chore, and if you're not on top of it, you could be putting yourself at greater risk. For example, if a password you use everywhere is compromised in one account, all of your accounts become vulnerable.

Using a password manager that creates randomly generated passwords can make the task easier and will likely do a better job of keeping your accounts safe than you can on your own.

PCMag has reviews of password managers in several categories.

If you decide to manage your passwords without a service, be sure to create strong passwords and change them frequently.

Change Your Email and Bank Passwords Often

If you've been using the same password for your email and online banking account, it's time to change them both, and then set up a schedule to change them frequently. This reduces your exposure to risk.

Only respond to password change messages if you initiated them. Remember that legitimate organizations won't text, email or call you to ask you for this information.

If someone calls you asking for the authentication code you just received to help you log in, don't give it to them. It's likely a scammer who has intercepted your data.

Use Hard-to-Guess Security Questions

As a secondary layer of protection, many websites require you to choose security questions and answers.

WIRED magazine calls security questions "problematic" and a "weak link" because the answers are too easy for scammers to guess.

If you are required to rely on security questions, choose questions whose answers can't be Googled.

If you're having trouble finding a security question that doesn't have an easy-to-discover answer, WIRED recommends against answering the security question honestly.