“Help… I need to change my hotmail password – I can’t see where you do that, can you tell me pls???” I received this text from my mother recently.
Many of you may sympathize with this: having once helped re-program the time on the VCR when I was 10, I am now the default technical support contact for my whole family when it comes to anything that has electricity running through it. So, on the face of it, getting asked to show her how to do something on a website is one of those requests that I expect to receive. This time I was worried, though. The reason I was worried was that in her text she said she “needed” to change her password, not that she “wanted” to.
Prioritizing this as an urgent support case, I phoned my mother and said “What have you done?” A pretty abrupt question, you may think, but when it comes to the Internet, my mother will be the first to concede that she does some pretty silly things online, so it was best we got to the root of the issue as soon as possible.
“Well Tom”, she said, “I phoned a help line about my Kindle, and this was so stupid of me, but during the conversation I gave the person on the other end of the line my username and password”. My mother had fallen prey to a phishing scam.
Phishing is where someone attempts to acquire information such as usernames, passwords or credit card details, in order to benefit – financially or otherwise – from that information. It is an ongoing and growing problem. Phishing attacks are increasing by an average of 22% each year and are thought to cost brands over $70bn a year.
What had happened to my mother was pretty typical of a phishing scam. She had broken the screen on her Kindle, visited Google and searched for “Kindle help”. Mistaking the ads that Google run at the top of the page for search results, she clicked on the first result that contained her keywords. Unfortunately for my mother, this did not take her to an Amazon site, but to another professional-looking site which talked about the Amazon Kindle and gave her a premium phone number to call for help. She phoned and spoke to a very knowledgeable person who guided her through a number of steps to see if there was anything they could do to help (a nice little earner on a phone line that costs over £1.50 a minute!). And it was during this call that she disclosed her username and password details.
However, the keen-eyed among you will have noticed in my text that my mum asked how to change her “hotmail” account password, not her “Amazon Kindle” account. Unfortunately my mum thinks all of her accounts are the same online, because she uses the same e-mail address and password to access them. As scammers know that people reuse their usernames and passwords on different accounts, it meant the accounts that she hadn’t changed the password on were also now vulnerable, including her Amazon account where her credit card details were stored.
So we went through a list of the accounts she may have registered and quickly went to change her password on all of these sites. As an extra precaution we also cancelled the credit cards registered on any of those sites, just in case that information had been compromised. (In fairness to Amazon, they hid my mother’s credit card details very well, but that’s not true of all online accounts.)
As a consumer there are a number of things you can do to protect yourself online so the fraudsters don’t have a chance:
- Never give your username, password or security details out over the phone.
- Always use the real search results to access online services rather than advertisement links based on your keywords.
- Never click on links in e-mails, instant messages or chat if you suspect the message may not be authentic or you do not recognize the sender.
- Always ensure you are using a secure website when submitting account or credit card information. Look in the address bar – is the bar green or does it contain a padlock? If so, click on it and look at the details.
- Check the website address. Does the web address look correct? Check to make sure you haven’t made a typo.
But as you can see from this story, my mother didn’t know to do this, and therefore fell victim to a scam. This story is not only an important lesson for consumers, but for brands too, as it is just as important for brand owners to be proactive and to protect their brands online from fraudsters before their customers and brands are compromised.
My mother was lucky to come out from this scam pretty much unscathed... well, except for the £30 phone call. And as a thank you she also took me out for a meal. I had the fish.
Written by Tom Webb, Product Architect at NetNames
8 October 2012