Don't Get Hooked: How to Identify and Avoid Phishing Scams

Until recently, it was easy for Internet users to avoid phishing scams. Attackers sent emails from obviously fake accounts without bothering to make the content even seem believable. Over the years, however, they have stepped up their game, and these days phishing scams can be incredibly difficult to identify.

If 2017 has taught us anything (looking at you, Equifax), it's that we need to be more careful with our online safety. That’s why we want to show you how to avoid phishing scams. We’ll explain what they are, how to detect them, and how to avoid the headaches they cause so that your web browsing stays safe.

What is a Phishing Scam?

Phishing scams are the proverbial wolves in sheep's clothing of the internet. The name comes from the “bait” or “lure” used to trick unsuspecting targets. These scams are characterized by emails that purport to be from a known and trusted organization, usually linking to a website designed to look almost identical to that of a trusted company, known as a Spoof Site.

There, users are prompted to enter important personal information such as credit card numbers, social security numbers, and other credentials that can be leveraged for personal profit.

Sometimes the Spoof Sites will just ask for money directly. In all cases, however, once the target has fallen for the lure, the consequences to their bank account, credit score, company, job security, and peace of mind can be catastrophic.

How Many “Phish” are there in the Sea?

Cyber thieves are constantly honing their malicious craft, devising new ways to fool the public into accidentally revealing personal and profitable information. Some of the most common tactics online “Phishermen” use are spear phishing, clone phishing and whaling. Don’t worry, we’ll get to what those actually mean.

Spear Phishing

This type of phishing scam is one of the deadliest varieties, touting a 91% effectiveness rate. The reason behind its potency is the personalized nature of these email scams.

Oftentimes, they will include personal information about the target, adding to the illusion of the email and the spoof site's authenticity. Attacks like these might be employed when trying to get access to credentials an individual is known to possess, or when trying to obtain personal information pertaining to a high-profile target.

Clone Phishing

This type of phishing scam is as insidious as its name is futuristic-sounding. Using malware already inside of a system, attackers are able to “clone” an already delivered email from a legitimate source, and change some of the details within it to make them suit the scammers' purposes.  

Frequently, the email will claim to be an update or a correction to a previously received email, and will direct replies to an almost identical-looking email address. Clone attacks can be used not only to gain information from the recipient, but also as a vector into new machines.


Whaling

Those with the most money and information to give up are known as “Whales” in this type of phishing scam. The cyber scammers that specialize their efforts in going after executives, heads of corporations, politicians, and others in similar, top-tier positions are known as “Whalers”. In the same way that one would use different equipment to land a humpback than a tuna, so, too, do these scammers employ more refined and convincing versions of the traditional phishing tools to convince their titanic targets to relinquish their information.

Many times, they'll design executive-caliber letters purporting to be from either other parts of the company or regulatory bodies that express in well-written, official-seeming language a need for them to take immediate action against something that is of imminent concern to the corporation.

To compound the sense of urgency, many of the emails used in Whaling will pretend to originate from law enforcement agencies, such as the FBI, and state that a subpoena is contained in an attachment. However, in order for the attachment to be viewed, a separate program must be downloaded. Once that software is installed, criminals gain access to the executive's files, proving once more that, “Where there's a whale, there's a way.”

Link Manipulation

One of the tactics employed by phishing scam operators to convince their victims of the authenticity of the Spoof Site to which they link is the manipulation of the URL to make it resemble that of a trusted site.

URLs can be manipulated in a variety of ways, including using subdomains in order to fool site visitors into thinking that they are on another company's website.

Example of Link Manipulation

If a phishing scammer purchased a site domain called, “,” he or she could then create a subdomain for that site that would appear in the URL bar as “” Using this ruse, he or she could fool unsuspecting targets into believing that they were in the “Models” subsection of the “Mercedes” website, which just happened to be selling $10 convertibles in exchange for their credit card information, when, in reality, they were in the “Mercedes” section of a site called “”  

Other Link Manipulation Techniques

Another technique popular for its effectiveness is making the visible text of a link show the name of a known and safe location while, in the HTML, the link points to the scammer's malicious duplicate. Usually, hovering your cursor over a link will reveal the true address, but well-versed developers can disable this feature, as well.

Additionally, on mobile platforms, the lack of a cursor leaves users without recourse to inspect the validity of a link before clicking on it.
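The two link tricks described in this section (a trusted brand name placed in a subdomain of an unrelated domain, and anchor text that shows one address while the href points to another) can both be caught automatically before anyone clicks. The following is an added example, not code from the original article or from Eloan: it parses the anchors out of a constructed HTML email body and flags both patterns. The domain names are made up for the example, and the `registrable_domain` rule (take the last two labels) is a deliberate simplification; real tooling should consult the Public Suffix List.

```python
"""Flag deceptive links in an HTML email body (added example, constructed input)."""
from html.parser import HTMLParser
from urllib.parse import urlparse


def registrable_domain(host: str) -> str:
    """Return the part of a hostname that its owner actually registered.

    Assumption/simplification: the registrable domain is the last two labels,
    so 'mercedes.models-deals.example' -> 'models-deals.example'. Production
    code should use the Public Suffix List (e.g. for 'bank.co.uk').
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def brand_in_subdomain(host: str, brand: str) -> bool:
    """True when the brand appears only in the subdomain labels, never in the
    registrable domain: the 'Models section of Mercedes' ruse from the text."""
    host, brand = host.lower(), brand.lower()
    reg = registrable_domain(host)
    sub = host[: -len(reg)] if host.endswith(reg) else ""
    return brand in sub and brand not in reg


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host_of(value: str) -> str:
    """Hostname of a URL, or of bare text such as 'www.mercedes.example'."""
    parsed = urlparse(value if "://" in value else "http://" + value)
    return (parsed.hostname or "").lower()


def find_suspicious_links(html: str, brand: str):
    """Return [(href, reason), ...] for anchors that look deceptive."""
    collector = _AnchorCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.anchors:
        href_host = _host_of(href)
        if not href_host:
            continue
        # Trick 1: brand name hidden in a subdomain of an unrelated domain.
        if brand_in_subdomain(href_host, brand):
            findings.append((href, "brand only in subdomain of " + registrable_domain(href_host)))
        # Trick 2: the visible text is itself an address that differs from the real target.
        looks_like_host = "." in text and " " not in text
        text_host = _host_of(text) if looks_like_host else ""
        if text_host and registrable_domain(text_host) != registrable_domain(href_host):
            findings.append((href, "displayed host %s differs from link host %s" % (text_host, href_host)))
    return findings


# Constructed sample email body; all domains are fictitious.
SAMPLE_EMAIL = """
<p>Dear customer,</p>
<p>Your $10 convertible is waiting:
   <a href="http://mercedes.models-deals.example/convertible">Mercedes Models</a></p>
<p>Or log in at <a href="http://secure-login.example/acct">www.mercedes.example</a></p>
<p>Questions? <a href="http://www.mercedes.example/support">support</a></p>
"""

if __name__ == "__main__":
    for href, reason in find_suspicious_links(SAMPLE_EMAIL, "mercedes"):
        print("SUSPICIOUS:", href, "-", reason)
```

Run as a script it reports the first two links and stays quiet about the genuine `www.mercedes.example` support link, because there the brand sits in the registrable domain rather than in front of someone else's. The same hostname logic is what you apply by hand when you read an address from right to left: everything left of the registered domain is under the domain owner's control, whoever that is.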

Man-in-the-Middle Attacks  

As the name suggests, Man-in-the-Middle attacks place a malicious website or piece of software between the user and the website to which they intend to transmit their credentials. Though they operate in a variety of ways, some of the most common involve either using custom code to display a valid-looking address over the counterfeit one, or using software embedded in the original link to send users on to the real website while reporting back to the scammer whatever information the user entered.

Other Types of Attacks  

Phishing can also be carried out without using the internet at all. Phone phishing allows scammers to place calls pretending to be from law enforcement, business partners, family members, or other parties to which one might be willing to reveal personal information.

How to Avoid a Phishing Attack

It's basically the same way you avoid any attack: be prepared. Though phishing scammers are wily, inventive, and relentless in their pursuit of information and money, there are simple ways to avoid accidentally becoming another notch in their tally board.

Be Wary of Exaggerated Urgency

Phishing scammers like to increase panic levels to decrease scrutiny. As a consequence, their emails and web pages tend to convey an unrealistic sense of urgency that frequently threatens to bring harm to you, your loved ones, or your company in the event that their directives aren't followed. However, rest assured that law enforcement will never issue a warrant or a subpoena via email, and financial institutions will happily corroborate their electronic communications either over the phone or in person.

Call to Corroborate  

In the event that you're not certain whether or not law enforcement, a financial institution, or your family members really do need personal information from you, call them at the number that you have saved for them. Do not use the phone number provided in the email, as scammers may set up false numbers to corroborate the details of fake emails and Spoof Sites.

Type for Yourself

One simple way to inspect whether or not the information in an email is correct is to look up the company's webpage on your own, without using the links provided. If the information contained in the email is corroborated by a website for a major company, this might help to indicate the truthfulness of the email. Still, once more, if you feel uncertain, do not hesitate to call and make certain before giving out personal information.

Assess the Quality of the Webpage

Generally, top-end webpages for financial institutions, law enforcement, and other official entities are constructed by top-tier developers and checked time and time again before being released. Spelling and grammatical errors, as well as clumsy website design and antiquated layouts, could indicate that the webpage was constructed by a cabal of scammers, and not by the party it purports to represent.

Use Two-Factor Authentication

By enabling two-factor authentication (2FA), you'll make it so that even if a phishing scammer gets hold of your password, they will still need an additional piece of information, such as a code texted to your phone, in order to enter a protected zone.

Use Up-to-Date Security Software

Security software that is up-to-date stands the best chance of emerging victorious against the onslaught of phony emails and false websites used by phishing scammers. The older your software, the less likely it will be able to recognize emerging phishing scams, so update your security software frequently!

Click here for more preventative measures you can take to protect yourself from phishing scams and ensure safety in your online endeavors.

Don’t Act Before You Know

The easiest rule of thumb to follow is that if something feels strange about a website, it’s worth taking the time to follow your instincts and make sure that what you're being told is true.

When you interact with reputable, industry-grade institutions like, you can rest assured that your information will never be solicited over unsecured channels or through high-pressure tactics. If you suspect that you're being asked for information or money in a way that's not in accordance with how legitimate companies interact with their customers, call the number for them that you have on your contract details, or email them at the address found on their company page.

Visit and contact one of our representatives to learn more about our loan services and how we provide our clients with preventative measures against falling victim to phishing.

The information contained herein was prepared for general information and educational purposes only and should not be construed as professional, tax, financial or legal advice or a legal opinion on specific facts or circumstances. Eloan a Division of Banco Popular de Puerto Rico, its subsidiaries and/or affiliates are not engaged in rendering legal, accounting or tax advice. Please consult with your attorney, financial consultant/planner, accountant, and/or tax advisor for advice concerning your particular circumstances.