The SEC’s Office of Investor Education and Advocacy is issuing this Investor Alert to help educate investors about common scams fraudsters may use to compromise investment, financial, or other personal accounts. Investors should always take steps to safeguard their personal financial information (e.g., social security number, financial account numbers, phone number, e-mail address, or usernames and passwords for online financial accounts). These security tips can help ensure that your investment, financial, or other personal accounts remain secure.
What are Phishing, Smishing and Vishing?
Phishing, smishing, and vishing are types of scams where a fraudster tries to trick you into providing sensitive personal or financial information by posing as an entity you know or trust, such as an investment firm, bank, or some other personal service that you use. The main difference between these “ishing” scams is the method the fraudster uses to try to steal your information or carry out other attacks. Phishing generally involves the use of e-mail; smishing involves the use of text or other types of direct messaging (e.g., messaging apps in various social media platforms); and vishing involves phone calls.
What type of information do these scammers want and why do they want it?
Fraudsters use “ishing” scams to steal personal information that may allow them to gain access to your e-mail, financial, or other accounts. Some of the information they may try to steal includes:
- Sensitive personal information (e.g., Social Security, driver’s license or passport numbers)
- Bank, investment, or other financial account numbers
- ATM PIN numbers
- Usernames and passwords
What are some common characteristics of “ishing” scams?
Phishing scams involve fraudsters sending you e-mails to try to trick you into providing sensitive personal or financial information by having you reply to the e-mail, click on a hyperlink to a website that mimics a legitimate website, or open an attachment that may download dangerous software to your computer or mobile device. Fraudsters try to make these e-mails appear authentic by using:
- Names of real people, companies, or government agencies
- E-mail addresses that contain the name of a company or government agency
- Authentic-looking graphics and logos
- Links to webpages that appear to be a real company or government website
- Official-looking fine print and legal references
These e-mails also generally use an “urgent” message to try to solicit the information from you. Some examples of these messages include:
- Claims your account will be closed if you do not update your account information
- Alerts of suspicious activity in your account that ask you to verify your identity
- Claims of problems with your account or payment information
- Claims you have won a prize or money
Smishing scams involve fraudsters sending you texts or other direct messages to try to trick you into providing sensitive personal or financial information by having you reply to the text, or click on a hyperlink in the text that downloads dangerous software to your mobile device or takes you to a website that mimics a legitimate website. Fraudsters try to make these texts appear authentic by using names of real people, companies, or government agencies. These texts also generally use “urgent” messages similar to those used in phishing scams to try to solicit this information from you.
Vishing scams involve fraudsters using the same tactics used in phishing and smishing scams, except they call you on your home or mobile phone. Vishing fraudsters can make their calls look like they are coming from legitimate sources. These fraudsters also may learn some basic information about you from social media or other publicly available sources to make the call sound more legitimate.
Red Flags of “ishing” scams
- Any request for personal or financial information – Use caution with any e-mail, text message, or phone call that asks you to provide any personal or financial information.
- Generic greetings, no greeting, and impersonators – These scams often target large numbers of people, so the text message or e-mail may use a generic greeting like “Dear sir or ma’am” or no greeting at all. Scam callers may ask to speak with “the head of the house,” or claim to be a representative from your investment or other financial firm, or from a government agency.
- Fear and Excitement – Fraudsters generally design these scams to prey on one of two powerful human emotions: fear or excitement. These emotions may lead you to make quick decisions without carefully considering your actions. This is why many of these scams involve either telling you something bad has or will happen, or that you have won something (usually money).
- Misspellings and bad grammar – E-mails and text messages associated with these scams often contain misspelled words and bad grammar. If you notice these types of mistakes in an e-mail or text message, treat the message with caution.
- Attachments and Hyperlinks – DO NOT open any attachment (e.g., pdfs, word processing and spreadsheet files, zip files) or click on a hyperlink in an unexpected e-mail or text message.
- Never provide personal or sensitive information via text message, e-mail, or to anyone on an unsolicited phone call.
- Never reply to any unfamiliar or unverifiable text messages or e-mails. Do not click any hyperlinks, open any attachments, or call back any telephone numbers in these messages. Fraudsters may be trying to see if a phone number or e-mail is active. By responding to the e-mail or text you have alerted the fraudster that they have a live target which may prompt additional e-mails and texts. Clicking on hyperlinks or opening attachments in these messages may also download dangerous software programs to your computer or mobile device that log your keystrokes and allow fraudsters to obtain usernames and passwords to your online accounts.
- If you receive a text message or e-mail from what appears to be your investment, bank or other financial firm, contact the firm directly through a verified telephone number to confirm that the information in the text or e-mail message is real.
- Immediately delete all suspicious e-mails and text messages.
- Enable multi-factor authentication for all your online investment and financial accounts.
- Download and install software and security updates for all your computers and mobile devices.
- Specific tips for vishing scams:
  - Join the Do Not Call Registry.
  - Do not answer telephone calls from phone numbers you do not know. Let these calls go to voicemail. If the caller leaves a call back phone number in a voicemail, make sure you verify the phone number before calling it back.
  - If you accidentally answer a call from an unknown number, do not respond to any prompts from the caller and hang up immediately.
- If you are a victim of any “ishing” scam, contact your investment, bank or other financial provider immediately and change the online passwords for your accounts.
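The red flags listed above can be turned into a simple screening check that a mail filter or help desk could run over incoming messages. The following is an added example written for this page, not SEC code; the indicator phrases, the HTML link check and the two sample messages are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Indicator lists drawn from the red flags above; tune them for your own mail stream.
URGENCY = ("account will be closed", "suspicious activity", "verify your identity",
           "problem with your account", "you have won", "act now")
SENSITIVE = ("social security", "password", "pin", "account number", "passport")
GENERIC_GREETINGS = ("dear sir or madam", "dear sir or ma'am", "dear customer", "dear user")
RISKY_EXT = (".zip", ".exe", ".js", ".docm", ".xlsm", ".pdf")
DOMAIN = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}")

def base_domain(host):
    """Crude registrable-domain approximation: last two labels (no public-suffix list)."""
    return ".".join(host.lower().split(".")[-2:])

def link_mismatch(body):
    """True if an HTML link's visible text names a different domain than its href."""
    for href, text in re.findall(r'<a\s+href="([^"]+)"[^>]*>([^<]+)</a>', body, re.I):
        href_host = urlparse(href).hostname or ""
        shown = DOMAIN.search(text.lower())
        if shown and base_domain(href_host) != base_domain(shown.group(0)):
            return True
    return False

def score_message(msg):
    """Return the list of red flags found in a message dict (subject, body, attachments)."""
    body = msg.get("body", "")
    text = (msg.get("subject", "") + " " + body).lower()
    reasons = []
    if any(p in text for p in URGENCY):
        reasons.append("urgent fear/excitement language")
    if any(p in text for p in SENSITIVE):
        reasons.append("asks for personal or financial information")
    if any(g in body.lower()[:80] for g in GENERIC_GREETINGS):
        reasons.append("generic greeting")
    if link_mismatch(body):
        reasons.append("link text and destination domain differ")
    if any(a.lower().endswith(RISKY_EXT) for a in msg.get("attachments", [])):
        reasons.append("risky attachment type")
    return reasons

# Constructed sample messages (not real mail).
PHISH = {"subject": "Suspicious activity on your account",
         "body": 'Dear Customer, verify your identity and password at '
                 '<a href="http://login-verify.example.net/x">www.bank-example.com</a>',
         "attachments": ["statement.zip"]}
BENIGN = {"subject": "Lunch on Friday?",
          "body": "Hi Dana, are you free Friday at noon? See you then.",
          "attachments": []}

if __name__ == "__main__":
    for name, m in (("phish", PHISH), ("benign", BENIGN)):
        print(name, score_message(m))
```

A message that trips several flags at once is a candidate for quarantine or for the "contact the firm through a verified number" step above, not for automatic deletion; keyword lists like these produce false positives on legitimate account notices.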