Imagine you’re about to buy a new home. You’ve found the perfect property, your offer has been accepted and your down payment is ready. When you receive an email with instructions to wire your down payment, you do as directed. But when you speak with your real estate professional, attorney, closing agent and mortgage professional, you find out that the request did not come from any of them.
“No one on our side requested your down payment,” they tell you. “You need to call your bank immediately and try to recall the wire, or you’ll lose your down payment and the house!” As your heart begins to pound, you hang up and frantically dial your bank, hoping it’s not too late.
While this event is unlikely, it’s also far from unheard of. It’s an example of phishing, a practice where scammers pose as trusted individuals or companies to trick victims into sending money, providing personal information or exposing themselves to cyber attacks.
Phishing comes in many forms and levels of sophistication. A phishing attack could appear as a social media invite from an acquaintance, an urgent request from your bank or an important email from your company’s CEO, but any could lead to serious financial or identity theft. Email is the most common tool for phishing, but text messages and even phone calls can be used as well.
As mortgage professionals, we coach our clients on how to protect themselves from these dangers. However, even if you’re not currently buying a home, you need to know the ways to recognize and guard against phishing in your personal and professional life. Here are important tips on how to stay safe from this threat.
Don’t believe everything you see
Just because an email looks professional or uses the names, logos or style of a trustworthy individual or business does not make it legitimate. Scammers can imitate almost every aspect of an authentic message, especially if they manage to compromise the email account of someone you trust.
Suspect the unexpected
Messages or requests you weren’t expecting should be treated with suspicion, even if they appear to be sent by someone you trust. Whether it’s a password reset email from your bank or a request for emergency cash from your cousin, if it wasn’t expected, it’s suspect.
Be wary of urgent or threatening language
One common tactic phishers use is to create a sense of urgency in the hopes that you’ll act quickly without caution. Beware of messages such as “security alert”, “urgent action needed” and “change of password required immediately”.
Watch for bad grammar
Scammers can struggle with proper business English. If a message you receive is written unprofessionally or contains strange word choice, spelling, capitalization or punctuation, be on your guard.
Keep an eye out for details
Legitimate businesses and professionals should address you by name and include their phone number and other contact information. If a message refers to you as “Valued Customer”, “Sir/Madam” or another generic term and provides no way for you to call them, treat the message with suspicion.
Avoid risky links and attachments
Clicking a dangerous link or downloading an infected file could open you up to a range of serious cyber attacks. If a message asks you to visit any links or download any attached files, be absolutely sure the message is from a legitimate source before doing so.
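The warning signs from the last four tips (urgent language, generic greetings, no phone number, links and attachments) can also be checked automatically. The sketch below is an added example, not part of the original article; it uses Python's standard email module, and the flag names, the US-style phone pattern and both sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string

# Phrases and greetings quoted in the tips above; extend for your own mail.
URGENT = ("security alert", "urgent action needed",
          "change of password required immediately")
GENERIC = ("valued customer", "sir/madam")
# Assumption: US-style numbers such as 555-010-0199 or (555) 010-0199.
PHONE = re.compile(r"\(?\d{3}\)?[ .-]?\d{3}[ .-]\d{4}")
URL = re.compile(r"https?://[^\s<>\"']+")

def red_flags(raw):
    """Return the warning signs found in one raw email message."""
    msg = message_from_string(raw)
    bodies, attachments = [], []
    for part in msg.walk():
        if part.get_filename():
            attachments.append(part.get_filename())
        elif part.get_content_type() == "text/plain":
            bodies.append(part.get_payload(decode=True).decode("utf-8", "replace"))
    text = (msg.get("Subject", "") + "\n" + "\n".join(bodies)).lower()
    flags = []
    if any(p in text for p in URGENT):
        flags.append("urgent_language")
    if any(g in text for g in GENERIC):
        flags.append("generic_greeting")
    if not PHONE.search(text):
        flags.append("no_callback_number")
    if URL.search(text):
        flags.append("link_to_verify")
    if attachments:
        flags.append("attachment_to_verify")
    return flags

# Constructed sample messages (not real mail).
SUSPICIOUS = """\
From: Closing Dept <closing@example.com>
Subject: Urgent action needed: wire your down payment

Dear Valued Customer,
Send the wire today using the instructions at http://example.com/wire
"""
ROUTINE = """\
From: Pat Lee <pat@example.com>
Subject: Closing date confirmed

Hi Jordan,
Your closing is set for Friday. Call me at 555-010-0199 with any questions.
"""
```

An empty result does not make a message legitimate, since a compromised account can send mail that shows none of these signs; calling a trusted number remains the real check.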
Be careful giving out personal information
No one should ever ask for your login credentials to bank accounts or other services or require you to send personal information such as your Social Security number over email. Only upload personal information to recognized webpages that start with https://, or fax it to a trusted number.
Keep your systems up to date
Make sure your operating system, security software, email client and web browser always have the most recent updates. No piece of software offers complete protection, but keeping yours updated is an important last line of defense.
Contact a trusted party to verify
The best way to confirm the legitimacy of a message you’ve received is to call an official phone number. Do not use any contact information from the suspicious message itself. Instead, call the number from a trusted source such as a familiar website or your own records.
Take quick action if you think you’ve been compromised
If you think you’ve been the victim of a phishing attack, it’s important to act as soon as possible to prevent or limit damage. Depending on how you believe you’ve been compromised (payment theft, identity theft, computer infection, etc.) you may need to contact your financial institutions, other account providers, credit agencies and/or an IT professional.
Phishing is a worrying threat, but by following these tips, you’ll be well equipped to keep your identity, your finances and your computer safe. For more information, visit the FTC page on phishing.