
Five Red Flags to Help You Spot a Phishing Scam

By John B. Folkerts, CISSP, Vice President, Information Security Manager, Canandaigua National Bank & Trust

What is “phishing”? It’s one of the most common tactics today to steal a person’s online banking password, secure access code, or other sensitive information. It starts with a convincing story or emotional appeal—a hook—and then quickly urges the victim to do something to prevent a negative outcome.

Three recent examples of this approach include:

  • “Your password has expired – change it before you get locked out!” (I don’t want to lose access!)
  • “Your bill is overdue! Click here to avoid late fees.” (What bill?!)
  • “Thank you for your payment of $507.13” (Wait, I didn’t authorize that!)

A phishing story that first arrives by email can be made more convincing by a follow-up phone call. This kind of approach (message followed by phone call) is becoming even more prevalent, because people have a tough time believing that someone would lie to them on the phone. Combining two communication tactics can make the story seem even more urgent and believable.

What can you do to prevent this from happening? First, slow down. Think before you click. Make sure you know the red flags of phishing:

  1. The communication is unexpected. Does your bank usually send text messages? For what reasons? Be suspicious of messages from new phone numbers or out-of-state area codes.
  2. Suspicious sender address. You may know the sender’s name, but the email address could be from a strange domain.
  3. Spoofed hyperlinks and websites. Check any links by hovering your mouse over the link. If you see an unknown website or domain, beware.
  4. Spelling and layout. Poor grammar, misspellings, or unprofessional formatting can indicate a possible phishing attempt.
  5. Suspicious attachments. Any unsolicited email that asks you to download a file or open an attachment should be verified before you open it. Call the sender at a known phone number to see if the request is legitimate.
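As an added illustration of red flags 2 and 3 (this is example code, not part of the original article), the following Python checks a message the way a careful reader would: does the sender's address come from a domain you actually expect, and does each link go where its visible text claims? The trusted domain, the sample sender and the sample message body are constructed placeholders.

```python
import email.utils
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains the reader genuinely expects mail and links from (assumed placeholder value).
TRUSTED_DOMAINS = {"example-bank.com"}
URL_LIKE = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.IGNORECASE)

def registrable_domain(host):
    """Crude 'last two labels' domain; enough here, no public-suffix list consulted."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

class LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs, the same view a reader gets by hovering a link."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def phishing_flags(from_header, html_body):
    """Return red flags 2 (sender domain) and 3 (spoofed links) found in one message."""
    flags = []
    _, addr = email.utils.parseaddr(from_header)
    sender = registrable_domain(addr.rsplit("@", 1)[-1]) if "@" in addr else ""
    if sender not in TRUSTED_DOMAINS:
        flags.append(f"sender domain {sender!r} is not a known domain")
    collector = LinkCollector()
    collector.feed(html_body)
    for text, href in collector.links:
        target = registrable_domain(urlparse(href).hostname or "")
        if target not in TRUSTED_DOMAINS:
            flags.append(f"link '{text}' points to unknown domain {target!r}")
        if URL_LIKE.match(text):  # text looks like an address: does it name the real host?
            shown = registrable_domain(urlparse("http://" + text.split("://")[-1]).hostname or "")
            if shown != target:
                flags.append(f"link text shows {shown!r} but goes to {target!r}")
    return flags

# Constructed sample message for this example (not a real email).
SAMPLE_FROM = "Example Bank Support <alerts@example-bank-secure.net>"
SAMPLE_BODY = ('<p>Your password has expired. <a href="http://login.example-bank-secure.net/reset">'
               'www.example-bank.com</a> before you are locked out.</p>')
```

Running `phishing_flags(SAMPLE_FROM, SAMPLE_BODY)` reports three findings: a look-alike sender domain, a link to an unknown domain, and link text that shows the bank's real address while pointing elsewhere.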

When dealing with a message that you suspect to be phishing, contact the sender through a verified phone number (look it up separately). Don’t reply to an email or text message directly or call any phone numbers in a suspicious message. If you think that you may have entered your password on a counterfeit website, change your password immediately.

Want to learn more? Visit our Security Center for more information about protecting yourself against cyber and fraud threats.