When you hear the phrase “identity theft,” you might picture forceful entry into your personal files, like someone physically stealing your credit card. In practice, identity theft often relies on social engineering. Phishing is a form of social engineering in which targets are tricked into handing over their own personal information – including sensitive information like their MLS logins – via malicious emails and websites.
Cybercriminals are after more than just credit cards and Social Security numbers. Any information meant only for you could be a target. Protecting personal information like your MLS login and password is critical to the safety and security of both individual users like yourself and the MLS as a whole.
With that in mind, below is a brief checklist that will help you identify phishing messages.
1. Who sent it?
The “from address” will often be unrelated to the “from name” of the person or company. For example, the email’s “from name” is California Regional MLS, but its “from address” does not end in @crmls.org.
2. Misleading links.
Links in the email do not go where they claim to. For example, a link claiming to direct the reader to a CRMLS notice goes to a domain unrelated to CRMLS.
3. Incomplete information.
Instead of addressing you by name, phishing emails often use generic terms like “Dear Customer.” This may be because the information cybercriminals have about you is incomplete, or because they save time by not entering all their targets’ information.
4. Requests that you enter sensitive data.
The misleading links embedded in phishing emails often point to spoofed sites that closely resemble a site you’re used to entering information into, like an MLS login page or an online banking account. In general, legitimate senders – including CRMLS – will not link you to a page like this directly, instead directing you to log in as you would otherwise.
5. Unexpected emails that include your specific personal information.
If an email sets off some of the other warning flags in this list, but includes information like your job title, previous employment, or professional interests – that doesn’t mean it’s legitimate. This information can often be gathered from your profiles on social networking sites and is used to make a phishing email convincing. Check the email for other signs of phishing before clicking any links or downloading any attachments.
6. Alarming or urgent wording.
Cybercriminals often use alarming wording (such as, “You have received an MLS violation,” or, “Your account has been breached”) to trick you into moving fast without thinking, causing you to reveal sensitive information. Take a moment to consider the motivations of the sender before handing over information you otherwise wouldn’t.
7. Poor grammar or spelling.
While nobody is perfect and mistakes slip through occasionally, most formal communication – and certainly anything like an MLS violation – is written and/or edited by professionals. If an email is laden with typos or unusual syntax, something is likely amiss.
8. Unnecessary account verification.
Some messages spoof real emails asking you to verify your account. Be sure to question why you’re being asked to verify – if there’s a shaky justification in the email, or no justification at all, you may be dealing with a phishing attempt.
9. Look-alike website names.
This is another kind of misleading link. Cybercriminals will often purchase and “squat” on website names similar to official websites, hoping to mislead users who don’t look carefully at the URL – e.g. g00gle.com or paypa1.com instead of google.com or paypal.com. Always check the URL before entering sensitive information.
10. It doesn’t pass the smell test.
Does something feel a little off with this email message? Does it warn you of a false danger or promise you an unlikely reward? Is it referencing a listing or case unrelated to you? Does it seem too good to be true? Trust your instincts.
(The list above draws inspiration from Sophos’s excellent guide to protecting yourself from phishing.)
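Three of the checks above lend themselves to automation on a mail gateway or in a reporting tool: the sender check (item 1), the misleading-link check (item 2) and the look-alike URL check. The Python below is an added example, not part of the original article or any CRMLS tooling; the trusted-domain list, the digit-swap table and the sample message are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allow-list; the three names are the article's own examples.
TRUSTED = {"crmls.org", "google.com", "paypal.com"}
DIGIT_SWAPS = str.maketrans("01", "ol")  # undoes g00gle -> google, paypa1 -> paypal
def base_domain(host):  # last two labels; simplified, ignores suffixes like .co.uk
    return ".".join(host.lower().rstrip(".").split(".")[-2:])
def is_lookalike(host):  # look-alike URL: trusted only after undoing digit swaps
    d = base_domain(host)
    return d not in TRUSTED and d.translate(DIGIT_SWAPS) in TRUSTED

class LinkCollector(HTMLParser):  # gathers (visible text, href) for each <a>
    links, _href, _text = (), None, ""
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", ""
    def handle_data(self, data):
        if self._href is not None:
            self._text += data
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links += ((self._text.strip(), self._href),)
            self._href = None

def check_message(raw, brand="california regional mls", brand_domain="crmls.org"):
    msg, findings = message_from_string(raw), []
    name, addr = parseaddr(msg.get("From", ""))
    # Item 1: the display name claims the brand but the address is elsewhere.
    if brand in name.lower() and base_domain(addr.rpartition("@")[2]) != brand_domain:
        findings.append(f"from-mismatch: {name!r} sent from {addr}")
    collector = LinkCollector()
    collector.feed(msg.get_payload())  # assumes a single-part, unencoded body
    for text, href in collector.links:
        host = urlparse(href).hostname or ""
        shown = re.search(r"(?:[a-z0-9-]+\.)+[a-z]{2,}", text.lower())
        # Item 2: the link text names one domain, the href goes to another.
        if shown and base_domain(shown.group()) != base_domain(host):
            findings.append(f"link-mismatch: shows {shown.group()}, goes to {host}")
        if is_lookalike(host):
            findings.append(f"lookalike: {host}")
    return findings

# Constructed sample, not a real message.
SAMPLE = ("From: California Regional MLS <notices@mls-alerts.example>\n\n"
          '<a href="http://crmls.org.account-check.example/">www.crmls.org/notices</a> '
          '<a href="http://paypa1.com/verify">verify your account</a>')
if __name__ == "__main__": print("\n".join(check_message(SAMPLE)))
```

A clean result from these checks does not make a message legitimate; the remaining items on the list still need a human read.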