“Phishing”: What is it and how do I avoid getting hooked by this identity theft bait?

There is a rapidly growing Internet fraud called “phishing.” Phishing (pronounced “fishing”) is a term that refers to fishing for personal information, such as account numbers, passwords, PINs, credit card account or Social Security numbers online.

Phishing is quickly becoming one of the most insidious online identity theft scams where fraudulent email messages (spam) are sent to unsuspecting victims’ email addresses requesting them to supply confidential information. The email message may include a warning that there is a problem with your account or that the account will be closed unless you reconfirm confidential information. These emails and links to so-called official sites appear to be quite authentic, but are really baiting you to give up valuable information. Phishers’ latest ploy involves using multiple channels to try to get at your private information, asking people to call instead of using email to obtain user IDs and passwords.

So how do spammers “phish?” They take advantage of a security hole inherent in SMTP email logic to impersonate another’s domain. A phisher falsifies the domain in the email header and copies the look and feel of a company’s web site to make you believe the email is from an authentic site. Identity theft is estimated to rob over half a million people of their identities each year. Once someone steals your personal information, it can be used to establish credit, borrow money, purchase goods and services, and even commit crimes—ruining your good name and your credit.

Protect Yourself

Here are steps you can take to protect yourself from being the next victim of a phishing scam:

• Install a SPAM filter to reduce the number of fraudulent and malicious emails you receive.
• Don’t trust any email urgently requesting personal information, such as checking account or credit card numbers, Social Security numbers, user names, passwords, PIN codes or other financial information.
• When clicking on links in an email, watch the “address bar” of your browser to ensure you’re directed to the authentic, branded domain. It is easy for a phisher to spoof a web link and redirect it to another web site.
• Rather than using hyperlinks in an email that you suspect may not be authentic, you should directly type in the URL in the Internet browser address bar. Certificates for the site ensure that the site you type in is where you’re going. In an email, hyperlinks may appear to be going to one site, but can direct you to another.
• When entering personal information on secure sites, look for the locked padlock on the Internet browser’s status bar or make sure that you see https:// at the start of the URL in the address bar. This indicates SSL security is in place, although it does not guarantee the site’s legitimacy. Without these, however, the web site is definitely not secure.
• Be alert to scammers phishing using any communication method and asking you to confirm using any communication method (phone, fax, email, etc.)
• Keep in mind that legitimate companies would never ask their customers for private information in an email.

What To Do If You Receive a Phishing Email

Will you know a phish when you see one? Unfortunately, phishing is becoming more and more common, and the scammers are getting better at disguising themselves.

If you receive a phishing email, make sure you report it to both of the following email addresses: reportphishing@antiphishing.org and uce@ftc.gov. You should also forward the email to the company that is being imitated or “spoofed.” When forwarding these messages, be sure to include the original email with the complete header information.