Phishing

What it is:

Phishing is the practice of obtaining sensitive personal information, such as passwords and credit card numbers, electronically by posing as a trusted institution, such as a credit union, bank, the IRS or a credit card company.

How it works:

Phishing usually involves an email message that purports to be from a financial institution. The recipient is instructed to click on a link within the message to “verify” their account information, with a threat of account deactivation or suspension.

Users who click on this link will be taken to a fake website that may look very similar to their own financial institution’s. The user may be asked to provide his or her account number, PIN, Social Security number, mother’s maiden name and other information, which can be used to commit identity theft and fraud.

Occasionally, the message will instead contain instructions to call a phone number, where the recipient will be prompted to enter the same information.

Another variation involves online payment systems such as PayPal. In this case, the recipient is alerted to a “recent purchase,” usually through eBay, and instructed to verify it by clicking on a link. Since the user hasn’t made any purchase, they are expected to react emotionally and try to clear up the problem right away. Naturally, they will be taken to a fake PayPal website and tricked into giving away account information, which can be used to steal money directly from linked accounts.

How to protect yourself:

The first thing to remember when it comes to phishing is this: your credit union, bank, credit card company, the IRS, and other legitimate institutions you do business with already have your personal information. They have no need to contact you to verify this information. The IRS will never use email to contact you at all.

If there is a legitimate problem with an account, your financial institution will contact you with instructions to rectify the situation, which will never involve revealing personal information to an unsolicited caller.

When you receive an email message that claims to be from a trusted institution and asks you to verify account information, the easiest way to deal with it is to simply delete the message.

You may also forward the message (including all headers) to reportphishing@antiphishing.org, spam@uce.gov and to the institution whose name is being used in the message.

If a message seems like it might be legitimate, contact the institution directly, using the number in the phone book or by typing their web address directly into your web browser. Do not use the phone number contained in the email message, and do not click on any links contained in the message. It is easy to make a link display one address but lead to another.

Warning Signs:

  1. The message uses a generic greeting (“Dear valued customer”) instead of your name
  2. The tone of the message is urgent and demands that you respond immediately
  3. The message asks you to verify account information or provide other personal information
  4. The message is from an institution you don’t even do business with
  5. Your web browser or other software is warning you about a problem with a website or message; pay attention to these warnings
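The warning signs above, together with the point that a link can display one address but lead to another, can be turned into a simple screening check. The following Python script is an added example written for this page, not code from the original article: it parses a constructed sample message, looks for a generic greeting, urgent wording, requests for account details, a sender domain that is not one of the reader's own institutions, and links whose visible text and real destination disagree. The keyword lists, the sample message, the sender address and the domain examplebank.com are all made up for the example.

```python
"""Heuristic screening of an email against the phishing warning signs.

Added illustrative example; the sample message, keyword lists and bank
domain below are constructed for this page and are not real data.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class _BodyParser(HTMLParser):
    """Collect the visible text and every (anchor text, href) pair in an HTML body."""

    def __init__(self):
        super().__init__()
        self.text_parts = []
        self.links = []
        self._href = None
        self._anchor_text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._anchor_text = []

    def handle_data(self, data):
        self.text_parts.append(data)
        if self._href is not None:
            self._anchor_text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._anchor_text).strip(), self._href))
            self._href = None


# Constructed phrase lists mirroring warning signs 1 to 3 in the article.
GENERIC_GREETINGS = ("dear valued customer", "dear customer", "dear member", "dear user")
URGENCY_PHRASES = ("immediately", "within 24 hours", "will be suspended",
                   "will be deactivated", "urgent")
INFO_REQUESTS = ("verify your account", "confirm your account", "pin",
                 "social security", "password", "maiden name")

# Anchor text that itself looks like a web address, e.g. "www.examplebank.com/login".
URL_LIKE = re.compile(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?$", re.I)


def _mentions(text, phrases):
    """Return the phrases that occur in text as whole words."""
    return [p for p in phrases if re.search(r"\b" + re.escape(p) + r"\b", text)]


def _host(url):
    """Lower-cased hostname of a URL, or '' if it has none."""
    return (urlparse(url).hostname or "").lower()


def _org(host):
    """Crude 'organisation' of a hostname: its last two labels (a simplification)."""
    return ".".join(host.split(".")[-2:])


def check_email(sender, html_body, my_institutions):
    """Return the list of warning signs triggered by one message.

    sender:          the From: address as displayed, e.g. 'alerts@examplebank.com'
    html_body:       the HTML body of the message
    my_institutions: domains of institutions the reader actually does business with
    """
    parser = _BodyParser()
    parser.feed(html_body)
    parser.close()
    text = " ".join(" ".join(parser.text_parts).split()).lower()
    flags = []

    if _mentions(text, GENERIC_GREETINGS):
        flags.append("generic greeting")
    if _mentions(text, URGENCY_PHRASES):
        flags.append("urgent tone")
    if _mentions(text, INFO_REQUESTS):
        flags.append("asks for account or personal information")

    sender_domain = sender.rsplit("@", 1)[-1].lower()
    if not any(sender_domain == d or sender_domain.endswith("." + d) for d in my_institutions):
        flags.append(f"sender domain {sender_domain} is not one of your institutions")

    for anchor_text, href in parser.links:
        target = _host(href)
        if not target:
            continue
        if URL_LIKE.match(anchor_text):
            shown = _host(anchor_text if "://" in anchor_text else "http://" + anchor_text)
            if _org(shown) != _org(target):
                flags.append(f"link text shows {shown} but leads to {target}")
                continue
        if _org(target) != _org(sender_domain):
            flags.append(f"link leads to {target}, not the sender's domain")
    return flags


# Constructed sample: a lookalike sender, a generic greeting, a deadline,
# a request for PIN and SSN, and a link whose text and destination differ.
SAMPLE_SENDER = "security@examplebank-alerts.com"
SAMPLE_BODY = """
<html><body>
<p>Dear valued customer,</p>
<p>We detected unusual activity. Your account will be suspended unless you
verify your account within 24 hours.</p>
<p>Please log in at <a href="http://198.51.100.23/login">www.examplebank.com/login</a>
and confirm your PIN and Social Security number.</p>
</body></html>
"""
MY_INSTITUTIONS = ("examplebank.com",)

if __name__ == "__main__":
    for flag in check_email(SAMPLE_SENDER, SAMPLE_BODY, MY_INSTITUTIONS):
        print("-", flag)
```

The link check is the part worth keeping even if the phrase lists are dropped: the anchor text is what the reader sees, the `href` is where the browser goes, and the script compares the two rather than trusting either. Every flag is a prompt to contact the institution through a known number or address, as the article advises, not a verdict on its own.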
