Phishing - What It Is and How to Protect Yourself From Identity Theft Frauds

Phishing - Fake Requests for Personal Financial Information

What is Phishing?

Phishing is a method thieves and con men use to get personal information from you in order to steal your identity and then your money or benefits. Pretending to be from a legitimate retailer, bank, or government agency, the sender asks you to "confirm" your personal information for some made-up reason: your account is about to be closed, an order for something has been placed in your name, or your information has been lost because of a computer problem. Typically, you receive an email that appears to come from your bank, asking you to go to its site (with the link provided) to reenter your most personal information. The link takes you to a bogus website! Another tactic phishers use is to say they're from the fraud department of a well-known company and ask you to verify your information because they suspect you may be a victim of identity theft! In one case, a phisher claimed to be from a state lottery commission and requested people's banking information in order to deposit their "winnings" in their accounts.

Gartner Group reports that, as of May 2005, over 1.8 million consumers had been conned by phishing attacks into revealing sensitive information, most of them since 2004. Phishing emails have increased by 4,000% in the past six months. The average consumer victim loses $1,200 when his bank account is taken over. The United States Treasury has even issued a warning about phishing scams.

In short,

  • Phishing almost always involves sending out fake email messages that ask the recipients to enter personal financial information, such as bank account numbers, credit card numbers, or passport numbers, into forms on Web sites designed to resemble those of the bank, credit card issuer, or other company the sender claims to be.
  • Phishing can also happen by phone. You may get a call from someone pretending to be from a company or government agency, making the same kinds of false claims and asking for your personal information.
  • Phishing attacks are brief: they normally last less than a week, and the fake sites are often active for only two or three days.
  • And don't think for a moment that the "sent from" or "reply to" addresses are real, or that they show who really sent the message. See this page about spoofing!

There are a number of examples of phishing emails to look at on this page.
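The deceptions in the list above (a link whose visible text names the real bank while its target is somewhere else, a bare IP address standing in for a bank's host name, a brand name buried inside a stranger's domain) can be checked mechanically. The following is an added example, not code from the original page: it parses a constructed "confirm your account" lure, pulls every link out of the HTML body, and explains why each one is suspicious. The message, the fictitious "Example Bank" brand and the LEGITIMATE_DOMAINS list are all assumptions made for the illustration.

```python
"""Flag deceptive links in a suspected phishing e-mail.

Added example, not code from the original article. SAMPLE_EMAIL is a
constructed lure and LEGITIMATE_DOMAINS is an assumed list of the real
domains of the brand being impersonated (the fictitious "Example Bank").
"""
import email
import ipaddress
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample: the visible text claims one host, the href points elsewhere.
SAMPLE_EMAIL = b"""\
From: "Example Bank Security" <security@examplebank.com>
To: victim@example.net
Subject: Your account will be closed
MIME-Version: 1.0
Content-Type: text/html; charset=us-ascii

<html><body>
<p>Please <a href="http://examplebank.com.login-verify.example/confirm">
confirm your details at https://www.examplebank.com/secure</a> within 24 hours.</p>
<p>Or use <a href="http://192.0.2.10/ebank/">our secure server</a>.</p>
<p>Help: <a href="https://www.examplebank.com/help">examplebank.com/help</a></p>
</body></html>
"""

LEGITIMATE_DOMAINS = {"examplebank.com"}  # assumption: the brand's real domains

# Something that looks like a host name (optionally with a scheme) inside link text.
HOST_IN_TEXT = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def registrable_domain(host):
    """Crude eTLD+1 (last two labels). Assumption: adequate for .com-style
    hosts; a production check would consult the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def analyse_link(href, text):
    """Return the reasons a link is suspicious; an empty list means it passed."""
    reasons = []
    host = urlsplit(href).hostname or ""
    if not host:
        return ["no host in href"]
    if is_ip_literal(host):
        reasons.append(f"href uses a bare IP address ({host})")
    elif registrable_domain(host) not in LEGITIMATE_DOMAINS:
        reasons.append(f"href host {host} is not a known legitimate domain")
        if any(d in host for d in LEGITIMATE_DOMAINS):
            # e.g. examplebank.com.login-verify.example: the brand appears as a
            # subdomain of somebody else's domain
            reasons.append("brand domain embedded in a foreign host name")
    shown = HOST_IN_TEXT.search(text)
    if shown and registrable_domain(shown.group(1)) != registrable_domain(host):
        reasons.append(f"visible text shows {shown.group(1)} but href goes to {host}")
    return reasons


def analyse_message(raw):
    """Parse a raw message and return [(href, reasons)] for each suspicious link."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return []
    extractor = LinkExtractor()
    extractor.feed(body.get_content())
    findings = []
    for href, text in extractor.links:
        reasons = analyse_link(href, text)
        if reasons:
            findings.append((href, reasons))
    return findings


if __name__ == "__main__":
    for href, reasons in analyse_message(SAMPLE_EMAIL):
        print(href)
        for reason in reasons:
            print("   -", reason)
```

Run against the sample, the first two links are reported (the lookalike host and the bare IP) and the genuine help link passes. The domain comparison is deliberately simple; the point is that the text you see and the address you would be sent to are two different things, and only the second one matters.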


"Vishing" - Phishing by Telephone

A variant, "vishing," uses the telephone system. A vishing scam occurs when a consumer receives a recorded message claiming that a credit card or financial institution account has been breached and telling them to immediately call a number given in the message. That number leads to a fraudulent call center, where callers are asked to supply or verify financial account, social security, or credit card information.


History of Phishing

Phishing scams began in the mid-1990s not to obtain bank or credit card information, but to get free online access. In those days, ISPs like AOL charged by the minute. Phishers would try to obtain AOL members' login user IDs and passwords by sending emails appearing to come from AOL's member services department. The fake email would ask recipients to verify their user names and passwords. The scammers would then log on using the victims' accounts and run up a bill.

Phishers target the customers of a variety of companies: from CitiBank (currently impersonated in 54 per cent of phishing messages) to AOL, Amazon.com, eBay, PayPal and others.

What do Phishers do with the Information Today?

Now the criminals use the information they obtain to apply for new credit cards in the victim's name, withdraw money directly from victims' bank accounts, and spend, spend, spend... the victim's money.

In some cases, the scammers act as a clearinghouse, selling stolen credit card numbers in online forums to others who use the information.  Amazingly, the stolen account numbers usually only bring a dollar or two each!

What Can You Do to Protect Yourself from Phishing Theft?

  • First, DON'T click on the link in an email that asks for your personal information. It will take you to a phony Web site that looks just like the Web site of the real company or agency. Following the instructions, you enter your personal information on the Web site, and it goes straight into the hands of identity thieves. To check whether the message is really from the company or agency, call it directly or go to its Web site. If you don't have the telephone number, get it from the phone book, the Internet, or directory assistance, and use a search engine to find the official Web site rather than following any link in the message. A bank would not ask you to email the answer to a security question such as your mother's maiden name. Also, look for misspellings in the bogus email. If you get an email that warns you, with little or no notice, that an account of yours will be shut down unless you reconfirm your billing information, do not reply or click on the link in the email. Instead, contact the company cited in the email using a telephone number or Web site address you know to be genuine.
  • If someone contacts you and says you've been a victim of fraud, verify the person's identity before you provide any personal information. Legitimate credit card issuers and other companies may contact you if there is an unusual pattern indicating that someone else might be using one of your accounts. But usually they only ask if you made particular transactions; they don't request your account number or other personal information. Law enforcement agencies might also contact you if you've been the victim of fraud. To be on the safe side, ask for the person's name, the name of the agency or company, the telephone number, and the address. Then get the main number (see tip above) and call to find out if the person is legitimate.
  • Check out the list of recent phishing attacks and the information about Phishing Pop-ups!
  • Look at these examples of phishing emails to be familiar!
  • Job seekers should also be careful. Some phishers target people who list themselves on job search sites. Pretending to be potential employers, they ask for your social security number and other personal information. Follow the advice above and verify the person's identity before providing any personal information.
  • Be suspicious if someone contacts you unexpectedly and asks for your personal information. It's hard to tell whether something is legitimate by looking at an email or a Web site, or talking to someone on the phone. But if you're contacted out of the blue and asked for your personal information, it's a warning sign that something is "phishy." Legitimate companies and agencies don't operate that way.
  • Act immediately if you've been hooked by a phisher. If you provided account numbers, PINs, or passwords to a phisher, notify the companies with whom you have the accounts right away. For information about how to put a "fraud alert" on your files at the credit reporting bureaus and other advice for ID theft victims, contact the Federal Trade Commission's ID Theft Clearinghouse, www.consumer.gov/idtheft or toll-free, 877-438-4338. The TDD number is 202-326-2502.
  • Avoid emailing personal and financial information. Before submitting financial information through a Web site, look for the "lock" icon in the browser's address bar or status bar. It signals that your information is encrypted in transit, but not that the site belongs to the company it claims to be: a phishing site can show a lock too, so check the address displayed next to it as well.
  • Review credit card and bank account statements as soon as you receive them to determine whether there are any unauthorized charges. If your statement is late by more than a couple of days, call your credit card company or bank to confirm your billing address and account balances.
  • Even if you didn't get hooked, report phishing. Tell the company or agency that the phisher was impersonating. Forward the actual spam message to spam@uce.gov. You can also report the problem to law enforcement agencies through the National Fraud Information Center/Internet Fraud Watch, www.fraud.org or 800-876-7060, TDD 202-835-0778. The information you provide helps to stop identity theft.

Reporting a Possible Phishing Attack

If you need advice about an Internet or online solicitation, or you want to report a possible scam, use the Online Reporting Form or call the NFIC hotline at 1-800-876-7060.

To report to the organization impersonated in the email you received, write directly to the company or organization.  Here are the real websites, email addresses and phone numbers of some of the more common targets of spoofing / phishing:

Company                   Email address for reports         Phone
------------------------  --------------------------------  --------------
Amazon.com                stop-spoofing@amazon.com
American Express          spoof@americanexpress.com
AmSouth Bank              fraud@amsouth.com                 1-800-267-6884
Bank Of America           abuse@bankofamerica.com
Bank Of The West          abuse@bankofthewest.com           1-949-622-0525
Barclays                  internetsecurity@barclays.co.uk
Chase                     abuse@chase.com
CitiBank                  emailspoof@citigroup.com
EBay                      spoof@ebay.com
EBay.co.uk                spoof@ebay.co.uk
Federal Trade Commission  spam@uce.gov
Fifth Third Bank          53investigation@security.53.com   1-800-927-0395
Foxnews.com
FlagStar Bank             abuse@flagstar.com
LaSalle Bank              emailhoax@abnamro.com             1-866-904-7500
PayPal                    spoof@paypal.com
PayPal.co.uk              spoof@paypal.co.uk
Star                      service@star.com
SunTrust                  reportfraud@suntrust.com          1-800-227-3782
TCF Bank                  emailfraud@tcfbank.com
US Bank                   fraud_help@usbank.com
Washington Mutual         spoof@wamu.com                    1-800-788-7000
Wells Fargo               reportphish@wellsfargo.com        1-866-867-5568


Protect Yourself:

The following documents and websites can help you learn more about phishing and how to protect yourself against phishing attacks.


Methods of Reporting Phishing Email to the US Government

  • In Outlook Express, you can create a new message and drag and drop the phishing email into the new message; it is attached as a complete message with its headers intact. Address the message to phishing-report@us-cert.gov and send it.
  • In Outlook Express you can also open the email message* and select File > Properties > Details. The email headers will appear. You can copy these as you normally copy text and include them in a new message to phishing-report@us-cert.gov.
  • If you cannot forward the email message, at a minimum, please send the URL of the phishing website.

* If the suspicious mail in question includes a file attachment, it is safer to simply highlight the message and forward it. Some configurations, especially in Windows environments, may allow the execution of arbitrary code upon opening and viewing a malicious email message.
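The three steps above amount to one thing: get the original message, headers and all, to the reporting address without rendering it yourself. The following is an added example, not code from the original page or from US-CERT, that does exactly that from the raw bytes: it pulls the domains behind the From, Reply-To and Return-Path headers (the first thing to compare when you read the headers from File > Properties > Details), lists any phishing URL, and attaches the untouched original as a message/rfc822 part, which is what the drag-and-drop step does. SUSPECT_RAW is a constructed lure; the reporting address is the one the page gives.

```python
"""Package a suspect e-mail as a message/rfc822 attachment for reporting.

Added example, not from the original page. Attaching the original whole
preserves its headers, and building the report from raw bytes means the
message (and any attachment it carries) is never opened or rendered.
SUSPECT_RAW is a constructed lure.
"""
import email
import email.utils
from email import policy
from email.message import EmailMessage

REPORT_ADDRESS = "phishing-report@us-cert.gov"  # reporting address from the page

# Constructed sample: note that From, Reply-To and Return-Path all disagree.
SUSPECT_RAW = b"""\
Return-Path: <bounce@mailer.example.net>
Received: from mailer.example.net ([192.0.2.44]) by mx.example.org with ESMTP; Mon, 1 Aug 2005 10:00:00 +0000
From: "Example Bank" <security@examplebank.com>
Reply-To: verify@examplebank-secure.example
To: victim@example.org
Subject: Urgent: confirm your account
Content-Type: text/plain; charset=us-ascii

Please confirm at http://examplebank.com.login-verify.example/confirm
"""


def sender_domains(raw):
    """Domains behind the sender-related headers. A legitimate bank mailing
    usually has all three agreeing; a phish rarely does."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    out = {}
    for name in ("From", "Reply-To", "Return-Path"):
        addr = email.utils.parseaddr(str(msg.get(name, "")))[1]
        out[name] = addr.rsplit("@", 1)[1].lower() if "@" in addr else None
    return out


def build_report(raw, reporter, phishing_urls=()):
    """Build the report: a short note plus the original attached intact."""
    suspect = email.message_from_bytes(raw, policy=policy.default)
    report = EmailMessage()
    report["From"] = reporter
    report["To"] = REPORT_ADDRESS
    report["Subject"] = "Phishing report: " + str(suspect.get("Subject", "(no subject)"))
    lines = ["Suspected phishing message attached with its headers intact."]
    for name, domain in sender_domains(raw).items():
        lines.append(f"{name} domain: {domain or '(absent)'}")
    for url in phishing_urls:
        lines.append("Phishing URL: " + url)
    report.set_content("\n".join(lines) + "\n")
    # The stdlib content manager wraps a Message object as message/rfc822,
    # so the original's headers travel with the report unchanged.
    report.add_attachment(suspect)
    return report


if __name__ == "__main__":
    report = build_report(SUSPECT_RAW, "victim@example.org",
                          ["http://examplebank.com.login-verify.example/confirm"])
    print(report.as_string())
```

The report can be handed to any SMTP client as-is. Compare this with forwarding inline: a plain forward rewrites the headers to your own, and the Received chain and Return-Path that investigators need are lost.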

For More Information About Phishing, See:


For a comprehensive list of national and international agencies to report scams, see this page.