Phishing: Keep from Getting Caught
Increasingly, Americans are receiving fraudulent e-mails
that direct recipients to websites where they are asked to
provide confidential personal and financial information. These
e-mails may vary significantly. Some claim that the
individual’s personal information is necessary to assist
in the fight against terrorism or for some other alleged legal
purpose. Other e-mails purport to be from government agencies
or private sector entities, such as financial sector firms,
Internet auction sites, or electronic payment services.
In these fraudulent schemes, commonly known as
“phishing”, the fraudster sends an e-mail to
consumers, falsely claiming to be from a legitimate company, in
hopes of luring consumers to a “spoofed” website.
The spoofed website mimics the legitimate website for the sole
purpose of stealing the consumer’s personal information.
At the typical spoofed website, consumers are asked to update
sensitive personal information, such as name, account and
credit card numbers, passwords, social security numbers and
other information.
What is Phishing?
Phishing is a term coined by Internet hackers who use email
lures to ‘fish’ passwords and financial data from
the sea of Internet users. Email messages designed to look like
they came from a merchant or financial institution are mailed
to Internet users. The emails direct the recipient to update or
provide information back to the company’s web site by
instructing the user to click on a URL embedded within the
email. The embedded URL links the user to a counterfeit web
site designed to look like the company’s legitimate web
site. Passwords and other personal information are then
solicited and collected by the web site and used by the scammer
to defraud the user.
Many consumers have avoided falling victim to phishing
attacks by applying the following precautions and
practices:
Measures to Prevent Falling Victim to Phishing:
- Do not reply to or click on a link in an e-mail that
requests personal information such as passwords, credit card
numbers, ATM PINs, social security numbers, etc. Instead,
contact the company cited in the e-mail using an
authenticated telephone number or other form of communication
that you are sure is genuine.
- Do not fill out forms contained in email messages
requesting sensitive information. Personal information should
be provided by calling your financial institution directly or
by logging onto their secure web site by typing the URL (web
address) into your browser. Type your financial
institution’s URL (web address) into your browser and
bookmark it. Use the bookmark derived from hand-typing the
address for all subsequent visits to your financial
institution’s website.
- Apply the latest patch for your web browser and/or
operating system software (but be sure that the patch is
legitimate).
Measures to Detect Phishing Attacks:
- Review credit card and bank account statements as soon as
you receive them to determine whether there are any
unauthorized charges. If your statement is late by more than
a couple of days, call your credit card company or bank to
confirm your billing address and account balances and to
determine whether they have mailed your statement.
- Look for a domestic telephone number on a company or
agency website, and call the number to verify the legitimacy
of the web site. Many phishing attempts originate from
outside the U.S. and thus are not likely to have a working
domestic phone number. As a further precaution, particularly
against U.S.-based phishing efforts, seek to verify the
number, such as with directory assistance or company
information that you know to be reliable.
Measures to Respond to Phishing:
- Report suspicious activity to the FTC. Send the
actual phishing e-mail to SPAM@UCE.GOV. If you believe
you have been defrauded, file your complaint at http://www.ftc.gov, and then visit
the FTC’s Identity Theft website at http://www.ftc.gov/idtheft
to learn how to minimize the financial damage from
identity theft.
- For additional guidance on how to avoid falling
victim to phishing attempts, visit the Federal Trade
Commission’s (FTC) consumer help site at http://www.consumer.gov.