Phishing - What It Is and How to Protect Yourself From Identity Theft Frauds

Phishing - Fake Requests for Your Personal Financial Information

What is Phishing?

Phishing is a method thieves and con men used to get personal information from you in order to steal your identity and then your money or benefits. Pretending to be from a legitimate retailer, bank, or government agency, the sender uses generic statements like your account is about to be closed, an order for something has been placed in your name, or your information has been lost because of a computer problem to scare you into clicking on a link, calling them or emailing back. Typically, you receive an email from a bank, credit card company, etc. asking you to go to its site (with the link provided) to reenter your most personal information. The link takes you to a bogus website! Another tactic phishers use is to say they're from the fraud departments of well-known companies and ask to verify your information because they suspect you may be a victim of identity theft! In one case, a phisher claimed to be from a state lottery commission and requested people's banking information to deposit their "winnings" in their accounts.

Gartner Group reports that, in one year from May, 2005, over 1.8m consumers have been conned by phishing attacks into revealing sensitive information. The majority of that was in 2004 to 2005. And it has only grown enormously ever since then.  Phishing emails have increased by 4000 % in the past 6 months. The average consumer victim loses $1200 when his bank account is taken over. The United States Treasury even has a warning about phishing scams.

In short,

• Phishing almost always involves sending out fake e-mail messages that ask the recipients to enter personal financial information, such as bank account numbers, credit card numbers, passport numbers, etc. into forms on Web sites that are designed to resemble the bank, credit card, or other company who they are claiming to be.
• Phishing can also happen by phone. You may get a call from someone pretending to be from a company or government agency, making the same kinds of false claims and asking for your personal information.
• Phishing attacks are brief - they normally last  than a week, and often fake sites are active for only 2 or 3 days.

• And don't think for a moment that the "sent from" or "reply to" addresses are real.. or really who sent it.  See this page about spoofing!

You can see examples of phishing emails on this page.

"Vishing" - Phishing by Telephone

A variant, "vishing" uses telephone systems. A vishing scam occurs when a consumer receives a recorded message telling them a credit card and/or financial institution account has been breached and to immediately call a number provided in the message. The phone number leads the consumer to a fraudulent call center where people are asked to supply or verify pertinent financial account, social security or credit card information.

History of Phishing

Phishing scams began in the mid-1990s not to obtain bank or credit card information, but to get free online access. In those days, ISPs like AOL charged by the minute. Phishers would try to obtain AOL members login user id and passwords by sending e-mails appearing to come from AOL's member services department.  The fake email would ask recipients to verify their user names and passwords. The scammers would then log on, using the victims' accounts, and run up a bill.

Phishers target a variety of customers: from CitiBank (which is currently used in 54 per cent of phishing messages) to AOL, Amazon.com, Ebay, PayPal and others.

What do Phishers do with the Information Today?

Now the criminals use the information they obtain to apply for new credit cards in the victim's name, withdraw money directly from victims' bank accounts, and spend, spend, spend... the victim's money

In some cases, the scammers act as a clearinghouse, selling stolen credit card numbers in online forums to others who use the information.  Amazingly, the stolen account numbers usually only bring a dollar or two each!

What Can you Do to Protect Yourself from Phishing Theft

• First, DON'T click on the link in an email that asks for your personal information. It will take you to a phony Web site that looks just like the Web site of the real company or agency. Following the instructions, you enter your personal information on the Web site ' and into the hands of identity thieves. To check whether the message is really from the company or agency, call it directly or go to its Web site. If you don't have the telephone number, get it from the phone book, the Internet, or directory assistance. Use a search engine to find the official Web site. Banks wouldn't ask for your mother's maiden name.  Also, look for misspellings in the bogus e-mail. If you get an email that warns you, with little or no notice, that an account of yours will be shut down unless you reconfirm your billing information, do not reply or click on the link in the email. Instead, contact the company cited in the email using a telephone number or Web site address you know to be genuine.
• If someone contacts you and says you've been a victim of fraud, verify the person's identity before you provide any personal information. Legitimate credit card issuers and other companies may contact you if there is an unusual pattern indicating that someone else might be using one of your accounts. But usually they only ask if you made particular transactions; they don't request your account number or other personal information. Law enforcement agencies might also contact you if you've been the victim of fraud. To be on the safe side, ask for the person's name, the name of the agency or company, the telephone number, and the address. Then get the main number (see tip above) and call to find out if the person is legitimate.
• Check out the list of recent phishing attacks and the information about Phishing Pop-ups!
• Look at these examples of phishing emails to be familiar!
• Job seekers should also be careful. Some phishers target people who list themselves on job search sites. Pretending to be potential employers, they ask for your social security number and other personal information. Follow the advice above and verify the person's identity before providing any personal information.

• Be suspicious if someone contacts you unexpectedly and asks for your personal information. It's hard to tell whether something is legitimate by looking at an email or a Web site, or talking to someone on the phone. But if you're contacted out of the blue and asked for your personal information, it's a warning sign that something is "phishy." Legitimate companies and agencies don't operate that way.
• Act immediately if you've been hooked by a phisher. If you provided account numbers, PINs, or passwords to a phisher, notify the companies with whom you have the accounts right away. For information about how to put a "fraud alert" on your files at the credit reporting bureaus and other advice for ID theft victims, contact the Federal Trade Commission's ID Theft Clearinghouse, www.consumer.gov/idtheft or toll-free, 877-438-4338. The TDD number is 202-326-2502.
• Avoid emailing personal and financial information. Before submitting financial information through a Web site, look for the "lock" icon on the browser's status bar. It signals that your information is secure during transmission.
• Review credit card and bank account statements as soon as you receive them to determine whether there are any unauthorized charges. If your statement is late by more than a couple of days, call your credit card company or bank to confirm your billing address and account balances.
• Even if you didn't get hooked, report phishing. Tell the company or agency that the phisher was impersonating. Send the actual spam to and spam@uce.gov. You can also report the problem to law enforcement agencies through the National Fraud Information Center/Internet Fraud Watch, www.fraud.org or 800-876-7060, TDD 202-835-0778. The information you provide helps to stop identity theft.    

---

Reporting a Possible Phishing Attack

If you need advice about an Internet or online solicitation, or you want to report a possible scam, use the Online Reporting Form or call the NFIC hotline at 1-800-876-7060.

To report to the organization impersonated in the email you received, write directly to the company or organization.  Here are the real websites, email addresses and phone numbers of some of the more common targets of spoofing / phishing:

Company name and link to their website	Email address to report spoofing and phishing	Phone
Amazon.com	See this page for detail information about Amazon scams and reporting them, or forward the email to stop-spoofing@amazon.com
American Express	spoof@americanexpress.com
AmSouth Bank	fraud@amsouth.com	1-800-267-6884
Bank Of America	abuse@bankofamerica.com
Bank Of The West	abuse@bankofthewest.com	1-949-622-0525
Barclays	internetsecurity@barclays.co.uk
Best Buy or Geek Squad	abuse@bestbuy.com
Chase	abuse@chase.com
CitiBank	emailspoof@citigroup.com
CVS		888-607-4287.
EBay	spoof@ebay.com
EBay.co.uk	spoof@ebay.co.uk
Facebook
Federal Trade Commission	spam@uce.gov
Fifth Third Bank	53investigation@security.53.com	1-800-927-0395
Foxnews.com	Ureport to Fox News
FlagStar Bank	abuse@flagstar.com
LaSalle Bank	emailhoax@abnamro.com	1-866-904-7500
PayPal	spoof@paypal.com
PayPal.co.uk	spoof@paypal.co.uk
Star	service@star.com
SunTrust	reportfraud@suntrust.com	1-800-227-3782
TCF Bank	emailfraud@tcfbank.com
US Bank	fraud_help@usbank.com
Walmart	Walmart2Walmart/RIA Fraud Hotline fraudprevention@riafinancial.com	855-355-2145
Washington Mutual	spoof@wamu.com	1-800-788-7000
Wells Fargo	reportphish@wellsfargo.com	1-866-867-5568

Protect Yourself:

The following documents and websites can help you learn more about phishing and how to protect yourself against phishing attacks.

• Avoiding Social Engineering and Phishing Attacks
• Protecting Your Privacy
• Understanding Web Site Certificates
• Anti-Phishing Working Group (APWG)
• Federal Trade Commission, Identity Theft
• Recognizing and Avoiding Email Scams

Methods of Reporting Phishing Email to the US Government

• In Outlook Express, you can create a new message and drag and drop the phishing email into the new message. Address the message to phishing-report@us-cert.gov  and send it.
• In Outlook Express you can also open the email message^* and select File > Properties > Details. The email headers will appear. You can copy these as you normally copy text and include it in a new message tophishing-report@us-cert.gov .
• If you cannot forward the email message, at a minimum, please send the URL of the phishing website.

* If the suspicious mail in question includes a file attachment, it is safer to simply highlight the message and forward it. Some configurations, especially in Windows environments, may allow the execution of arbitrary code upon opening and viewing a malicious email message.

For More Information About Phishing, See:

• Click Here for a copy of NCL's Phishing Brochure.  Requires Adobe Acrobat Reader'.
• How Not to Get Hooked by a 'Phishing' Scam  [PDF version]
  Offers tips on how to avoid falling victim to a new type of spam scam in which consumers are deceived into handing over personal financial information.
• Is Someone "Phishing" for Your Information?  [PDF version]
  Cautions consumers about emails that claim to be from government agencies in an attempt to steal personal information.
• Digital PhishNet Web site.
• Phish Report Network - a cooperative effort by several companies providing an information clearinghouse that will be run by WholeSecurity, a provider of client-side security solutions.
• Internet Crime Prevention & Control Institute, a cooperative effort between Zero Spam Network Corp. and the University of Miami. Staffed by Miami undergraduate and graduate students and Zero Spam employees, works closely with the Secret Service's Electronic Crimes Task Force and ISPs in the United States and abroad to identify and block traffic to machines hosting phishing sites.
  • Report A Crime
  • FTC Fraud Reporting

 

 

---

 

For a comprehensive list of national and international agencies to report scams, see this page.