It seems like every week, some thief discovers new way to steal from and deceive the general public. One of the most convincing scams of late is commonly referred to as phishing. Phishers often lay their bait in the form of cautionary emails, luring in the believing public and tricking innocent people into giving up their personal information.
The criminals who engage in phishing are interested in stealing the identities of their victims and in so doing, gaining access to their names and resources. Early phishing scams were crudely performed, but the phishing scams being encountered today are increasingly complex, sometimes fooling even computer experts. By familiarizing yourself with the methodologies used by these scam artists, you can protect yourself and do the public a service by alerting companies when their names, logos, and reputations are being used to steal from innocent people.
Phishers aim to lure or lead people to fake websites where they trick their victims into providing their personal information such as their Social Security numbers, credit card numbers, PINs, and account numbers. Generally, the phisher first sends out a mass email, assuming the identity of a major bank or retailer, such as Wells Fargo Bank or eBay. In this email, they try to convince recipients that there's been some sort of crisis and that the company is for some reason in need of the victims' personal information-sometimes threatening that their accounts will be closed if they do not comply.
A phisher trying to imitate Wells Fargo Bank, for example, would first send out a mass email claiming, perhaps, that there had been a security breach within the company. The email might instruct you to click on the link supplied and submit your personal information for verification purposes, saying that without this verification, your account will be put on hold. Clicking on the supplied link would lead you to a website that would look almost identical to Wells Fargo Bank's actual website, where, as promised, you would be asked to supply your personal information. Those not aware of how phishing scams function are often tricked into supplying their information and later find out that they have become victims of identity theft. There are things you can do, however, to ensure that you do not become a victim.
Signs that You're Being Phished
Most reputable companies will not ask you to provide your personal information in detail or in large amounts over the internet. If you receive an email or arrive at a website that asks you to provide your Social Security number or any other personal information in excess of what you find to be normal, be wary. It's wisest in these kinds of situations to contact the company you are supposedly dealing with directly. The email you received may list a phone number, but it is most likely that calling this number will connect you with someone who is in on the scam, only perpetuating the situation. Look up the phone number of the company in the phone book or on one of your most recent statements. You can then call the company and ask them if the request for your information is legitimate. If it ends up that it was, then you can feel safe supplying the requested information. If the request was not sanctioned by the company, then you know not to supply any information. Also, having let the company know about the scam, their representatives can now take steps to find the phisher and stop them from deceiving any more of customers.
There are a couple signs that you personally can watch for on any website that asks you for your personal information. Aside from using these signs to assure you're not being phished, you can also watch for these things when purchasing items online to ensure that the website you are using is secure and can be trusted to guard your personal information.
On any site that asks you to submit your personal information, you should be able to see a yellow lock symbol on the bottom of the window on the right side. If you see this lock, and it is in the locked position, that's a good sign. If you can't find the lock or if it is in the unlocked position, you may want to start asking questions. Some phishers now have technology that is able to imitate this lock symbol. Microsoft offers a way for potential victims to check the locks validity-all you need to do is double-click on the lock symbol. Doing this should bring up the security certificate of the website you're viewing. After the words "issued to," you should see the name of the website. If the site is legitimate, the name of the website should be the actual name of the company you're dealing with. If it says anything else, again, you may have been deceived. Now would be a good idea to call the company directly and notify them about what's going on.
Also, on sites that ask for personal information, you should be able to notice the heading "https" in the online address. The "s" here stands for secure and indicates that the site has an extra level of security. If you don't see an "s," don't give up your personal information.
While you're looking at the website address, check to make sure that the address is what it should be. Some phishers are able to cover up their false website's actual address and display the address of the company they are imitating, but some less sophisticated phishers don't take that extra measure to deceive the public. Observant would-be phish can protect themselves and later others by taking notice of the web address whenever they are asked to give up their personal information.
Phishing via Snail Mail and the Telephone
Most phishing scams operate via the Internet, but they can come through your regular mail as well. Official-looking letters may arrive in your mailbox requiring you to call a number and verify something, usually your credit card number, your PIN or your Social Security number, along with a polite threat that your accounts will be closed or locked if you don't comply within a certain number of hours. Don't be fooled. Call your bank or the company purported to have sent the letter. Again, don't use the number provided-instead, look up the company's number yourself in the phonebook.
You may receive a phone call of the same nature asking for your personal information. Most of the time, you'll be greeted with a recording, but sometimes a live person could be making the calls. If you receive a call like this, be cautious and call the company directly just as you would if you were to receive a letter or email of the same nature.
Do Your Part
If you stumble upon a site created by phishers, do yourself and the company involved a favor and alert the following authorities.
- The company being spoofed: They need to know what's going on so that they can take steps to shut down the scam and warn their other customers; most websites have a specific email address they'd like you to forward your email or letter to. If you don't know of one, call the company involved and ask them where they'd like you to forward what you've received.
- The Federal Trade Commission (FTC): They want you to forward all phishy emails you receive to email@example.com.
- The FBI: In order to make things safer for us when we're online, the FBI has asked that complaints regarding phishing be filed at http://www.ic3.gov/complaint/.
- Antiphishing.org: They're trying to keep on top of online scammers and want you to forward any fraudulent emails to firstname.lastname@example.org.
You really can play a part in catching the criminals who set out phishing nets by forwarding on any evidence you are sent. Knowledge is power, and in the case of phishing, shared knowledge can protect you and others from future phishing episodes.
If the Worst Has Already Happened
If you're reading this because you know you've given out your information on a spoofed website or you suspect you may have, here is a list of things to do right away:
- Report all stolen information as soon as possible. If you gave up your credit card number, cancel the account. If you shared you bank account number, close your bank account. If you don't, you may be held responsible for charges or withdrawals made by the thief who stole your information.
- Go to the bank-check to see if any odd checks or withdrawals have been written or made. Check your monthly statements very carefully. Put an alert on your account.
- Get copies of your credit reports, and if you wish, put a fraud alert on them. If you put a fraud alert on your reports, you're entitled to a free copy of your report from each of the three agencies. Go over them carefully and dispute all inaccurate information. A handy website authorized to handle all three reporting agencies is www.annualcreditreport.com.
- Update your firewall, antispyware programs and antivirus protection because phishers sometimes secretly install "key loggers" onto your computer. These hidden programs send everything you type to the phishers, which can allow them to get your passwords, PINs and account numbers without your knowledge. If your system has been compromised, update your programs and change all of your passwords.
- File a police report.
- The Social Security Fraud Hotline wants to know about your phishing experience. They can be contacted by phone at 1-800-269-0271 and at their website, .
- Notify the Department of Motor Vehicles (DMV) and the passport office. Have them check to see if any licenses or passports have been issued using your name.
- Of course, file a complaint with the FTC. Either call them at 1-877-ID-THEFT (1-877-438-4338) or visit www.ftc.gov/bcp/edu/microsites/idtheft/
- File a complaint at http://www.ic3.gov/complaint/.
- Remember to document everything you do so that you don't forget or get confused later about what has and hasn't been done. List the names of the people you talk to, the dates and times of communication, where you are in the issue process, and what has been resolved.
Use the knowledge you have now to prevent yourself and others from getting phished in the future. These scams are serious. They can cause immediate damage to your financial situation while leaving scars on your credit report that can make future endeavors difficult for you. If you've been victimized, you can now take steps to minimize the damage done and protect yourself in the future.