Summary:
Be wary of emails looking for personal information. Often, they're "phishing" scams, from identity thieves. Here's how to avoid getting snared.
Don't get lured by a phishing scam
By Meryl K. Evans
A fisherman puts an enticement at the end of the fishing line in hopes of luring fish to the hook to catch it. Phishers, also known as scam artists, use emails for their lures with the aim of catching people's personal and sensitive information. That criminal activity is called phishing.
Phishing emails look like they come from a well-known business, site or agency such as eBay, PayPal, Amazon, the IRS or a bank. They often say you have qualified for a program or that you need to verify your account information. The email sender's address could contain "aw-confirm@ebay.com" or "service@paypal.com," both of which look like legitimate email addresses. The email might also use the company's logo to convince the recipient they're the real thing. The contents of the email typically contain a link that, on the surface, looks like an official Web site address. However, the link goes to a Web site that mimics the real company's Web site to trick the unsuspecting victim into providing personal information, such as account login information, bank account numbers, social security numbers and credit card numbers.
So, in a way, phishing emails work like the lure on a fishing line. It looks tasty, but the consequences of taking the bait can be devastating. Users tricked into taking the bait not only give up sensitive information, but also put themselves at risk for identity theft. Carding and spoofing are other names for phishing.
Spotting a trap
Spotting the phisher’s lure is a challenge, but you can be alert to giveaway clues. For example, you can identify an email as phony when it comes from a company, bank or service that you don't use. However, you have to be careful with companies with which you do conduct business as well. Anytime you receive an email resembling a company or Web site that you use and it requests personal information, don't click the link in the email.
Here's an example. You receive an email from eBay claiming you qualify as a Silver PowerSeller as shown in Figure 1. Do you use eBay? If not, that's your first clue that you've caught a phisher. But if you do use eBay, ask yourself whether the message applies to you: Do you sell enough through eBay to qualify for "Power Seller?" Type www.ebay.com into your browser (do not click on a link within the message; if the email is a spoof, then the link will be bogus as well) and check the Help section to learn the definition of an eBay Power Seller: "Power Sellers are eBay top sellers who have sustained a consistent high volume of monthly sales and who have a high level of Feedback (98% positive or better)."

Let's say you are a PowerSeller. Remember, legitimate companies will never ask for your personal information through an unsolicited email. To check the validity of the email, you can either contact the organization (in this example, eBay) or open your Web browser and type in www.ebay.com, sign in and check your messages there. If the email is from eBay, the message will be in your eBay messages inbox. In this example, you see the email is from an address at powersellers.com. Enter www.powerseller.com in your Web browser. It takes you to a software consultant company's Web site. The link in the email doesn't go to eBay or a Power Seller Web site. If you click on the link in the email, however, the link takes you to a copycat site (see Figure 2). Lured users, thinking they're on eBay, enter their eBay login and ID. The phisher captures your eBay account information and can take advantage of your account.

Notice the Web address in Figure 2 has numbers (62.48.234.67) instead of www.ebay.com. The address also begins with "http://." Legitimate sites provide a secure login screen, which you can identify by a Web address that begins with "https://." Notice the "s" on the end, which represents a secure site.
Protect yourself
Protect your computer from phishers by having the latest anti-virus, anti-spyware and spam filter software. Ensure the software's files or definitions stay updated. Since scammers continuously evolve, so do the definitions. The definitions in your anti-virus software look for and identify anything resembling viruses, spyware and other scumware.
Using a spam filter also lowers your risk of receiving emails phishing for your information. Web browsers such as Internet Explorer 7, Firefox 2.0 and Opera contain built-in anti-phishing tools. Firefox 2.0, for example, comes with Phishing Protection that tells you when Firefox suspects a site is a fake. Internet Explorer's Phishing Filter warns you about phishing sites and blocks them.
If an email comes with a file attached to it, don't open the attachment unless you expected it. Scammers have ways of sending email from people you know in the "From" header. Just because you know the person doesn't mean the email came from that person or the attachment is safe to open.
Credit card companies usually contact you when they see unusual activity on your account. Legitimate credit card companies do not ask for your account numbers or any personal information through email. When they contact you, it is by phone, and they only ask about a specific transaction. Protect yourself by asking for the person's name, phone number, address and the agency's name. Look up the agency's contact information in a phone book or another legitimate resource, and call to find out if the person is legitimate.
Before completing a form or entering personal information, look for the lock in your browser's lower-right corner. This lets you know you're on a secure connection. In Figure 3, PayPal not only has a secure lock icon in the lower-right corner of the browser, but also uses "https://" to indicate a secure connection.

Yikes, I fell for it
If you think you are a victim of phishing, and gave out your PIN, account numbers, credit card numbers and other personal information, then immediately contact the companies from the affected accounts and have them put a "fraud alert" on your account. Close any accounts for which you've given out information or that you know are compromised.
Also contact one of the credit bureaus to add a fraud alert to your credit report. AnnualCreditReport.com provides information on the bureaus and provides a means for viewing your free credit report.
When you contact a credit bureau, the company will contact the other two reporting companies to have them add a fraud alert. Also, request a free copy of your credit report from the three credit reporting companies. Review the report for accounts you don't know about, companies you didn't contact and unknown debts.
Even if you avoid a phishing scam, help fight phishing and identity theft by reporting the incident to the company whose name appears in the email, submitting a report online at www.fraud.org or calling the Fraud Center at (800) 876-7060. The National Fraud Information Center and Internet Fraud Watch programs have information on Internet scams.
Resources on Phishing:
Anti-Phishing Working Group
Federal Trade Commission
Companies such as Microsoft and sites including eBay and Yahoo have information available on phishing.







