Crooks use official-looking e-mails
and fake Web sites to get your personal data, then steal from
you. Here's how to protect yourself from phishing frauds, the
Net's biggest scam.
The number of reported phishing
incidents climbed 800% in the first six months of
2004, and a staggering 4,000% in the six months between November
2003 and May 2004. By June there was an average of almost 50 unique attacks
(distinct attacks from different sources) per day. With mass e-mailings,
each of those unique attacks can potentially hit thousands, if
not millions, of people.
Watch for the telltale signs
The big
problem is that the fake "phishing" e-mails look so official, so
real:
- They appear to be from trusted credit unions, banks,
retailers or other companies. Citibank is targeted more
than any other business; its name was used in almost 500 of
the 1,422 unique attacks reported to the Anti-Phishing Working
Group (APWG) in June. PayPal, US Bank and eBay names are also
used as fronts.
- The e-mail often says the company needs to verify your
information, such as account numbers or passwords, for
a supposed security purpose.
- They're slick and well-designed, using official-sounding
language and real company logos to make them look and feel
authentic.
- They try to fool you with an address "spoof." In more
than 90% of cases, the e-mail address looks like one from a
real company. The address in the "From" line is written by
whoever sent the message and is no harder to forge than the
return address on an envelope, so a legitimate-looking "From"
line can conceal a scammer's address. (Your e-mail program can
be set to display the full "headers": the "Received" lines added
by each mail server along the way show where the message really
came from, and a "Reply-To" or "Return-Path" address that doesn't
match the "From" line is another warning sign.)
Here are some other giveaways:
- Scare tactics. Most phishing scams play on security fears.
- No name. The mail doesn't address you by name but with a
generic greeting, such as "Dear CreditUnion.com Customer."
- It offers forms to fill out with your personal financial
information.
- It points to links in the e-mail, urging you to click to
"validate" or "confirm" your account.
Once you're on the hook . . .
What
happens after you inadvertently click on one of these links in a
phishing lure? Here are some ways the crooks try to trick you:
- You may be directed to a legitimate company's Web site. But a
crook's pop-up window -- not part of the real site --
will open and ask for your account information.
- The site itself may be fake, but it will have a URL similar
to the real site's (for example, the real company's name used
as one part of a longer address that actually belongs to the
crook), fooling you into using it.
- The site may be fake, but the address window showing its URL
will be hidden by a floating window displaying the
legitimate company's URL to fool you. (Most of these are
static images, so if you can't click on the window or type
anything in it, that's a good tip-off that the address
displayed is a decoy.)
- The link may trigger the download of a "key logger" to
your computer. It's a program that records what you type
into legitimate sites, including your passwords and account
numbers, then passes them on to the swindlers.
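The header and link checks described in the two sections above can be done mechanically. The following Python script is an added example, not part of the original article or of any product it mentions: it parses a constructed sample e-mail (every address, domain and IP in it is made up), compares the "From" domain with the Return-Path and Reply-To headers, and for each link compares the address shown in the link text with the host the browser would actually connect to, including the "http://realbank.com@attacker/" trick in which the browser ignores everything before the "@".

```python
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample (not a real phishing e-mail). The "From" line imitates
# a bank, but Return-Path / Reply-To and the link targets point elsewhere.
# All domains and IP addresses below are made up for illustration.
SAMPLE_PHISH = b"""\
Return-Path: <bounce@mail-relay.example.net>
Received: from mail-relay.example.net (mail-relay.example.net [192.0.2.25])
    by mx.recipient.example for <victim@recipient.example>
From: "Citibank Online" <security@citibank.com>
Reply-To: verify-account@citi-secure-login.example.net
To: victim@recipient.example
Subject: Urgent: verify your account
Content-Type: text/html

<html><body>
<p>Dear Citibank Customer,</p>
<p>Please <a href="http://www.citibank.com@192.0.2.77/confirm">click here
to confirm</a> your account, or visit
<a href="http://citibank.com.account-verify.example.net/">http://www.citibank.com/</a>.</p>
</body></html>
"""


def sender_domain(header_value: str) -> str:
    """Domain part of the first e-mail address in a header value ('' if none)."""
    m = re.search(r"@([A-Za-z0-9.-]+)", header_value or "")
    return m.group(1).lower().rstrip(".") if m else ""


def url_host(url: str) -> str:
    """Host the browser will actually connect to. urlparse, like a browser,
    treats anything before '@' in the authority as userinfo, not as the host."""
    return (urlparse(url.strip()).hostname or "").lower()


def under_domain(host: str, domain: str) -> bool:
    """True if host is domain itself or a subdomain of it."""
    return bool(domain) and (host == domain or host.endswith("." + domain))


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def analyse(raw: bytes) -> dict:
    """Return the From domain, the links found, and a list of warning strings."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    from_dom = sender_domain(str(msg.get("From", "")))
    findings = []
    # Header check: envelope sender and reply address should belong to the
    # same organisation as the displayed "From" address.
    for hdr in ("Return-Path", "Reply-To"):
        dom = sender_domain(str(msg.get(hdr, "")))
        if dom and not under_domain(dom, from_dom):
            findings.append(f"{hdr} domain {dom} does not match From domain {from_dom}")
    # Link check: compare where each link says it goes with where it goes.
    body = msg.get_body(preferencelist=("html", "plain"))
    collector = LinkCollector()
    collector.feed(body.get_content() if body is not None else "")
    for href, text in collector.links:
        host = url_host(href)
        netloc = urlparse(href.strip()).netloc
        if "@" in netloc:
            findings.append(f"link hides its target with '@': shows "
                            f"{netloc.split('@')[0]}, goes to {host}")
        shown = url_host(text)
        if shown and shown != host:
            findings.append(f"link text shows {shown} but points to {host}")
        if host and not under_domain(host, from_dom):
            findings.append(f"link host {host} is not under sender domain {from_dom}")
    return {"from_domain": from_dom, "links": collector.links, "findings": findings}


if __name__ == "__main__":
    for warning in analyse(SAMPLE_PHISH)["findings"]:
        print("WARNING:", warning)
```

Run against the sample, the script flags both mismatched headers and all four link problems. The "under the sender's domain" test is deliberately strict: a host such as citibank.com.account-verify.example.net merely starts with the bank's name, it is not a subdomain of citibank.com, which is the distinction the "similar URL" trick relies on readers missing.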
How to avoid the hook, line and sinker
The
Federal Trade Commission’s No. 1 tip for avoiding this ripoff:
DON'T provide any personal financial information via e-mail.
- Be extremely suspicious of any e-mail with urgent requests
for personal financial information.
- Don't fill out forms in e-mail messages that ask for
personal financial information.
- Don't use the links in an e-mail to get to any Web page
if you suspect the message might not be authentic. Instead,
telephone the company or log onto the Web site directly by
typing its Web address in your browser.
- Don't give your credit card numbers or account information
unless you're using a secure Web site or the telephone.
Check the beginning of the Web address in your browser's
address bar. A secure site should show as "https://" rather
than just "http://". Keep in mind that "https://" only means
the connection is encrypted to whatever site the address names;
a crook can run an https site too, so also check that the domain
name in the address bar is the company's real one. (You may also
want to click on the window containing the secure address, to
make sure you're not dealing with a floating window.)
- Beware of e-mail attachments. Don't open them or
download any files, regardless of who appears to have sent
them; the sender's name can be forged just like the "From" line.
- Check your bank and credit card statements online on a
regular basis. Make sure the transactions are legitimate.
Don't wait for a mailed paper statement, which can take up
to a month. If you see something suspicious, contact your
bank and all card issuers using a phone number you know to
be legitimate or by typing a secure Web site URL into the
Internet browser address bar.
- Use anti-virus software and keep it up to date. Anti-virus
software and a firewall can protect you from inadvertently
accepting unwanted key-logger files. Look for anti-virus
software that recognizes current viruses as well as older
ones; that can effectively reverse the damage; and that
updates automatically.
- Keep your computer's operating system up to date and
download security patches. These free software patches for
your operating system close holes that hackers or phishers
could exploit. (You can check for Microsoft patches here:
http://www.microsoft.com/security/.)
- Consider installing a Web browser tool bar to help
protect you from known phishing fraud Web sites.
EarthLink ScamBlocker alerts you before you visit a page
that's on EarthLink's list of known phisher Web sites. eBay
offers a free toolbar that warns you when you might be on a
spoofed eBay site.
- Report the attacks by forwarding the phishing e-mail to
the following addresses: spam@uce.gov and
reportphishing@antiphishing.org.
What to do if you've divulged sensitive info
If you
think you’ve been scammed, you can file a complaint with the
FTC and the
Internet Fraud Complaint Center. But the most important
thing is to notify the bank or credit card issuer of the account
that has been compromised. You’ll probably want to close the
account and open a new one.
If you’ve given away your Social Security number, you should
also notify the big three credit reporting agencies -- Experian,
Equifax and TransUnion -- so that a fraud alert can be placed on
your file. That way, if anyone applies for new accounts with
your Social Security number, you should be notified at home. You
should also start regularly monitoring your credit reports, if
you don’t already.
Resource:
Jennifer Mulrean - MSN Money