If you’ve been swatting away warnings of phishing scams for the last couple years, it may be time to finally stop and pay attention.
Why? It's running rampant, and nearly all of us are targets. In this scam, crooks use official-looking but fake e-mails and Web sites to lure you into revealing personal financial information. Then they can drain your bank accounts, charge up your credit cards or steal your identity. And according to some industry experts, it’s the biggest fraud on the Internet.
The Anti-Phishing Working Group (APWG) says the number of reported incidents of the scam climbed 800% in the first six months of 2004, and a staggering 4000% in the six months between November 2003 and May 2004. By June, the latest month for which data is available, the APWG reports an average of almost 50 unique attacks (attacks from different sources) per day. With mass e-mailings, each of those unique attacks can potentially hit thousands, if not millions, of people.
Who's taking the bait? As many as 3% to 5% of people who get the e-mails, the experts say. And the sheer numbers of people being targeted mean big payoffs for swindlers.
Watch for the telltale signs
The big problem is that the fake "phishing" e-mails look so official, so real:
They appear to be from trusted banks, retailers or other companies. Citibank is targeted more than any other business; its name was used in almost 500 of the 1,422 unique attacks reported to APWG in June. PayPal, US Bank and eBay names are also used as fronts.
The e-mail often says the company needs to verify your information, such as account numbers or passwords, for supposed security purposes.
They're slick and well-designed, using official-sounding language and real company logos to make them look and feel authentic.
They try to fool you with an address "spoof." In more than 90% of cases, the e-mail address looks like one from a real company. Although the address in the “From” line of the e-mail may contain a legitimate address, it conceals a scammer's address. (Your e-mail program can be set to display "headers" so you can see a false address. Read more in this Slate article on how to detect spoofed e-mails.)
While working on this story, I received a phishing e-mail that used the SunTrust bank brand. It said my SunTrust account (something I’ve never had) had possibly been “compromised by outside parties.” It instructed me to verify my identity by clicking on a link and then said not to access my account online for the next 48-72 hours. Now the e-mail sticks out as an obvious ploy, but if I’d really had a SunTrust account and had been less aware of phishing, I might have clicked the link -- if only to try to get a better idea of what the fuss was all about.
Here are some other giveaways:
Scare tactics. Like the SunTrust phish above, it may play on security fears.
No name. The mail doesn't address you by name but with a generic greeting, such as “Dear Suntrust.com Customer.”
It offers forms to fill out with your personal financial information.
It points to links in the e-mail, urging you to click to "validate" or "confirm" your account.
Once you're on the hook . . .
What happens after you inadvertently click on one of these links in a phishing lure? Here are some ways the crooks try to trick you:
You may be directed to a legitimate company's Web site. But a crook's pop-up window -- not part of the real site -- will open and ask for your account information.
The site itself may be fake, but it will have a similar URL to the real site, fooling you into using it.
The site may be fake, but the address window showing its URL will be hidden by a floating window displaying the legitimate company's URL to fool you. (Most of these are static images, so if you can’t click on the window or type anything in it, it’s a good tip-off that the address displayed is a decoy.)
The link may trigger the download of a "key logger" to your computer. It's a program that records what you type into legitimate sites, including your passwords and account numbers, then passes them on to the swindlers.
How to avoid the hook, line and sinker
The Federal Trade Commission’s No. 1 tip for avoiding this ripoff: DON'T provide any personal financial information via e-mail. (Banks and other companies frequently remind customers that they don't ever ask for sensitive financial data via e-mail.) Other tips from the FTC and the APWG:
Be extremely suspicious of any e-mail with urgent requests for personal financial information.
Don't fill out forms in e-mail messages that ask for personal financial information.
Don't use the links in an e-mail to get to any Web page if you suspect the message might not be authentic. Instead, telephone the company or log onto the Web site directly by typing its Web address in your browser.
Don't give your credit card numbers or account information unless you're using a secure Web site or the telephone. Check the beginning of the Web address in your browser's address bar. A secure site should show as "https://" rather than just "http://" (You may also want to click on the window containing the secure address, to make sure you’re not dealing with a floating window.)
Beware of e-mail attachments. Don't open them or download any files, regardless of who sent them.
Check your bank and credit card statements online on a regular basis. Make sure the transactions are legitimate. Don't wait for a mailed paper statement, which can take up to a month. If you see something suspicious, contact your bank and all card issuers using a phone number you know to be legitimate or by typing in a secure Web site URL into the Internet browser address bar.
Use anti-virus software and keep it up to date. Anti-virus software and a firewall can protect you from inadvertently accepting unwanted key-logger files. Look for anti-virus software that recognizes current viruses as well as older ones; that can effectively reverse the damage; and that updates automatically.
Keep your computer's operating system up to date and download security patches. These free software patches for your operating system close holes that hackers or phishers could exploit. (You can check for Microsoft patches here: http://www.microsoft.com/security/.)
Consider installing a Web browser tool bar to help protect you from known phishing fraud Web sites. EarthLink ScamBlocker alerts you before you visit a page that's on Earthlink's list of known phisher Web sites. Ebay offers a free toolbar that warns you when you might be on a spoofed eBay site.
Report the attacks by forwarding the phishing e-mail to the following addresses: email@example.com, firstname.lastname@example.org and to the "abuse" e-mail address at the company that is being spoofed (e.g. "email@example.com").
What to do if you’ve divulged sensitive info
If you think you’ve been scammed, you can file a complaint with the FTC and the Internet Fraud Complaint Center. But the most important thing is to notify the bank or credit card issuer of the account that has been compromised. You’ll probably want to close the account and open a new one.
If you’ve given away your Social Security number, you should also notify the big three credit reporting agencies -- Experian, Equifax and TransUnion -- so that a fraud alert can be placed on your file. That way, if anyone applies for new accounts with your Social Security number, you should be notified at home. You should also start regularly monitoring your credit reports, if you don’t already.