Gone Phishing

Updated: April 30, 2009

Bad news. The email says your bank account will be suspended unless you visit the bank's Web site and immediately re-enter your Social Security number, phone number, several credit card numbers, library card number and maybe even the name of the presidential candidate you voted for in the 2004 election.

Hey, wait a minute. Do you think that message could be part of a scam to steal your cash and identity? Quite probably, yes. The Anti-Phishing Working Group, an association of retailers and financial institutions focused on eliminating Web-based fraud, reports that it finds about 20,000 to 30,000 unique "phishing" Web sites each month.

Each day, most Internet users are assaulted by "important" emails that require "immediate attention" about some type of banking or e-commerce matter. The email urges you to click a link to go to the company's site to straighten out the problem. The catch is that the link takes you to a site that has been designed to look exactly like the real company's site, but is instead just a front for gathering personal information.

Most financial or commercial crisis messages are bogus, but a few might not be. So how do you sort out the real email from the garbage? These tips from the Anti-Phishing Working Group can keep you from getting hooked as another phishing victim:

  • Be automatically suspicious of any email with urgent requests for personal financial information.
  • Unless the email is digitally signed , you can't be sure it wasn't forged or "spoofed."
  • Phishers typically include upsetting or exciting (but false) statements in their emails to get people to react immediately.
  • Once you get to the phisher's site, it will typically ask for information such as usernames, passwords, credit card numbers, Social Security numbers, date of birth and so on. This should be a red flag — a real site would never ask for more than a log in before addressing the problem.
  • Phisher emails usually aren't personalized, but they can be. Valid messages from your bank or e-commerce company generally are personalized, but always call to check if you are unsure.
  • Don't use the links in an email, instant message or chat to get to any Web page if you suspect the message might not be authentic or you don't know the sender or user's name.
  • Call the company on the telephone or log onto the Web site directly by typing the Web address in your browser.
  • Avoid filling out forms in email messages that ask for personal financial information.
  • You should only communicate information such as credit card numbers or account information via a secure Web site (one that begins in "https") or the telephone.
  • Always ensure that you're using a secure Web site when submitting credit card or other sensitive information via your Web browser.
  • Phishers are now able to "spoof," or forge the "https://" that you normally see when you're on a secure Web server and a legitimate-looking address. You may even see both in the link of a scam email. Make it a habit to enter the address of any banking, shopping, auction or financial transaction Web site yourself and not depend on displayed links.
  • Phishers may also forge the yellow lock you would normally see near the bottom of your screen on a secure site. The lock has usually been considered as another indicator that you are visiting a "safe" site. The lock, when double-clicked, displays the security certificate for the site. If you get any warnings displayed that the address of the site you have displayed does not match the certificate, do not continue.
  • Not all scam sites will try to show the "https://" and/or the security lock. Get in the habit of looking at the address line, too.
  • Consider installing a Web-browser toolbar to help protect you from known fraudulent Web sites. These toolbars match where you are going with lists of known phisher Web sites and will alert you.
  • The newest release of Internet Explorer version 7 includes this toolbar, as does Firefox version 2 .
  • EarthLink ScamBlocker is part of a browser toolbar that is free to all Internet users. You can download it here .
  • Regularly log in to your online accounts to check that transactions and balances look OK.
  • Regularly check your bank, credit- and debit-card statements to ensure that all transactions are legitimate.
  • If anything is suspicious or you don't recognize the transaction, contact your bank and all card issuers to follow up.
  • Ensure that your browser is up-to-date and that all security patches have been applied.
  • Forward "phishing" or "spoofed" emails to the following groups:
  • reportphishing@antiphishing.org, the Federal Trade Commission at spam@uce.gov and to the company that's being spoofed (for instance, "spoof@ebay.com").
  • When forwarding spoofed messages, always include the entire original email with its original header information intact.
  • Notify The Internet Crime Complaint Center of the FBI by filing a complaint on its Web site.
Related Categories
Featured Research
  • Securing Enterprise Information Technology

    In the 1980s and 1990s, business applications and data were largely confined within and protected by a Local Area Network (LAN). The 2000s introduced a significant change. Download this white paper now to learn why the shift to the cloud is changing how companies think about and manage their IT infrastructure. more

  • Office365 Adoption eGuide

    Microsoft moved to the cloud in 2014, and, as a result, Office 365 is taking off. Now, Okta customers are connecting to Office 365 in increasing numbers. This eGuide explains why IT departments should plan and deploy solutions around identity and mobility management in concert with their Office 365 roll out to get maximum user adoption. more

  • Okta Directory Integration

    For most companies, Active Directory (AD) or Lightweight Directory Access Protocol (LDAP) play a central role in coordinating identity and access management policies. When on-premise applications are integrated to Active Directory or LDAP, users get the best possible experience. That's why Okta's cloud-based identity and access management service provides a highly useful single integration point. more

  • Top 8 Identity and Access Management Challenges with Your SaaS Applications

    With more and more businesses adopting Software-as-a-Service (SaaS) applications, enterprise IT is fundamentally changing. This whitepaper presents the eight biggest Identity and Access Management (IAM) challenges associated with adopting and deploying cloud and SaaS applications, and discusses best practices for addressing each of them. more

  • Better BYOD with Pulse Secure and MDM Partners

    Learn how Pulse Secure and leading MDM product partners are transforming the way employees and IT benefit from the productivity and flexibility of BYOD — without compromising security or increasing management complexity. more