Real or Fake--Can You Tell Phish From Foul?

by Kellie Halder

Logging on to the Internet connects you to millions of people around the world, including scammers phishing for your personal information. As phishing gets more sophisticated it's becoming harder to tell the real from the fake in your inbox. While nothing is foolproof, you'll avoid getting hooked if you make sure your computer is secure and practice caution on the Internet. And if you've been caught, there are steps you can take to lessen your loss.

Phishing--A brief history

Phishers use spam to lure people into fake Web sites to obtain personal information to commit identity theft. These criminals create and use e-mails and Web sites--designed to look like e-mails and Web sites of well-known legitimate businesses, financial institutions, and government agencies--to deceive Internet users into disclosing their financial institution and account information or other personal data such as usernames and passwords.

During the beginning stages of phishing it was easy to detect phony messages. Phishers often used text-heavy e-mails laced with spelling and grammar errors. But phishers have done their homework and improved their writing and design skills, making it harder for you to make the call.

In fall 2003, phishers sent e-mails containing logos and Web site designs stolen from the targeted companies. The spoofed e-mails led consumers to believe the message came from the company and divulge their information. At the same time, virus writers also started targeting PayPal^® and eBay^® users. E-mail recipients were asked to update their billing and account information and to give their Social Security number, date of birth, and mother's maiden name on a spoofed Web site closely mimicking the company's member services page.

The next wave of phishing came in January 2004. Scammers designed Web sites redirecting victims to the real home page of the targeted company, after the consumers had divulged their information on a phishing site. This is a common tactic still used today.

By April 2004 phishers discovered a new way to trick victims using authentic-looking Internet addresses. The new programming replaced the URL of the phishing site with the one from the real site in the address bar. What had been one of the easiest ways to detect phishing became much harder.

After sending phishing messages via AOL's Instant Messenger, scammers started opening fake online businesses by fall 2004. Fake online pharmacies, banks, and mortgage-and-loan firms phished thousands of credit card numbers.

The most recent type of attack involves keylogging. Once the phisher is inside your computer, he implements code that records--logs--keystrokes when you visit predetermined Web sites, often those of financial institutions. The phisher then uses the key logger information to steal your identity.

Protecting yourself

Financial institutions and other online businesses risk financial loss from a drop in business due to customer insecurity. That loss of confidence is a shame, because identity theft is less likely to occur to users of electronic services than conventional ones.

According to the Anti-Phishing Working Group (APWG), 78% of attacks target financial institution customers. See examples of phishing messages in the Phishing Archive at the APWG Web site.

Many companies now have "spoof teams" dedicated solely to handling reports of phony e-mails and spoofed Web sites. These teams have been successful in removing fake sites bearing their company's name before they reel in victims. However, it's still up to you to protect yourself. "These things [phishing attacks] are changing all the time," says Patti Poss, attorney with the FTC's Bureau of Consumer Protection. "It's best to protect yourself for the long haul," Poss adds. Here are some tips to keep you safe:

Get your computer ready
• Install a firewall as your first line of defense. This is the primary block between you and other computers on the network. Also install, run, and update antivirus and antispyware programs.
• Ensure your browser is up-to-date with security patches, especially if you're a Microsoft^® Internet Explorer user.
• Install a Web browser tool bar to alert you to known phishing Web sites. EarthLink^® ScamBlocker^TM is a free browser toolbar that warns you before you visit a site on Earthlink's list of known phisher Web sites.

Be a cautious Internet user

• Never use e-mail links to visit a Web site. Open a new browser window and type the URL in the address bar.
• Avoid filling out e-mailed forms that ask for personal information. The only way you should send credit card or account information is via a secure Web site or by phone.
  Even the most tech-savvy people are victims of phishing attacks.
• Be cautious of urgent e-mails requesting personal information. Phony e-mails usually include upsetting or exciting statements to get people to respond. Phishers most often request user names, passwords, credit card numbers, and Social Security numbers.
• Review statements closely. Report any suspicious activity immediately. Most financial institutions and online companies will reimburse customers for any phishing activity. If your statement is late, Poss advises you call the company to make sure your address has not been changed.
• Change your passwords often. If your information is caught your passwords will be out-of-date by the time they are sold to other phishers. Experts recommend using passwords with a combination of letters (upper and lowercase), numbers, and symbols.
• Look for clues you are connected to a secure site. An "https"--"s" meaning secure--and a padlock indicate a secure connection. Click on the lock to view the security certificate.

You've been phished--Now what?

Even the most tech-savvy people are victims of phishing attacks. Despite being educated and prepared, you still may be fooled into giving out your personal information. "People often don't know it's phishing--they see the unauthorized charge on their statement but don't relate it back to their Internet activity," Poss says. If you've been phished, you should assume that you'll probably become a victim of credit card fraud, bank fraud, or identity theft. The following advice will help you if you've given out sensitive information:

• Credit, debit, or ATM (automated teller machine) card information
  • Report the theft of this information to the card issuer immediately using the toll-free, 24-hour service number.
  • Cancel your account and open a new one.
  • Check your statements closely after the attack.
  • Federal law limits your liability to $50 for any unauthorized use of your credit card. You have zero liability if your credit card number has been stolen but not the card itself.
  • Liability for ATM or debit card charges depends on how quickly you report the loss. If you report the loss before a thief uses it, your liability is zero. If you don't report it within 60 days after your bank statement containing the unauthorized use is mailed to you, you risk unlimited loss.
  Phishers have done their homework and improved their writing and design skills, making it harder for you to make the call.

• Account information
  • Call your affected financial institution to report the loss right away.
  • Cancel your account and open a new one.

• eBay account
  • If someone is using your account to bid, leave feedback, or list auctions, contact eBay using the Hijacked Accounts link.
  • If there are fraudulent auctions you can use the hotline options to request an investigation of a current listing for possible fraudulent activity.
  • You also can try to sign in and change your password. If you can sign in, change your password and hint. Also, delete any auctions, and contact bidders and sellers that the hacker set up.

• Personal identification information
  • Contact the three major credit reporting agencies--Experian, Equifax, and TransUnion Corporation--and request they place a fraud alert and a victim's statement in your file. Also ask that they remove inquiries and fraudulent accounts opened after the theft. At the same time, Poss suggests requesting a free copy of your credit report. The Fair and Accurate Credit Transactions Act (FACT Act) of 2003 requires each major credit bureau to provide one free credit report annually, phased in by region, to consumers who request a copy.
  • Contact your financial institution and have it flag your account so you are notified if there is any unusual activity.
  • File a criminal report with your local police.
  • Report the theft to the Social Security Administration's Fraud Hotline.
  • Alert the passport office to watch for someone ordering a passport in your name.
  • File a complaint with the Internet Fraud Complaint Center.

In any of these cases, Poss advises victims to fill out a fraud report, close the account, file a police report, and file a complaint with the FTC.

Published July 11, 2005

Printed Sunday, September 7, 2008

  Home & Family Finance® Resource Center
  Copyright © 2008 - Credit Union National Association, Inc.