Real or Fake--Can You Tell Phish From Foul?
Logging on to the Internet connects you to millions of people around the world, including scammers phishing for your personal information. As phishing gets more sophisticated it's becoming harder to tell the real from the fake in your inbox. While nothing is foolproof, you'll avoid getting hooked if you make sure your computer is secure and practice caution on the Internet. And if you've been caught, there are steps you can take to lessen your loss.
Phishing--A brief history
Phishers use spam to lure people into fake Web sites to obtain personal information to commit identity theft. These criminals create and use e-mails and Web sites--designed to look like e-mails and Web sites of well-known legitimate businesses, financial institutions, and government agencies--to deceive Internet users into disclosing their financial institution and account information or other personal data such as usernames and passwords.
During the beginning stages of phishing it was easy to detect phony messages. Phishers often used text-heavy e-mails laced with spelling and grammar errors. But phishers have done their homework and improved their writing and design skills, making it harder for you to make the call.
In fall 2003, phishers sent e-mails containing logos and Web site designs stolen from the targeted companies. The spoofed e-mails led consumers to believe the message came from the company and divulge their information. At the same time, virus writers also started targeting PayPal® and eBay® users. E-mail recipients were asked to update their billing and account information and to give their Social Security number, date of birth, and mother's maiden name on a spoofed Web site closely mimicking the company's member services page.
The next wave of phishing came in January 2004. Scammers designed Web sites redirecting victims to the real home page of the targeted company, after the consumers had divulged their information on a phishing site. This is a common tactic still used today.
By April 2004 phishers discovered a new way to trick victims using authentic-looking Internet addresses. The new programming replaced the URL of the phishing site with the one from the real site in the address bar. What had been one of the easiest ways to detect phishing became much harder.
After sending phishing messages via AOL's Instant Messenger, scammers started opening fake online businesses by fall 2004. Fake online pharmacies, banks, and mortgage-and-loan firms phished thousands of credit card numbers.
It's best to protect yourself--and your computer--for the long haul.
The most recent type of attack involves keylogging. Once the phisher is inside your computer, he implements code that records--logs--keystrokes when you visit predetermined Web sites, often those of financial institutions. The phisher then uses the key logger information to steal your identity.
Financial institutions and other online businesses risk financial loss from a drop in business due to customer insecurity. That loss of confidence is a shame, because identity theft is less likely to occur to users of electronic services than conventional ones.
According to the Anti-Phishing Working Group (APWG), 78% of attacks target financial institution customers. See examples of phishing messages in the Phishing Archive at the APWG Web site.
Many companies now have "spoof teams" dedicated solely to handling reports of phony e-mails and spoofed Web sites. These teams have been successful in removing fake sites bearing their company's name before they reel in victims. However, it's still up to you to protect yourself. "These things [phishing attacks] are changing all the time," says Patti Poss, attorney with the FTC's Bureau of Consumer Protection. "It's best to protect yourself for the long haul," Poss adds. Here are some tips to keep you safe:
Be a cautious Internet user
You've been phished--Now what?Even the most tech-savvy people are victims of phishing attacks. Despite being educated and prepared, you still may be fooled into giving out your personal information. "People often don't know it's phishing--they see the unauthorized charge on their statement but don't relate it back to their Internet activity," Poss says. If you've been phished, you should assume that you'll probably become a victim of credit card fraud, bank fraud, or identity theft. The following advice will help you if you've given out sensitive information:
In any of these cases, Poss advises victims to fill out a fraud report, close the account, file a police report, and file a complaint with the FTC.
Home & Family FinanceŽ Resource Center