Email users are being bombarded with authentic-looking messages that instruct them to provide sensitive personal information. It's called "phishing." Individuals who "bite" are exposed to identity theft.
Phishing occurs when a consumer receives a deceptively legitimate-looking email from what appears to be a reputable company. The email asks recipients to update their credit card information or their account will be promptly terminated. Or the message offers a service to protect their credit cards from possible fraud.
Often "phishing" spam messages will use legitimate 'From:' email addresses, logos, and links to reputable businesses such as AOL, PayPal, Best Buy, Earthlink and eBay in the message. But the message instructs you to click on a web link that sends you to a fake website where you are asked to provide personal information to the scam artists. Such sites will ask for information such as your name, address, phone number, date of birth, Social Security number (SSN), and bank or credit card account number. Providing this kind of information can leave consumers at risk for identity theft.
Ironically, many such bogus emails prey upon consumers' fears of being exposed to fraud. They ask for updated credit card account information or other pieces of personal financial information and state that the consumer's account will be terminated in the near future if the information requested is not provided. The following includes some of the tips that were offered in a recent CNN article:
- For a demonstration of how a real phishing scheme works, visit www.identitytheftsecrets.com.
- Don't trust e-mail headers, which can be forged easily.
- Avoid filling out forms in e-mail messages. You can't know with certainty where the data will be sent and the information can make several stops on the way to the recipient.
- If you click on a link in an e-mail message from a company, be aware that many scam artists are making forgeries of companies' sites that look like the real thing. Verify the legitimacy of a web address with the company directly before submitting your personal information.
- If you go to a link offered in an unsolicited e-mail, check to see if there is an 's' after the http in the address and a lock at the bottom of the screen that indicates the link is secure and encrypts data. Though this is not an indication that the site is legitimate, an online form that asks a consumer to submit sensitive personal information should always be encrypted. Scam artists are less likely to have encrypted forms, but if they are trying to elicit personal information, they may take every precaution to make consumers believe their site is secure and therefore, legitimate.
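As an added illustration of the header and link tips above (example code, not part of the original fact sheet): a small Python check that flags links whose visible text names one domain while the actual href points to another, and links that are not https. The sample message, addresses and hosts are constructed placeholders.

```python
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the eBay lure quoted later on this page; all addresses and hosts are placeholders.
SAMPLE_EMAIL = """\
From: "eBay" <service@example.com>
Subject: eBay Account Verification
Content-Type: text/html

<p>Please visit <a href="http://ebay-verify.example.net/login">http://www.ebay.com/</a>
and fill in the required information.</p>
"""

class _LinkCollector(HTMLParser):
    # Collects (href, visible text) pairs from <a> tags.
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def registered_domain(host):  # crude last-two-labels match; no public-suffix list
    return ".".join(host.lower().split(".")[-2:])

def suspicious_links(raw_email):
    """Return (href, reason) pairs for links a reader should not trust."""
    msg = message_from_string(raw_email)
    body = msg.get_payload(decode=True).decode("utf-8", "replace")
    collector = _LinkCollector()
    collector.feed(body)
    findings = []
    for href, text in collector.links:
        target = urlparse(href)
        if target.scheme != "https":
            findings.append((href, "link is not https"))
        if "." in text and " " not in text:  # only compare when the text itself looks like a URL
            shown = urlparse(text if "://" in text else "//" + text).hostname
            if shown and target.hostname and \
                    registered_domain(shown) != registered_domain(target.hostname):
                findings.append((href, f"text shows {shown} but link goes to {target.hostname}"))
    return findings
```

Run against the constructed sample, it reports both tells; a link whose text and href agree and that uses https produces no finding.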
For an example of a "phishing" email, see the eBay example below. Mail Frontier has developed a Phishing IQ Test to see how good you are at discerning phishing emails from legitimate email requests for personal information at http://survey.mailfrontier.com/survey/quiztest.html.
Consumers who receive an email that fits the description of a phishing email should:
- Contact the legitimate company named in the email to confirm whether the request is from them. Most companies do not ask customers to confirm personal information by sending an email.
- If you have provided your personal information in response to a phishing email, you should assume that you will become a victim of identity theft. Follow the steps indicated in our identity theft victims guide, Fact Sheet 17a. If you gave your SSN to the web site, you should place fraud alerts on your three credit reports. If you provided your bank account or credit card number, you should cancel that account and open a new one. For more information about how to protect yourself, see our Fact Sheet 17a, "Identity Theft: What to Do if It Happens to You," at www.privacyrights.org/fs/fs17a.htm.
- Read the information and tips put out by the Federal Trade Commission about this scam at http://www.ftc.gov/bcp/edu/pubs/consumer/alerts/alt127.shtm.
- Forward the suspicious email to the Federal Trade Commission's address for unsolicited commercial email, firstname.lastname@example.org.
- You may also want to send the bogus email to the Anti-Phishing Working Group (www.antiphishing.org). Instructions for sending phishing emails to this organization are at http://www.antiphishing.org/report_phishing.html.
- Notify the Internet Fraud Complaint Center of the FBI by filing a complaint on their website: www.ic3.gov
Always be alert to phishing messages. Reputable companies DO NOT contact their customers and request that they update their files or verify their account or security settings.
If you are a business whose good name is being used in this manner, the following tips may be useful:
- Make it a company policy to immediately investigate any reports of phishing emails that may tarnish your company's reputation and make customers unsure about conducting business with you.
- If a phishing email using your company's name and logo is brought to your attention, clearly display a link on your website regarding the bogus email, the procedure for identifying whether suspected scam email is authentic or not, and instructions on how to forward the email to your company and law enforcement for investigation. Consumers who receive a phishing email that purports to be from your company will usually look for additional information on your website.
The following is an example of an eBay phishing email. It looks legitimate. But the web link included in the message sends the user to a fake eBay site where personal information is captured from the unsuspecting individual. The website mentioned has been shut down by law enforcement.
Subject: eBay Account Verification
Date: Fri, 20 Jun 2003 07:38:39 -0700
From: "eBay" <email@example.com>
Reply-To: firstname.lastname@example.org
To:
Dear eBay member,
As part of our continuing commitment to protect your account and to reduce the instance of fraud on our website, we are undertaking a periodic review of our member accounts.
You are requested to visit our site by following the link given below.
Please fill in the required information.
This is required for us to continue to offer you a safe and risk free environment to send and receive money online, and maintain the eBay Experience.
Copyright © 1995-2003 eBay Inc. All Rights Reserved.
Designated trademarks and brands are the property of their respective owners.
Update: The Privacy Rights Clearinghouse (PRC) is warning consumers about another form of fraud that can happen when online users reply to phishing emails. The personal information they provide might be used to register web site domains that bilk unwitting online users out of funds they believe are being used for legitimate transactions.
The PRC has received reports from those who have replied to phishing emails with their name, address and phone number who later learned that their personal information was used by the phisher to register web site domains. At times, if they also provided a legitimate credit card number, it may be used to pay for the web site registration, too. For more information about this aspect of phishing emails, see our alert, Phishing Emails Can Lead to Domain Registration for Scam Web Sites.