SurePayroll

How to Avoid Phishing Scams

Identity thieves have gone high-tech, and if you are not careful you or one of your employees may be the next victim.

In a crime called "phishing," Internet con artists use hijacked corporate logos and deceptive spam emails to steal credit card numbers and other financial data from consumers.

To lure you into their trap, phishers send an email that appears to be from a business or organization that you do business with — such as a bank, e-retailer, online payment service, Internet service provider (ISP), or government agency.

The message will ask you to visit a Website to "update," "change," "validate," or "confirm" your account information by entering your username and password. Here are a few sample phishing solicitations:

"We suspect an unauthorized transaction on your account. To ensure that your account is not compromised, please click the link below and confirm your identity."

"During our regular verification of accounts, we couldn't verify your information. Please click here to update and verify your information."

Clicking on a link in the phishing email will then take you to a Website that looks just like a legitimate organization's site. But it isn't.

Instead, it's a clever counterfeit that looks exactly like the site you're used to seeing. When you enter your username and password, you are actually giving them directly to the thieves.

Once your information is compromised, the crooks can then log in to the real online site and do significant damage. For example, a phishing criminal who tricks you into giving them access to an online credit card account might wire a cash advance into their own account and take the money and run.

Even Sophisticated Web Gurus Can Be Victimized
Maybe you've already heard of phishing and think you wouldn't be dumb enough to fall prey to a phishing email.

Think again. Phishing criminals are increasingly sophisticated — even highly experienced Internet users are now vulnerable.

Many phishing emails seem completely legit. The sophisticated ones no longer come from email addresses that seem suspect, such as banksecurity@hotmail.com.

Instead, they come from an email address that is exactly right for the organization they are trying to crack. The crooks use a technique called email spoofing that lets them send you an email from whatever email address they choose. In short, you cannot detect phishing by looking at the sender’s email address.

While many amateurish phishing emails contain misspelled words or incorrect grammar, the new breed of phishing thieves is writing emails that appear to be perfectly legit. However, just because an email is well-written doesn’t mean you should take it seriously.

Even the look and feel of the email can be nearly perfect, complete with company logos and trademarks. The links in the email can also look legitimate. It's easy, for example, to have a link that appears to go to http://www.amazon.com/gp/sign-in.html but really takes you to http://www.amazon.securelogin.com/sign-in.html.

In this case, the destination URL may look legit, but in that Web address "amazon" is only a sub-domain of the securelogin.com site, a temporary site that might have been created by phishers to steal Amazon customers' login information.

When looking at URLs, remember that sub-domains are always listed before the domain. In other words, if you visit http://www.amazon.securelogin.com, you are visiting part of the securelogin.com site; if you visit http://www.securelogin.amazon.com, you are visiting part of the Amazon.com site. It pays to study the Web address at the destination site to see if it seems legit, but even that’s not a cure-all.

In fact, Website addresses can be spoofed in a fashion that would fool even the most vigilant users. Using sophisticated techniques, a fraudulent site can detect the user's browser and run custom code that removes the real address bar and replaces it with a fake address bar at the top of the browser window. For example, you might see http://www.amazon.com/gp/sign-in.html in the address bar (that’s the correct address for Amazon login) but in fact you are really at a completely different Website.
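The sub-domain rule described above can be checked mechanically. The following Python sketch is an added example, not part of the original article: it reads host names from the right and flags links in an email body whose real destination is outside a trusted domain while the link text or a sub-domain label imitates one. The `TRUSTED` allowlist, the function names and the sample body are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit
TRUSTED = {"amazon.com"}  # assumption: domains the recipient really uses
BRANDS = {d.split(".")[0] for d in TRUSTED}

def host_of(url):  # lowercase hostname of a URL (scheme optional), '' if none
    try:
        return (urlsplit(url if "://" in url else "http://" + url).hostname or "").rstrip(".")
    except ValueError:
        return ""

def trusted_owner(host):  # trusted domain that host equals or sits under, else None
    # Matching from the right: 'amazon.securelogin.com' is NOT under 'amazon.com'.
    return next((d for d in TRUSTED if host == d or host.endswith("." + d)), None)

class LinkCollector(HTMLParser):  # collects (href, visible text) for every <a>
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def suspicious_links(html):
    """Return (href, reason) for links that imitate a trusted domain."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        target = host_of(href)
        if trusted_owner(target):
            continue  # the link really leads to a trusted domain
        shown = host_of(text) if text and " " not in text else ""
        if trusted_owner(shown):
            findings.append((href, "text shows trusted address"))
        elif BRANDS & set(target.split(".")):
            findings.append((href, "trusted name used as sub-domain"))
    return findings

# Constructed sample body built from the article's two example addresses.
SAMPLE = ('<a href="http://www.amazon.securelogin.com/sign-in.html">'
          'http://www.amazon.com/gp/sign-in.html</a> <a href='
          '"http://www.securelogin.amazon.com/help">Help</a>')
```

Calling `suspicious_links(SAMPLE)` reports only the first link; the second passes because its host ends in `.amazon.com`.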

An Educated Consumer is a Safe Consumer
It may seem like the odds are stacked against you. Is there anything that can be done to stop a sophisticated phishing attempt?

Fortunately, there are a few basic precautions you can take to protect yourself from phishing scams. Click on the links below to learn what you can do to keep your sensitive information out of the hands of the bad guys:

Final Words of Wisdom
Beyond simply avoiding becoming a victim, it's important that you report suspicious emails to the proper authorities.

In doing so, you may be closing down a phishing scheme that would otherwise victimize a friend or acquaintance of yours. The Internet desperately needs "neighborhood policing" and it's important that you do your part.

For example, if a phishing email attempts to get your eBay account information, alert eBay so they can shut down the phishing Web site linked to in the spoof email. Most organizations have information on their web sites about where to report problems.

You might also want to notify the United States Computer Emergency Readiness Team (US-CERT), a partnership between the Department of Homeland Security and the public and private sectors. US-CERT is collecting phishing email messages and Web site locations so they can help people avoid becoming victims of phishing scams. You can report phishing to US-CERT by sending email to phishing-report@us-cert.gov.

Last but not least, if you believe your financial accounts have been compromised by a phishing scheme, be sure to contact your financial institution immediately and close any accounts that may have been compromised. In addition, watch for any unexplainable charges to your account and take steps to investigate them as they occur.

