Identity thieves have gone high-tech, and if you are not careful you or one of your employees may be the next victim.
In a crime called "phishing," Internet con artists use hijacked corporate logos and deceptive spam emails to steal credit card numbers and other financial data from consumers.
To lure you into their trap, phishers send an email that appears to be from a business or organization that you do business with — such as a bank, e-retailer, online payment service, Internet service provider (ISP), or government agency.
The message will ask you to visit a Website to "update," "change," "validate," or "confirm" your account information by entering your username and password. Here are a few sample phishing solicitations:
"We suspect an unauthorized transaction on your account. To ensure that your account is not compromised, please click the link below and confirm your identity."
"During our regular verification of accounts, we couldn't verify your information. Please click here to update and verify your information."
Clicking on a link in the phishing email will then take you to a Website that looks just like a legitimate organization's site. But it isn't.
Instead, it's a clever counterfeit that looks exactly like the site you're used to seeing. When you enter your username and password, you are actually giving them directly to the thieves.
Once your information is compromised, the crooks can then log in to the real online site and do significant damage. For example, a phishing criminal who tricks you into giving them access to an online credit card account might wire a cash advance into their own account and take the money and run.
Even Sophisticated Web Gurus Can Be Victimized
Maybe you've already heard of phishing and think you wouldn't be dumb enough to fall prey to a phishing email.
Think again. Phishing criminals are increasingly sophisticated — even highly experienced Internet users are now vulnerable.
Many phishing emails seem completely legit. The sophisticated ones no longer come from email addresses that seem suspect, such as email@example.com.
Instead, they come from an email address that is exactly right for the organization they are trying to crack. The crooks use a technique called email spoofing that lets them send you an email from whatever email they choose. In short, you cannot detect phishing by looking at the sender's email address.
While many amateurish phishing emails contain misspelled words or incorrect grammar, the new breed of phishing thieves is writing emails that appear to be perfectly legit. In other words, just because an email is well-written doesn't mean you should take it seriously.
Even the look and feel of the email can be nearly perfect, complete with company logos and trademarks. The links in the email can also look legitimate. It's easy, for example, to have a link that appears to go to http://www.amazon.com/gp/sign-in.html but really takes you to http://www.amazon.securelogin.com/sign-in.html.
In this case, the destination URL may look legit, but in that Web address "amazon" is only a sub-domain of the securelogin.com site, a temporary site that might have been created by phishers to steal Amazon customers' login information.
When looking at URLs, remember that sub-domains are always listed before the domain. In other words, if you visit http://www.amazon.securelogin.com, you are visiting part of the securelogin.com site; if you visit http://www.securelogin.amazon.com, you are visiting part of the Amazon.com site. It pays to study the Web address at the destination site to see if it seems legit, but even that's not a cure-all.
In fact, Website addresses can be spoofed in a fashion that would fool even the most vigilant users. Using sophisticated techniques, a fraudulent site can detect the user's browser and run custom code that removes the real address bar and replaces it with a fake address bar at the top of the browser window. For example, you might see http://www.amazon.com/gp/sign-in.html in the address bar (that's the correct address for Amazon login) but in fact you are really at a completely different Website.
An Educated Consumer is a Safe Consumer
It may seem like the odds are stacked against you. But by taking a few basic precautions, you can protect yourself from a sophisticated phishing attempt.