Scam Email: What is Phishing? What do I do about it?
This FAQ is organized into 5 parts:
A. What is Phishing?
Phishing involves using email and websites that impersonate the email and websites of organizations the target victim already deals with. The goal is to gather information that can be used to impersonate the target victim while committing a crime.
The impersonating email ("phishing email" or "phish-mail") lures target victims to the impersonating website ("phishing site" or "phish-site").
At the phishing site, target victims are asked to divulge confidential information such as their account name or number, password, mailing address, credit card number, social security number, mother's maiden name and so on.
The information obtained may be used to impersonate the victim while committing fraud, identity theft, theft of services, spamming, corporate espionage and other crimes.
1. Conventional phishing involves sending mass amounts of unpersonalized phishing email. The small percentage of phishing email recipients who already deal with the impersonated organization are the target victims.
2. Targeted phishing ("spear-phishing") involves sending the target victim a personalized email. At the phishing site, the target may be greeted by name.
The inclusion of a few personal details in a targeted phishing email, and on the targeted phishing site, greatly increases the likelihood that the target can be lured into divulging additional confidential information.
B. How You Can Protect Yourself From Phishing
No web browser or email tool provides total protection against phishing because phishing relies on fooling people.
1. Be suspicious of any urgent requests.
Phishing email will try to convey a sense of urgency so that you will act before you think. Common techniques are to say that your account will be frozen, terminated or billed unless you take immediate action.
2. Be suspicious of unpersonalized email concerning an existing account.
However, personalization does not guarantee email is legitimate. Targeted phishing uses personalized email.
3. Do not fill out forms embedded in emails. Email is not a secure channel, and a form inside an email can submit your answers to anyone the sender chooses.
4. If an email or postal letter asks you to visit your account, visit your account the way you normally would. Open your web browser and click on the "Favorite" or "Bookmark" that you normally use to access your account.
Do not click on, or type in, a URL (web address) that came from an email or postal letter.
5. Only enter confidential information on web pages that appear secure.
(a) If a pop-up appears saying that the certificate for a website was issued by an untrusted authority, click "No" when asked whether you want to trust the certificate or the site. Do not trust untrusted authorities; a legitimate organization's site will not ask you to accept one.
(b) In the URL box, the address will begin with https instead of http.
(c) With the Firefox browser, the URL box will change color.
(d) Make sure the domain name in the URL is what you expect.
These domain names look alike, but they are all different domain names, and any of them could be registered by a phisher:
www.worthybankllc .com (a non-displayable character follows the "llc")
www.vvorthybankllc.com ("vv" replaces "w")
www.w0rthybankllc.com (the digit "0" replaces the letter "o")
www.worthybank11c.com (the digit "1" replaces each letter "l")
(e) At the bottom of the window frame you would be entering your information on, look for a padlock (lock). You are looking for a padlock in the browser's own window frame. Padlocks and security seals drawn on the web page itself mean nothing: anyone can paste a padlock picture into a page.
Double-click the padlock icon in the browser window frame. A security certificate will pop up. On the "General" tab of the certificate, verify that the domain and company name are what you expect.
* In MSIE (MS Internet Explorer), right-click on the web page you would enter your information on, and select "Properties." Or, from the "File" pull-down menu (at the top of the page), select "Properties." On the Properties pop-up, you can examine the domain name and the security certificate.
* In Firefox, right-click on the web page you would enter your information on and select "View Page Info." Here you can examine the domain name and the security certificate.
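The look-alike domains in item 5(d) can be caught mechanically as well as by eye. The script below is an added example for this FAQ, not code from the original page: it takes the host out of a URL (after any "user@" and before any port or path), strips invisible characters, folds common character substitutions, and compares the registrable domain with the one you expect from your bookmark. The bank domain worthybankllc.com is the FAQ's fictional example; every URL in the demo is constructed, and the CONFUSABLES table is an assumption that covers the FAQ's own tricks (a real tool would use the Unicode confusables list).

```python
"""Check whether the host in a URL is the domain you expect, or a look-alike.

Added example for this FAQ; it is not code from the original page. The bank
domain "worthybankllc.com" is the FAQ's fictional example, and every URL in
the demo is constructed. CONFUSABLES is an assumption covering the FAQ's own
tricks; a real tool would use the Unicode confusables list.
"""
import unicodedata

EXPECTED = "worthybankllc.com"  # the domain from your bookmark, not from the email

# Substitutions phishers use. Multi-character entries are applied first.
CONFUSABLES = {
    "vv": "w", "rn": "m", "cl": "d",
    "0": "o", "1": "l", "3": "e", "5": "s",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",  # Cyrillic
}


def split_host(url: str) -> tuple[str, bool]:
    """Return (host, had_userinfo). Deliberately simple: no IPv6 literals.

    The host is what follows any 'user@' and precedes ':port' or '/'. A URL like
    http://www.worthybankllc.com@203.0.113.5/ therefore points at 203.0.113.5.
    """
    rest = url.split("://", 1)[1] if "://" in url else url
    authority = rest.split("/", 1)[0].split("?", 1)[0].split("#", 1)[0]
    had_userinfo = "@" in authority
    host = authority.rsplit("@", 1)[-1].split(":", 1)[0].lower()
    if "xn--" in host:  # punycode: recover the Unicode form a browser would display
        try:
            host = host.encode("ascii").decode("idna")
        except UnicodeError:
            pass
    return host, had_userinfo


def strip_invisible(s: str) -> tuple[str, bool]:
    """Remove format and control characters (zero-width space etc.)."""
    cleaned = "".join(ch for ch in s if unicodedata.category(ch) not in ("Cf", "Cc"))
    return cleaned, cleaned != s


def fold(s: str) -> str:
    """Map look-alike characters to the letters they imitate, longest keys first."""
    for src, dst in sorted(CONFUSABLES.items(), key=lambda kv: -len(kv[0])):
        s = s.replace(src, dst)
    return s


def registrable(host: str) -> str:
    """Last two labels of the host (assumes a one-label public suffix such as .com)."""
    return ".".join(host.split(".")[-2:])


def analyze(url: str, expected: str = EXPECTED) -> dict:
    """Classify a URL as 'ok', 'lookalike' or 'unrelated' relative to `expected`."""
    host, had_userinfo = split_host(url)
    findings = []
    if had_userinfo:
        findings.append("text before '@' is not the host; the real host follows it")
    cleaned, had_invisible = strip_invisible(host)
    if had_invisible:
        findings.append("invisible characters inside the host")
    if any(ord(ch) > 127 for ch in cleaned):
        findings.append("non-ASCII letters in the host (possible homoglyph)")
    actual = registrable(host)
    if actual == expected:
        verdict = "ok"
    elif registrable(fold(cleaned)) == expected:
        verdict = "lookalike"
        findings.append(f"{actual!r} imitates {expected!r}")
    else:
        verdict = "unrelated"
        if cleaned.startswith(expected + ".") or ("." + expected + ".") in cleaned:
            findings.append(f"{expected!r} appears only as a subdomain of {actual!r}")
    return {"host": host, "verdict": verdict, "findings": findings}


if __name__ == "__main__":
    for url in (  # constructed demo inputs
        "https://www.worthybankllc.com/login",
        "https://www.vvorthybankllc.com/login",
        "https://www.w0rthybankllc.com/login",
        "https://www.worthybank11c.com/login",
        "http://www.worthybankllc\u200b.com/login",  # zero-width space after "llc"
        "https://www.w\u043erthybankllc.com/login",  # Cyrillic "o"
        "http://www.worthybankllc.com@203.0.113.5/login",
        "https://secure.worthybankllc.com.evil.example/login",
    ):
        r = analyze(url)
        print(f"{r['verdict']:9} {r['host']!r} {'; '.join(r['findings'])}")
```

Two cases in the demo go beyond the FAQ's list: a URL with "user@" in front of the real host, and the expected name used as a subdomain of some other domain. Both pass a glance at the address bar, and both fail this check because only the registrable domain (the last two labels) is compared.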
6. Do not depend on spelling mistakes or grammar to spot phishing websites.
The phisher may flawlessly copy the wording, styles, graphics, animation and favicon (the icon to the left of the URL in the URL box of your web browser) from the organization's real site.
7. Do not assume you are safe because you ended up on the real site. After the victim has entered the information requested, the victim may be smoothly linked from the phishing site to the impersonated organization's real site.
If an account name and password were entered on the phishing site, the phishing site may even sign the victim onto the impersonated organization's real site.
Even if the victim is suspicious at this point, all they see is the organization's real site. There is no clue that confidential information was just stolen.
8. If something doesn't quite appear correct, telephone the organization using the phone number on a recent account statement or the phone number in the telephone book. (Directory assistance for the 800 area code is 1-800-555-1212.)
9. Add one of these anti-phishing tools to your web browser:
Be sure to read the tutorial on how to recognize a phishing site using the tool.
10. Only use credit cards to make online purchases. Most jurisdictions have legislation limiting consumer liability for fraudulent credit card use. Protection for checking accounts and debit cards is generally weaker or absent, and the money leaves your account before you can dispute the charge.
11. Regularly check your bank, credit and debit card statements to ensure that all transactions are legitimate. If anything is suspicious, contact your bank and all card issuers immediately.
Some companies offer an option to send an email or cell phone text message within a few minutes of account activity occurring. Check with your bank and credit card company to see if they offer this service.
The more time crooks have to use your personal information, the longer it will take you to clean up the mess they create.
12. If you work for a company that has a website that may be phished, register with PhishRegistry.org. This free service of CipherTrust will email your company a report if it detects elements of your logon pages elsewhere on the Internet.
13. Keep your personal information personal. Phishers may seek personal information for targeted phishing by:
a) Searching the Internet for the target's name and email address.
b) Searching the target's garbage for discarded credit card slips, financial statements, pay slips, magazines and paperwork.
c) Searching a garbage dump, looking for papers containing personal information, and selecting a target based on what they find.
14. To further reduce your exposure to targeted phishing:
(a) Use a different form of your name for business than you use casually. For example, if you normally go by "Keith Smith," use "Keith A. Smith" or "Keith Adam Smith" for business.
(b) Only use nicknames when posting in forums and newsgroups.
(c) Use at least 3 separate email addresses: one for work, one for personal business and one for casual use.
(d) Shred old bills, credit card statements and other paper work, before you discard them.
15. Before disclosing personal information on the telephone, make sure that you are the one who placed the call.
Telephone Caller ID information can be faked.
If they phoned you, take down the caller's name and phone number and extension. Use the phone number on a recent statement or in the phone book to call the company back and then ask for that person.
There are illustrated and explained examples of actual phishing pages and emails in the links in Part E below.
C. What To Do If You Gave Information To A Phishing Site:
1. If you have disclosed personal information to a phishing site you may become a victim of identity theft.
The more time crooks have to play with your personal information, the longer it will take you to clean up the mess.
Reporting identity theft early reduces the amount of work you'll have to do later to restore your credit. Do not wait for credit companies to contact you. Do not wait for monthly statements.
If you gave out a credit card number, call the issuing company's 24/7 phone number to report the card number as stolen right now. Do this now, before reading further. (If you gave out a debit card number or checking account number, contact your bank.)
Carry out the remaining credit protection steps no later than the next business day. The credit protection steps are here: What Do I Do About Possible Identity Theft?
2. Immediately change the passwords of any accounts whose passwords you disclosed.
Notify the organizations concerned that the earlier passwords had been disclosed on a phishing site, and ask if there has been any abnormal account activity.
3. If you merely visited a phishing site, you should scan your computer for malware that may have been downloaded through your web browser ("drive-by downloading").
a) Update your anti-virus software and run a virus scan of your computer.
b) Run an anti-spyware scan (for example, the Ad-aware step described elsewhere in this FAQ).
D. What Can You Do About Phishing? Report it!
Promptly report attempted and suspected phishing. It only takes a minute to report suspected phishing email.
Trained investigators will determine if the email or website is an actual attempt at crime. Merely visiting a phishing website can lead to malware being loaded onto your computer without your permission. Leave the investigation to the experts.
1. Report the suspected phishing email by simply forwarding the email as an attachment.
Forwarding the phishing email as an attachment allows semi-automated processing to eliminate duplicate reports, and it preserves the full internal headers (including the "Received:" lines added by each mail server along the way) that are needed to trace back the actual source of the email. A plain "Forward" keeps only the body and a few display headers, which is useless for tracing.
Do not add a subject line or comments; just forward the email as an attachment.
- For Outlook Express: Go to the inbox, right-click on the phishing email in the email selection list and select "Forward as Attachment."
- For Outlook or Netscape: Create a new email. Drag and drop the phishing email on the new email (with Netscape, drop it in the attachment area).
- Instructions for sending the full header information of an email using other email tools are at Spamcop.net: "How do I get my email program to reveal the full, unmodified email?" Follow the instructions for "web submission," but instead of submitting on the web, paste the full unmodified email into a new email.
2. Cut and paste this set of email addresses into the TO: box of your email.
- or, with commas -
3. Send the email.
4. Forward the email to the DSLR PhishTracker. Your personal DSLR PhishTracker contact email address is at the top of this page (at the end of the line that begins "Got Phish??")
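Why step 1 insists on "forward as attachment" is easiest to see by doing it in code. The script below is an added example for this FAQ, not code from the original page or from any of the reporting services it names. It builds a report that carries a phish-mail as a message/rfc822 attachment, shows what a plain "Forward" throws away, and reads the "Received:" trail the way an investigator would. PHISH_RAW is a constructed sample; its addresses, host names and IPs are documentation values (example.org, example.net, 192.0.2.x, 198.51.100.x), not real senders.

```python
"""Forward a phish-mail as a message/rfc822 attachment and read its Received: trail.

Added example for this FAQ; not code from the original page. PHISH_RAW is a
constructed sample; addresses, hosts and IPs are documentation values only.
"""
import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Each mail server prepends its own Received: line, so the TOP line is the last
# hop and the BOTTOM line is the first server that accepted the message.
PHISH_RAW = b"""Received: from mx.example.net (mx.example.net [192.0.2.10])
\tby mail.example.org with ESMTP id abc123; Mon, 1 Jan 2007 10:00:05 +0000
Received: from unknown (HELO worthybankllc.com) (198.51.100.77)
\tby mx.example.net with SMTP; Mon, 1 Jan 2007 10:00:01 +0000
From: "Worthy Bank Security" <security@worthybankllc.com>
To: victim@example.org
Subject: Urgent: your account will be suspended
Message-ID: <20070101100000.1234@worthybankllc.com>
Content-Type: text/plain; charset=us-ascii

Click http://www.w0rthybankllc.com/login within 24 hours or your account
will be frozen.
"""

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def build_report(raw: bytes, sender: str, recipient: str) -> EmailMessage:
    """'Forward as attachment': the original rides along as a message/rfc822
    part, headers included. No subject and no comments, as the FAQ asks."""
    original = BytesParser(policy=policy.default).parsebytes(raw)
    report = EmailMessage()
    report["From"] = sender
    report["To"] = recipient
    report.add_attachment(original)  # an EmailMessage attaches as message/rfc822
    return report


def forward_inline(raw: bytes, sender: str, recipient: str) -> EmailMessage:
    """A plain 'Forward': only the body and a few display headers survive,
    so the Received: trail investigators need is gone."""
    original = BytesParser(policy=policy.default).parsebytes(raw)
    fwd = EmailMessage()
    fwd["From"] = sender
    fwd["To"] = recipient
    fwd["Subject"] = "Fwd: " + str(original["Subject"])
    fwd.set_content(
        f"---- Forwarded message ----\nFrom: {original['From']}\n\n{original.get_content()}"
    )
    return fwd


def extract_original(report_bytes: bytes):
    """What the abuse desk does: pull the attached message out of the report."""
    msg = BytesParser(policy=policy.default).parsebytes(report_bytes)
    for part in msg.walk():
        if part.get_content_type() == "message/rfc822":
            return part.get_payload(0)  # the embedded message object
    return None


def received_trail(msg) -> list:
    """IPv4 address recorded in each Received: header, earliest hop first.

    The HELO name (here 'worthybankllc.com') is chosen by the sender and proves
    nothing; the IP the receiving server wrote down is what gets traced.
    """
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        m = IPV4.search(str(value))
        hops.append(m.group(1) if m else "?")
    return hops


if __name__ == "__main__":
    me, desk = "victim@example.org", "phish-reports@example.net"
    report = build_report(PHISH_RAW, me, desk)
    inner = extract_original(report.as_bytes())
    print("attached original trail:", received_trail(inner))
    print("inline forward trail:   ", received_trail(forward_inline(PHISH_RAW, me, desk)))
```

Run it and the attached copy yields the hop list ending at the first server that accepted the message, while the inline forward yields nothing at all. The sample also shows the point that matters when reading such a trail: the "HELO worthybankllc.com" text is whatever the sending machine claimed, and only the address the receiving server recorded next to it is evidence.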
Note that many examples display fluent business English, flawless graphics and professional layouts.