Phishing and ID Theft

Article ID: 727

While the Internet and email are tools that can bring people together, they have also become tools that con artists and other criminals can use to trick people into revealing credit card and bank account numbers, as well as other personal information. This information and Identity Theft costs users and companies over $1 Billion per year, and is increasing. This FAQ will provide you with information that will help you to protect yourself from ID Theft and other fraud.

What is "Phishing"?

Phishing is a scheme where a 'fraudster' will try to trick a person into revealing personal information in order to steal their identity. This information can include Social Security Numbers, bank account numbers and online banking passwords or PIN numbers, and usernames. The fraudster will send out email disguised to look like an official email from a bank, company, or government agency. This message will say that there is some problem with the recipient's account and that they need to go to a particular web site to verify their personal account information. Often, the message will threaten that the person's account will be closed if the information is not provided. The message will contain a link that appears to point to that organization's web site. This web site will look like the bank's or online business's web site, but will really be a fraud. Any information that the person enters on that site can be used to to steal that person's ID and money.

These phishing emails and spam can look just like the real company's email, and will include all that logos and graphics that you might expect to see in an email from your bank, for example. The web site that the phishing email sends you to will also look just like the real bank's web site. The link in the email that would send you to the fake site will say that you are going to the bank's web site, but the coding in the link will actually take you to the fraud site.

How can I protect myself from phishing and ID theft?

The first line of defense against phishing is to be skeptical of any email that you receive asking for personal information. Most reputable companies will never ask their customers to provide this type of information through email or web sites. You should never respond to these requests or go to the sites these messages link to. If you do have any questions or concerns about your account information, contact the company either by phoning them with a phone number that you know is valid (such as those found on any statements or billings from that company) or by typing a known good web site address directly into your web browser's address bar. NEVER use the contact information given in the suspicious email.

While spam filters, anti-virus programs, and anti-spyware programs are useful and good to have installed on your computer, no technological solution will ever be 100% effective. These programs can help protect you, but you still need to exercise caution on the Internet. Phishing scam web sites usually are online only about 5 to 6 days, and then they move on to a new server. This makes filtering difficult.

What does a 'phishing' email and web site look like?

A phishing email and the associated web site that will gather the personal information will look just like those of the bank or other organization that the messages are impersonating. You cannot judge by appearance only. The first line of defense is a healthy sense of skepticism. Even so, there are a few signs that you can look for to be more certain that an email or a web site is a scam.

Many emails will contain links to web sites. When you are suspicious of the message, you should look to see where that link will take you before you click on it. The link may display http://secure.yourbank.com/ in the message. But, if you hold your mouse pointer over the link for a few second, either a small tip box will pop up with the real address of the link, or your email program will show the address in the Status bar of the email window, usually in the lower left corner.

If you did click on the link, look at the address bar of the web browser, such as Internet Explorer. First, look at the type of page it is. Does it say 'https://www.yourbank.com/....' or 'http://198.255.206.4/yourbank/verify/....' If it's similar to the second, this is a good indication that this is a fraudulent web site. The actual fake address could be almost anything, but it it isn't what you would expect from a reputable business or organization, do not give out any information on that site.

What should I do if I receive what I suspect is a phishing email?

There are several things that you can do if you receive an email that you suspect is a phishing scheme.

What should I do if I suspect I have been a victim of phishing or ID theft?

Here are a few things that you should to as quickly as possible in order to minimize your risk.

If there is a specific bank or company for which your account information may have been compromised, contact them to notify them and ask that your account information be changed, such as credit card numbers, bank account number, and so forth. You should do this as quickly as possible. Unlike credit card transactions where you are responsible for only the first $50 of loss, most banks will not cover any losses due to Identity Theft.

Contact the three major credit reporting agencies and ask that a Fraud Alert be placed on your credit information. This will make it harder for fraudsters to open new credit accounts using your personal information. You can contact these agencies here for fraud alerts:

Also, you can file a complaint with the Federal Trade Commission at the ID Theft Complaint form. The FTC will initiate an investigation and start any possible legal actions at the federal level.

You may also file a complaint with the Federal Bureau of Investigation at the Internet Crime Complaint Center or your the local FBI Field Office nearest you. You may also file a report with any local or state police organizations in your area.

Where to find more information

The following is a list of organizations, businesses, and government agencies that will have more information about Phishing and other Internet Fraud.