Hook, Line, and Sinker
Con artists are betting that you will buy their email solicitations hook, line, and sinker. An email scam called “phishing” is fast becoming the number one threat to consumers.
This is how phishing works:
The hook— An email is sent to you from what appears to be a legitimate source. For example, you receive an email that appears to be from your credit card company.
The line—The email from the credit card company tells you that there have been major reports of identity theft and you may have been a victim. To verify that your account is OK, they will need you to visit the company website and provide your name, social security number, account number, and mother’s maiden name. The email provides a link to the company website at the bottom of the email. All you have to do is click on that link to take you directly to the webpage where you will give them your information.
The sinker—You click on the company link at the bottom of the email, which takes you to a counterfeit website. Once on the website, you enter your name, social security number, account number, and mother’s maiden name. You then submit your information to the company. You have just been the victim of a phishing scam.
Casting a Lure
The email you received from the credit card company was a fake. Someone (the phisher) created an email that appeared to be from the credit card company. These emails are very sophisticated. They use company logos, company colors, and company slogans to make the email appear authentic. They even use the names of real people who work at the company so you will be fooled into believing the email is really from the CEO or an employee of the company.
Take a look at the email below and decide if it is a real email or a phishing email.
While this email may look like the real thing, you can bet it is not. This is an actual email that was sent to thousands of unsuspecting recipients. Many of those recipients fell victim to this scam.
Most phishing emails try to create a sense of urgency in the email by telling you that if you do not respond immediately, your services will be terminated or suspended. When you click on the link in the email, it then directs you to a phony website created by the phisher. The tricky thing about these phony websites is that they look like the real thing! The phishers re-create the company’s website, imitating as much detail as they can to fool you into believing it is the official company website.
Once you enter your personal information, the phisher has enough information to empty your checking account and make online purchases with your credit cards. The phisher can also create new bank, credit card, insurance, and other online accounts in your name, using your identity, and you will not know that it has happened until the bills start coming in.
Sniffing Out Those Phishy Emails
Phishers don’t use only your credit cards to lure you in; they also will use your insurance company, email service provider, Internet auction accounts (like eBay), and government (Secret Service, FDIC, Homeland Security) organizations to reel you in.
In order to protect yourself from these phishing scams, it is important to know what to look for in a suspicious email. Following is a list of warning signs to look for:
- Statements that are meant to excite or upset you based on false information.
- A request to respond to the email immediately.
- An offer for a prize or special deal, but only after you give your personal information.
- A general greeting, such as “Dear Customer,” instead of a specific greeting, like “Dear Jane Doe.”
- A link to the company’s “secure” website with “http” at the beginning. All secure websites begin with “https” (remember, “s” is for security). For example, https://company-security.com.
- An attempt to get you to enter your financial account information. Stop and think, “Why would my financial institution that already has my account number need me to enter that particular piece of information?”
- A request for multiple pieces of personal information.
If you notice any of these signs, you are likely dealing with a phishy email. If you suspect an email might be phishy, trust your instinct. Phishers can send hundreds of thousands of emails out every day, so it is important to be on your guard.
According to the Anti-Phishing Working Group, the U.S. hosts the most phishing websites in the world. On average, 6.1 billion phishing emails are sent each month. Those who fall victim to phishing lose, on average, $1,200 per person (www.sonicwall.com/furl/phishing).
So why do so many people take the bait? Many people take the bait because the email appears to be from a legitimate source, whether it is a company or a person, that they know and trust. This is called “spoofing.”
Spoofing works by stealing legitimate email usernames. The phishers then turn around and use the stolen usernames to send out emails that appear to be from a legitimate person or company. So, even if the email appears to be from your mother, if it asks you for any personal information (financial information, passwords, and so forth—not why you don’t come to see her more often…), you should automatically assume it is an imposter.
Frequently Phished Companies
While there are millions of phony emails sent out every day, there are a handful of companies that are targeted more frequently than others. If you believe you have received a suspicious email from a company you do business with, you should email or call the company to verify the authenticity of the email.
But do not reply to the email directly. Instead, verify the company contact information on your own (from mailed bill statements or official records) and then contact the company. If the company asks for the email, forward it to them. You can report the phishy email to www.antiphishing.org/report-phishing.
Don’t Take the Bait: 9 Steps to Avoid Being Phished
Follow these simple steps to swim free of the phishing lures bobbing in your inbox:
- Always keep your Internet up to date with the latest security patches. If you are using Microsoft Windows 7, left-click the Start button, then All Programs, then Windows Update to get the latest security updates for your computer.
- Always keep your Antivirus software (Symantec, MacAfee) current with the latest virus definitions.
- Never click on a website link in an email.
- When trying to verify an email, never copy and paste the link contained in an email into your Internet browser’s address bar. If you copy and paste an address into the address bar, it is just like clicking on the link in an email.
- Don’t be intimidated into acting hastily just because an email warns of dire consequences if you do not respond immediately.
- Do not, under any circumstances, give personal information out to an email, webpage, or pop-up window. A legitimate company will never ask you for personal information.
- Always make sure that you are using a secure website (a secure website should begin with the URL “https”— remember, “s” is for security) when entering personal information.
- Check your bank statements, bills, and other financial materials monthly for irregularities.
- Check your credit report at least once a year. Beginning June 1, 2005, as a citizen of the United States, you are entitled to a free credit report from each of the three national consumer-reporting companies: Equifax, Experian, and TransUnion. For more information on how to receive your free credit report, visit the Federal Trade Commission.
What to Do if You Swallowed the Bait
If you have disclosed personal information and think that you have been the victim of phishing, there are several things you need to do immediately:
- Contact the company directly and ask them to monitor your accounts for suspicious activity.
- Notify your financial institutions so that they can place fraud alerts on your credit files.
- Monitor all financial statements carefully, looking for irregularities.
- Contact each of the three national consumer- reporting companies and discuss your situation with a representative. Together, you and the representative can decide if a fraud alert needs to be placed on your file. Placing an alert on your file will prevent phishers from opening new accounts in your name. Here is the contact information for each credit bureau’s fraud division:
Resources You Can Use
Publication 2423 (POD-01-15)
By Dr. Mariah Smith Morgan, Assistant Extension Professor, Extension Center for Technology Outreach.