“Phishing” Avoid Getting Fried

You’ve probably heard about identity theft – when people steal personal information to use for illegal purposes.  It was once thought that this form of fraudulent activity was limited to lost credit cards or thieves obtaining old bank statements from the garbage.  However, this threat has evolved and is now an even greater danger in an e-mail (or instant messaging, social networking, etc.) scheme called “Phishing.”

In a Phishing scam, someone will attempt to deceive or fool you into submitting personal information by posing as a bank or other trusted organization.  The scammer will send an e-mail resembling a trusted organization’s common e-mail format and will most likely even use the logo of the company they are fraudulently posing as.  The e-mail message often has a message asking for some sort of account authorization or urgent payment needed.  Here are a few of the most common Phishing lines according to According to Microsoft:

  • “Verify your account.”
    • A legitimate business will never ask for sensitive information such as passwords, login names, or social security numbers via email.
  • “You have won the lottery.”
    • “Advanced fee” scams ask for bank information in advance to deposit the winnings on a contest that you supposedly just won.
  • “If you don’t respond within 48 hours, your account will be closed.”
    • The urgent message approach asks that you respond immediately or one of your services will be disconnected. These types of campaigns also typically ask for login information.

(source: http://www.microsoft.com/protect/yourself/phishing/identify.mspx)

Phishing been running rampant through the Internet and occurrences increase as we continue to use the Internet as an interface for our common daily services.  In December 2008 the Anti-Phishing Work Group (APWG – www.antiphishing.org) recorded over 15,000 unique phishing websites that were actively sending out e-mails soliciting information from users.  Gartner (see release) reported in 2007 that a total of 3.2 million people fell victim to phishing scams; the average dollar loss per Phishing victim was $886.

You’ve seen that Phishing is a credible threat and even the most credible organizations are susceptible to an imposter illegally soliciting information from customers.  Even at PEAK we have seen the effects this with several fraudulent e-mails being circulated over the past 12 months.  In general, be aware that a credible business would never ask for information they already should have within their customer database.  That is the best baseline rule for steering clear of any Phishing threat; here are a few other recommended items you can do to safeguard yourself from these threats:

  • Don’t click on links within e-mails that ask for your personal information.
  • Never enter personal information in a pop-up screen.
  • Ensure that your computer Anti-Virus and Spam Filters are up-to-date.
  • Only open e-mail attachments from trusted and known sources.
  • Always look for a padlock icon and the address bar to start with “https://” in the browser window when typing sensitive information.
  • Manually type the URL of secure web pages that you are accessing, do not follow links from e-mails.

(source: http://www.sec.gov/investor/pubs/phishing.htm)


Phishing Example

What happens if you accidently fall into a scam?  First, contact your banks and service providers that may have been affected, inform them of the breach and change your account access information.  Second, you can report your case to the Federal Trade Commission if you fear that identity theft may happen (FTC Identity Theft site).   The site will also have resources on limiting any damages that may occur.

The best way to avoid becoming a phishing scam victim is to use your best judgment. No organization with any sense will e-mail you and ask you to input all of your sensitive information.  Most credible organizations will constantly inform customers that “We will never ask you for your personal information in an email”.

These sites have good information on phishing and reporting phishing scams: