The Privacy Council


Don’t take the bait of phishing

Posted on June 18th, 2008
Published in The Privacy Council

For the past several years, online scam artists have been using a clever email technique to trick people into giving away sensitive information. The technique is called “phishing,” and it works like this:

The scam artist sends an email that appears to be from a bank, online auction site, or other online merchant. The email says that the recipient’s account information has been compromised (or needs to be confirmed or verified), and that the recipient must click a link and enter all of his or her account information to update the records. The email might suggest that the account will be disabled or frozen if the recipient doesn’t respond. The email appears legitimate and official (complete with artwork and logos lifted from the company’s actual site), and if the recipient clicks the link, the account information page looks legitimate as well. The well-known logos and brands lend credibility to the message. The problem is that the page is a fake, and any information typed into it goes straight to the scammer, who can then use it to steal the recipient’s identity.

Phishing scams have been around long enough that many people recognize them when they show up in an inbox. The scammers are becoming increasingly sophisticated, though, and as new users (many of them elderly or unfamiliar with the pitfalls of the web) sign up for internet service, the scams continue to work on at least a few unlucky people. It is important to know what to look for in a scam email and how to protect oneself from phishing attempts.

Microsoft offers some examples of phrases that suggest an email is fraudulent:

“Verify your account.” - Banks and businesses don’t ask for this information by email.

“If you don’t respond within 48 hours, your account will be closed.” - This statement sounds urgent, which makes people click without stopping to question it.

“Dear Valued Customer” - The lack of a name means the email was sent in bulk, not specifically to the recipient.

“Click the link below to access your account” - Links don’t always lead where they appear to lead. Consider a link whose visible text reads “Click here to visit Wells Fargo” but whose underlying address points somewhere else entirely (the example link in the original post led to Google, not Wells Fargo). This is called “masking” the link. Resting (but not clicking) the cursor over the link will show where the link ACTUALLY goes. Sometimes the scammers will use URLs that look similar to the real thing but are just a tiny bit off. For example, a link that claims to go to bankofamerica.com might actually go to “bankoffamerica.com” or “account-bankofamerica.com,” neither of which is an authentic banking site.
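The two tricks described above, a visible link text that does not match its target and a domain that is one letter or one hyphen away from the real thing, can both be checked mechanically. The script below is an added example, not code from the original post or from any of the sources it cites. It uses only the Python standard library; the brand list and the sample email (whose links mirror the post’s Wells Fargo and Bank of America examples) are constructed for the example, and the two-label “registrable domain” shortcut is an assumption that is adequate for .com brands but would need the Public Suffix List in a real filter.

```python
"""Added example: flag masked and lookalike links in an HTML email body.

Two checks from the post: (1) the visible link text names one site while the
href points somewhere else ("masking"), and (2) the href's domain is a
lookalike of a real brand domain (an inserted letter, a hyphenated prefix, or
the brand used only as a subdomain). Standard library only. The brand list and
the sample email below are constructed for this example, not taken from a
real message.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed: brand domains the filter protects (an assumption for the example).
BRAND_DOMAINS = ("bankofamerica.com", "wellsfargo.com")

# Constructed sample phishing email; the links mirror the post's examples.
SAMPLE_EMAIL = """<html><body>
<p>Dear Valued Customer, verify your account within 48 hours.</p>
<a href="http://www.google.com/">Click here to visit Wells Fargo</a><br>
<a href="http://account-bankofamerica.com/login">Bank of America Online</a><br>
<a href="http://bankoffamerica.com/verify">https://www.bankofamerica.com/</a><br>
<a href="https://www.bankofamerica.com/">Bank of America</a>
</body></html>"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Last two labels of a hostname. Adequate for the .com brands here; a
    production filter would consult the Public Suffix List instead."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def levenshtein(a, b):
    """Edit distance; one insertion turns bankofamerica into bankoffamerica."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(host):
    """Return the brand domain that `host` imitates, or None for a genuine or
    unrelated host."""
    host = host.lower()
    reg = registrable_domain(host)
    if reg in BRAND_DOMAINS:
        return None  # the registrable domain really is the brand
    for brand in BRAND_DOMAINS:
        brand_label, reg_label = brand.split(".")[0], reg.split(".")[0]
        if brand in host:
            return brand  # brand present only as a subdomain or behind a prefix
        if brand_label in reg_label or levenshtein(reg_label, brand_label) == 1:
            return brand  # account-bankofamerica.com / bankoffamerica.com
    return None


def analyze_links(html):
    """Return [(href, [reasons])] for links that look like phishing bait."""
    parser = LinkExtractor()
    parser.feed(html)
    flagged = []
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        reg = registrable_domain(host)
        reasons = []
        # Masking: the text names a brand (by name or by a pasted URL) that the
        # href does not actually go to.
        squeezed = text.lower().replace(" ", "")
        for brand in BRAND_DOMAINS:
            if brand.split(".")[0] in squeezed and reg != brand:
                reasons.append(f"text names {brand} but href goes to {reg or href}")
        # Lookalike: the href's own domain imitates a brand.
        imitated = lookalike_of(host)
        if imitated:
            reasons.append(f"{host} is a lookalike of {imitated}")
        if reasons:
            flagged.append((href, reasons))
    return flagged


if __name__ == "__main__":
    for href, reasons in analyze_links(SAMPLE_EMAIL):
        print(href)
        for reason in reasons:
            print("   ", reason)
```

Run against the sample, the first three links are flagged (the Google link for masking only, the two Bank of America impostors for both masking and a lookalike domain) while the genuine https://www.bankofamerica.com/ link passes. The lookalike check deliberately treats the brand appearing anywhere other than as the registrable domain as suspicious, which is exactly the “account-bankofamerica.com” case from the text.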

The criminals conducting phishing scams are prolific; the Anti-Phishing Working Group (antiphishing.org) notes that in January 2008 alone, 29,284 unique phishing reports were made and 131 brands were hijacked by phishing scams. You might receive the next phishing scam in your inbox, or your brand may be the next one hijacked.

The Federal Trade Commission (FTC) recommends these steps to protect yourself from a phishing scam:

1. Do not reply to emails that ask for personal or financial information. Legitimate companies will never ask for this information via email. Don’t click on links in these emails, either. Call a genuine customer service number if you are concerned about your account.

2. Don’t call numbers that are in these questionable emails, since area codes can be misleading, and the helpful service rep you reach might be a scammer. Call the number on the back of your financial statement instead.

3. Use anti-virus and anti-spyware software and a firewall, and keep them updated.

4. Don’t send personal or financial information via email, even if you’re sending it somewhere legitimate. Email is not a secure method of sending information, and emails can be intercepted by criminals.

5. Review your credit card and bank statements as soon as you receive them. Check for any unauthorized charges.

6. Be careful about opening email attachments or downloading files from emails, and NEVER open attachments from a sender you don’t recognize.

7. Forward phishing emails to spam@uce.gov and report the scam to the company being impersonated, if possible (some companies have a means to report scams on their websites).

8. Check your credit report periodically to see if anyone is opening new lines of credit in your name.

Please be sure to share these tips with any friends or family members who may fall victim to phishing, especially anyone who is new to email. If you think you’ve been scammed, the FTC recommends filing a complaint at ftc.gov, then visiting their identity theft website at www.consumer.gov/idtheft.

If you have a business and you are concerned that your pages and logos could be “spoofed” in a phishing scam, be prepared. Create a page on your site where customers can report phishing scams that involve your company, and pass along any reports you receive to the FTC. Request details from customers such as copies of the text from the phishing email and links to the spoof sites. Be understanding and supportive when speaking with customers who have fallen victim to this scam, as they will probably be extremely frustrated and angry. Maintain the highest possible level of security with your own website so that the sensitive data you hold will remain safe and customers will be confident in that safety.

Sources: www.ftc.gov, www.antiphishing.org, www.microsoft.com 

