Victims are lured to fake but legitimate-looking websites, under the pretense of updating their personal or account information. The goal of this is twofold:
These may be identity theft attacks. Identity thieves can rack up bills and commit crimes -- in your name. The resulting damages of identity fraud can be financially devastating and your privacy could be seriously compromised. The best defense against identity theft is to recognize phishing attacks (online and off), not respond to them, and report them.
Phishers use emails, instant messages, or popups that look like they are from an official trusted source, but really contain links to malicious sites.
Be skeptical, be suspicious, and if you are not sure, always contact the company being impersonated directly and immediately!
If you get an email claiming to be from a reputable business but asking for private information:
The greeting line of a phishing email is typically generic, such as "Dear (Company) Member". Legitimate emails are usually personalized, such as "Dear Isaac Newton". If you have done business with the real company, they know your name. But beware, a phisher may have found your real name by some other means.
The sender's email address is not a good indicator of the origin of an email. Phishers typically (and easily) forge this field.
Phishers ask you to update, validate, or confirm your information, often with a false sense of urgency and dire consequences if you ignore it.
Legitimate companies will usually ask you to call them at a verifiable phone number or ask you to login to their website independently of the email.
Phishers use deception to try to give the appearance of legitimacy. Look carefully at the link. Forms of trickery include:
Your browser may ignore everything before the @ symbol when determining the actual host; the real destination follows the @, which may be hidden at the end of a very long URL.
http://www.company.com:crafty... ...long... ...string@www.scammer.com
You see the company.com part. This URL really goes to www.scammer.com, which you can't see because the URL string is so long it goes out of the display. Check the URLs without clicking.
Legitimate companies use secure domain names (such as https://www.company.com) whenever sensitive information must be transferred. Never log into a company through a link in an email unless you are expecting a verification notice and you are sure it is from that company. Before submitting any information on a website, always verify the security certificate first.
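The following is an added example, not code from the original article, showing how to check where a link really goes before clicking. It uses Python's standard urllib.parse, which splits the address the same way a browser does: anything before the @ in the authority part is treated as user:password, not as the host. The sample URLs are constructed; www.scammer.com stands in for the attacker's site exactly as it does in the article's example, and the brand domain company.com is the one the message claims to be from.

```python
"""Added example: resolve a link the way a browser does, so the real
destination host is visible before anyone clicks. Sample URLs are constructed."""
from urllib.parse import urlsplit


def real_host(url: str) -> str:
    """Return the host a browser would actually connect to.

    urlsplit() applies the same rule as browsers: everything before '@' in the
    authority is userinfo (user:password), and the host is what follows it.
    """
    return (urlsplit(url).hostname or "").lower()


def analyse_link(url: str, displayed_domain: str) -> dict:
    """Compare the brand a user thinks they see with the host they would reach.

    displayed_domain is the company the message claims to come from
    (e.g. 'company.com'); it is an input the caller supplies, not something
    read from the URL.
    """
    parts = urlsplit(url)
    host = real_host(url)
    displayed = displayed_domain.lower()
    # A genuine company host is the domain itself or a subdomain of it.
    # 'www.company.com.evil.net' does NOT pass, because it does not end in
    # '.company.com'.
    host_matches = host == displayed or host.endswith("." + displayed)
    findings = []
    if "@" in parts.netloc:
        findings.append("text before '@' is userinfo and hides the real host")
    if not host_matches:
        findings.append(f"real host is {host!r}, not {displayed!r}")
    if parts.scheme != "https":
        findings.append("not https; submitted data would travel unencrypted")
    return {"real_host": host, "suspicious": bool(findings), "findings": findings}


if __name__ == "__main__":
    # Constructed example in the shape the article describes.
    link = "http://www.company.com:crafty-long-string@www.scammer.com/update"
    for key, value in analyse_link(link, "company.com").items():
        print(f"{key}: {value}")
```

Run it against any link copied out of a message (copy the link address rather than clicking it). A result with any findings means the link deserves the treatment the article recommends: do not follow it, and contact the company through an address you already know.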
Clicking on a fraudulent link can net the Phisher his catch, and you and your computer are the phish.
Phishing emails may contain forms that make the message look like a web page and try to get you to enter your personal information. Legitimate companies will never ask you to enter personal information in an email.
Phishers often use poor spelling, bad grammar, missing words and logic gaps, in an attempt to get around spam filters. Legitimate businesses use proper business communication, and while they may not be perfect, the writing is generally far superior to that found in phishing emails.
When you enter information in a web session, make sure "https://" (a secure connection) begins the URL. Be sure to verify the security certificate. This is not foolproof. Some phishers have forged security icons.
Legitimate companies do not (or should not) use popups in email, as popups may not be secure.
Attachments in phishing emails are very dangerous; they may be virus- or spyware-laden. Do not open these and delete them immediately after reporting the scam.
Above all, if you are not sure, always contact the company directly!
Look for the lock icon on the lower frame of your browser; on a secure site it should appear locked. If you click on this, you can verify the security certificate. In general, browsers recognize only trustworthy Certificate Authorities, but be aware that untrustworthy Certificate Authorities can be added manually by anyone who has access to your computer.
You can check the URL of a link without clicking:
Forward the entire email, with full headers turned on (for tracking), to the legitimate organization being impersonated in the message. Most organizations have information on their websites about where to report problems. Access the company through a web address that you know to be genuine, not from a link in the email. Do not click on the email thinking you are going to get to the legitimate site.
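As an added example (not code from the original article), the script below shows what the "full headers" requested above actually reveal, and why the sender's address proves nothing on its own. It uses only Python's standard email module. The message it parses is constructed for illustration: every address, host name and IP address in it is made up (the IPs come from documentation ranges), and company.com is again the brand the message claims to be from.

```python
"""Added example: compare the claimed From: domain of a message with the
evidence in its other headers. The sample message is constructed."""
import email
import re
from email import policy

# Constructed sample: a message claiming to come from company.com.
SAMPLE = """\
Return-Path: <bounce@mail-relay.scammer.com>
Received: from mail-relay.scammer.com (mail-relay.scammer.com [192.0.2.10])
\tby mx.example.net with ESMTP id abc123; Mon, 1 Jan 2024 10:00:00 +0000
Received: from [198.51.100.7] (unknown [198.51.100.7])
\tby mail-relay.scammer.com with SMTP; Mon, 1 Jan 2024 09:59:58 +0000
From: "Company Support" <support@company.com>
Reply-To: helpdesk@company-verify.scammer.com
To: member@example.net
Subject: Confirm your account within 24 hours
Content-Type: text/html

<html><body><p>Dear Company Member,</p>
<form action="http://www.company.com:x@www.scammer.com/update">
<input name="password"></form></body></html>
"""


def domain_of(addr: str) -> str:
    """Lower-cased domain of an address such as '<a@b.example>' ('' if none)."""
    return addr.rpartition("@")[2].strip("<> \t").lower()


def same_org(host: str, domain: str) -> bool:
    """True if host is the domain itself or a subdomain of it."""
    host, domain = host.lower(), domain.lower()
    return host == domain or host.endswith("." + domain)


def received_hops(msg) -> list:
    """(from, by) host pairs from the Received: lines, newest first."""
    hops = []
    for value in msg.get_all("Received", []):
        flat = re.sub(r"\s+", " ", str(value))  # unfold continuation lines
        m = re.match(r"from (\S+).*? by (\S+)", flat)
        if m:
            hops.append((m.group(1), m.group(2)))
    return hops


def analyse_message(raw: str) -> dict:
    """Return the claimed sender domain, the relay chain and a list of findings."""
    msg = email.message_from_string(raw, policy=policy.default)
    claimed = domain_of(str(msg.get("From", "")))
    findings = []
    # Return-Path is the envelope sender (where bounces go); the From: line is
    # free text that phishers forge, but the envelope is usually left alone.
    envelope = domain_of(str(msg.get("Return-Path", "")))
    if envelope and not same_org(envelope, claimed):
        findings.append(f"Return-Path domain {envelope} is not {claimed}")
    reply_to = domain_of(str(msg.get("Reply-To", "")))
    if reply_to and not same_org(reply_to, claimed):
        findings.append(f"Reply-To domain {reply_to} is not {claimed}")
    # The newest Received: line was written by the recipient's own server and
    # names the host that really handed the message over. Legitimate bulk
    # mailers can also fail this check, so treat it as a signal, not proof.
    hops = received_hops(msg)
    if hops and not same_org(hops[0][0], claimed):
        findings.append(f"delivered by {hops[0][0]}, not a {claimed} server")
    part = msg.get_body(preferencelist=("html", "plain"))
    body = part.get_content() if part is not None else ""
    if re.search(r"<form\b", body, re.I):
        findings.append("message body contains an HTML form asking for input")
    if re.search(r"Dear\s+\w+\s+(Member|Customer|User)", body):
        findings.append("generic greeting instead of your name")
    return {"claimed_from": claimed, "hops": hops, "findings": findings}


if __name__ == "__main__":
    result = analyse_message(SAMPLE)
    print("claimed From domain:", result["claimed_from"])
    for src, dst in result["hops"]:
        print(f"  hop: {src} -> {dst}")
    for finding in result["findings"]:
        print("  finding:", finding)
```

When you forward a message to the organization being impersonated, these Received: lines and the Return-Path are exactly what their abuse team needs, which is why the article asks for full headers rather than a plain forward; a plain forward keeps only the forged From: line.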
You may also report phishing scams to local law enforcement authorities or as directed on the following websites.
In Canada:
In the United States:
It is an unfortunate fact that many of these scams originate from parts of the world where cooperation in enforcement is difficult -- if not impossible -- to obtain.
These sites provide additional information about phishing, how to recognize it and what to do about it.
EBay -- Spoof Email Tutorial
Knowledge is power. The Bitmill Inc. encourages links to our site. To link to this page, please cut and paste the following HTML code into your web page source file.
<a href="http://www.thebitmill.com/articles/phishing.html">Protect Yourself From Phishing 101</a>
Your link will look like this:
Protect Yourself From Phishing 101
Thank you for your interest and support.