Don’t Fall for Phishing Scams

March 2009

Identity thieves phish in the virtual and the real world

Online, it’s pretty simple to masquerade as somebody you’re not. It’s a cinch to create fake web sites, set up a fake e-mail address, even establish bogus social networking profiles.  For the experienced identity thief, subdomain registries, proxy servers and voice over internet protocol (VoIP) can make fraudulent online activity very hard to trace.

This is part of what makes “phishing” attacks so appealing. Phishers obtain their marks’ trust by pretending to be something they’re not, their goal being to get victims to part with something of value—a Social Security number, financial account information, an online password or any other potentially lucrative bit of information.

Like many types of criminal fraud, phishing has adapted to technological changes. While a classic phishing attack might involve someone posing as, say, an AOL representative looking to elicit password information from an unsuspecting consumer, a more contemporary version of the scam might involve a crook posing as a trusted institution. The institution doesn’t seek to coax out sensitive information directly but to appropriate it with password-stealing programs that the victim unwittingly installs on his or her computer by downloading a file or visiting an infected web site.

The growing popularity of “crimeware” has resulted in a more understated, automated type of phishing attack, with victims unaware that their data is being stolen right underneath their noses by malware. Last year, the Anti-Phishing Working Group, a collective of industry and law enforcement professionals, reported that the number of crimeware-spreading sites had zoomed from 6,500 to 9,529 between March and June 2008.

Nevertheless, good-old-fashioned phishing attacks—those that involve scammers who induce victims to voluntarily give up information through e-mails, instant messages, and forms set up on fake web pages—are still abundant (a recent example involved scammers creating e-mails and instant messages purporting to come from Google).

In today’s ailing economy, opportunities for these types of crimes abound. Cash-strapped individuals may be more likely to fall for scams promising “free government grants” or various IRS-related scams in which victims are asked to provide the “agency” with bank account information or other personal data, often in exchange for some sort of purported tax relief.   Symantec says in its February 2009 MessageLabs Intelligence report that phishers are utilizing the credit crisis as an opportunity for forging messages under the guise of various financial institutions.

With so much to worry about online, we almost forgot about the other threats that are out there—the ones in real world. These phishing scams actually involve living, breathing individuals. As the Federal Trade Commission points out, some con artists phish for information in person, putting a human touch on a crime typically associated with electronic communications. Check out these FTC videos to get an idea of how scammers operate when they’re face-to-face with their intended victims.

Don’t want to get snagged by a phishing attack? The FTC recommends the following:

•    Don't reply to email or pop-up messages that ask for personal or financial information, and don't click on links in such messages. Don't cut and paste a link from the message into your Web browser — phishers can make links look as though they go one place but actually send you to a different site.
•    Some scammers send an email that appears to be from a legitimate business and ask you to call a phone number to update your account or access a "refund." Because they use Voice over Internet Protocol technology, the area code you call does not reflect where the scammers really are. If you need to reach an organization you do business with, call the number on your financial statements or on the back of your credit card.
•    Use anti-virus and anti-spyware software, as well as a firewall, and update them all regularly.
•    Don't email personal or financial information.
•    Review credit card and bank account statements as soon as you receive them to check for unauthorized charges.
•    Be cautious about opening any attachment or downloading any files from emails you receive, regardless of who sent them.
•    Forward phishing emails to spam@uce.gov – and to the company, bank, or organization impersonated in the phishing email. You also can report phishing email to reportphishing@antiphishing.org. The Anti-Phishing Working Group, a consortium of ISPs, security vendors, financial institutions and law enforcement agencies, uses these reports to fight phishing.
•    If you've been scammed, visit the Federal Trade Commission's Identity Theft website at ftc.gov/idtheft.