Tips & Tricks
Internet is Phishing for YOU.
This happened to Tom Merritt, CNET
One day, a few minutes after making
a purchase on eBay, I
got e-mail thanking me for winning the auction and asking me
to update my credit card info. I had just gotten a new card from
my bank, and I realized that I hadn't updated it. It was very
late in the evening. I clicked a link and got to a page that
asked me for my eBay username and password as well as my address
and some other info. Before I started to fill it in, I realized
that eBay should already have all that info and I shouldn't have
to enter it until after I logged in.
I quickly navigated away from the page and typed in the eBay
address by hand. I logged in and found out that there was absolutely
no trouble. I did need to update my card info, but it wasn't
yet noted. I had almost fallen for a phishing scam. In fact,
just clicking the link could have had worse consequences than
it did. In light of that, here are a few of the biggest things
to be aware of so that you don't fall for phishing scams.
Stay alert and be cautious with e-mail and on Web sites
Most successful scams
rely on you, not on technology. While some technical vulnerabilities
out there can help phishers along, no scam can work without your
cooperation. This is a con game, not an example of masterful
technical skills. If they can con you into thinking you're doing
something legit, then the scam will work.
Don't get scared by the content
If they really want to foreclose on you or close your account,
you'll get a paper letter by snail mail. Be suspicious of any
e-mail that contains urgent requests for personal financial information.
Read it over several times. Think about it. Does this institution
even have this e-mail address? Does it usually contact you by
e-mail? Phishers try to get you excited or upset so that you
won't think things through.
Don't give out information they should have
Phishers will ask
for sensitive information that the real company would already
have, such as usernames, passwords, credit card numbers, and
so on. Phisher e-mail is generally not personalized, or if it
is, contains only the same name you use in your e-mail address.
Your real financial institution will most likely have your real
Never fill out forms in e-mail that ask for personal information.
Give sensitive info only over a secure Web site or by telephone.
Never use links in e-mail to get to any page on the Web
Call the company
directly, use a bookmark, or type the address manually into the
address bar if, after careful consideration, you think the e-mail
might possibly be legit. Phisher e-mail can make a link look
like it's legit but still take you to a false Web site. Our security
expert, Robert Vamosi, recommends right-clicking and going to
View Source for HTML e-mail; usually you can see that the real
URL behind the link is not the company's. That Web site can also
look exactly like the real thing, since phishers can simply copy
the HTML code and images from your bank's site, so look for awkward
English or bad grammar as a tip-off.
Phishers can make e-mail links do any of the following nasty
* Take you to the legit site but sneak in a pop-up window from
a phisher's site that asks for personal info.
* Take you to a fake site that has a very similar URL to the
* Cover up the address window in your browser with an image that
makes it look as if you're at the real site. If you can't click
into the window, it's fake.
* Make the link download a key-logger program that will record
and report back every keystroke you make, including passwords
and credit card numbers. You'll think nothing happened or that
the link was broken.
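Vamosi's View Source advice above and the "very similar URL" trick in the list can both be checked mechanically. The script below is an added example, not code from the article or from CNET: it pulls every link out of an HTML message and flags visible text that names one host while the href points to another, targets that are bare IP addresses, and hosts that contain a brand name without it being the registered domain. The sample message, the 203.0.113.5 address and the brand list are constructed for illustration, and the registered-domain helper is a deliberate two-label approximation rather than a public-suffix lookup.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample of what "View Source" on a phishing e-mail might show.
# The 203.0.113.5 address is from the documentation range; nothing here is real.
SAMPLE_HTML = """
<p>Please click <a href="http://203.0.113.5/ebay/login.html">http://www.ebay.com/</a>
to update your card.</p>
<p>Or visit <a href="http://signin.ebay.com.example.net/">eBay Sign In</a>.</p>
<p>Questions? <a href="https://www.ebay.com/">eBay</a></p>
"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from every <a> tag in the message."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Last two labels of a host, e.g. 'signin.ebay.com.example.net' -> 'example.net'.
    Assumption: a two-label approximation (no public-suffix list) is enough for a demo."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def host_named_in_text(text):
    """If the visible link text looks like a URL or bare domain, return its host, else None."""
    candidate = text.strip() if "://" in text else "http://" + text.strip()
    try:
        host = urlparse(candidate).hostname
    except ValueError:
        return None
    return host if host and "." in host and " " not in host else None


def check_link(href, text, brands):
    """Return the reasons a link looks like a phishing link (empty list means none found)."""
    reasons = []
    href_host = urlparse(href).hostname or ""
    text_host = host_named_in_text(text)
    # 1. The visible text shows one site, the href goes to another.
    if text_host and registered_domain(text_host) != registered_domain(href_host):
        reasons.append(f"text names {text_host} but the link goes to {href_host}")
    # 2. A bare IP address instead of the company's domain.
    if href_host.replace(".", "").isdigit():
        reasons.append(f"link target is a bare IP address ({href_host})")
    # 3. The brand name is buried in a host whose registered domain is someone else's.
    for brand in brands:
        if brand in href_host and not registered_domain(href_host).startswith(brand + "."):
            reasons.append(f"'{brand}' appears in {href_host} but is not its registered domain")
    return reasons


def scan_email(html, brands=("ebay",)):
    """Map each flagged href in an HTML message to the reasons it was flagged."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = {}
    for href, text in parser.links:
        reasons = check_link(href, text, brands)
        if reasons:
            findings[href] = reasons
    return findings


if __name__ == "__main__":
    for href, reasons in scan_email(SAMPLE_HTML).items():
        print(href)
        for reason in reasons:
            print("  -", reason)
```

Run against the constructed message, the first two links are flagged (text/target mismatch plus a bare IP, and a brand name buried under example.net) while the genuine ebay.com link passes. The two-label domain helper will misjudge hosts under suffixes such as co.uk, which is why real mail filters use a public-suffix list.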
Make sure the Web site you're on is truly secure
Usually, you can
tell if you're on a secure server if the URL begins with https:
instead of http: and if you see the locked-padlock security symbol
in your browser. But phishers can get legitimate-looking certificates
and fool people, as happened recently to a credit union in Utah.
If you get a warning about a site's security certificate, read
it. If the certificate isn't valid, don't go there. Don't rely
entirely on the fact that a URL begins with https:.
Check your accounts regularly
Don't go more than
a month without logging in to an online account to check activity.
Pay attention if the account tells you when the last time you
logged in was. Does it jibe with when you really did last log
in? The more you check, the better. Check your statements from
financial institutions, too. If you ever see suspicious activity,
contact your bank and card issuers immediately. Clear your browser's
cache or personal information after each bank session; cached
pages can be used to reconstruct online sessions.
Keep your software secure
Keep your browsers and operating system up-to-date with the latest
security patches. Windows XP can automatically patch your system
if you turn that option on. If you use Internet Explorer, you should download
this patch immediately if you haven't already. Use antivirus
and antispyware apps and firewalls and keep them current.
The Anti-Phishing Working Group recommends reporting
phishing scams here:
* Forward the e-mail to firstname.lastname@example.org.
* Forward the e-mail to the Federal Trade Commission at email@example.com.
* Forward the e-mail to the abuse e-mail address of the company
that is being spoofed (such as firstname.lastname@example.org). When forwarding
spoofed messages, always include the entire original e-mail with
its original header information intact.
* Notify the Internet
Fraud Complaint Center of the FBI by filing a complaint on its