DollarWise
Don't be hooked by the Internet's biggest fraud
They call it 'phishing': Crooks use official-looking e-mails and fake Web sites to get your personal data, then steal from you. Here's how to protect yourself.
By Jennifer Mulrean
If you’ve been swatting away warnings of phishing scams for the last couple of years, it may be time to finally stop and pay attention.
Why? It's running rampant, and nearly all of us are targets. In this scam, crooks use official-looking but fake e-mails and Web sites to lure you into revealing personal financial information. Then they can drain your bank accounts, charge up your credit cards or steal your identity. And according to some industry experts, it’s the biggest fraud on the Internet.
The Anti-Phishing Working Group (APWG) says the number of reported incidents of the scam climbed 800% in the first six months of 2004, and a staggering 4000% in the six months between November 2003 and May 2004. By June, the latest month for which data is available, the APWG reports an average of almost 50 unique attacks (attacks from different sources) per day. With mass e-mailings, each of those unique attacks can potentially hit thousands, if not millions, of people.
Who's taking the bait? As many as 3% to 5% of people who get the e-mails, the experts say. And the sheer numbers of people being targeted mean big payoffs for swindlers.
Watch for the telltale signs
The big problem is that the fake "phishing" e-mails look so official, so real:
- They appear to be from trusted banks, retailers or other companies. Citibank is targeted more than any other business; its name was used in almost 500 of the 1,422 unique attacks reported to APWG in June. PayPal, US Bank and eBay names are also used as fronts.
- The e-mail often says the company needs to verify your information, such as account numbers or passwords, for supposed security purposes.
- They're slick and well-designed, using official-sounding language and real company logos to make them look and feel authentic.
- They try to fool you with an address "spoof." In more than 90% of cases, the e-mail address looks like one from a real company. Although the address in the “From” line of the e-mail may contain a legitimate address, it conceals a scammer's address. (Your e-mail program can be set to display "headers" so you can see a false address. Read more in this Slate article on how to detect spoofed e-mails.)
While working on this story, I received a phishing e-mail that used the SunTrust bank brand. It said my SunTrust account (something I’ve never had) had possibly been “compromised by outside parties.” It instructed me to verify my identity by clicking on a link and then said not to access my account online for the next 48-72 hours. Now the e-mail sticks out as an obvious ploy, but if I’d really had a SunTrust account and had been less aware of phishing, I might have clicked the link -- if only to try to get a better idea of what the fuss was all about.
Here are some other giveaways:
- Scare tactics. Like the SunTrust phish above, it may play on security fears.
- No name. The mail doesn't address you by name but with a generic greeting, such as “Dear Suntrust.com Customer.”
- It offers forms to fill out with your personal financial information.
- It points to links in the e-mail, urging you to click to "validate" or "confirm" your account.
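The giveaways in the two lists above, turned into a small check that reads a message's headers and body the way the article suggests. This is an added example, not code from the article: it parses a constructed lure modelled on the SunTrust phish described above (every address, host and name in it is made up) and reports which of the article's telltale signs it finds.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed lure modelled on the SunTrust-branded phish described above; every
# address, host and name here is made up for the example.
SAMPLE = """From: SunTrust Security <alerts@suntrust.com>
Return-Path: <bulk-4431@example-mailer.invalid>
Subject: Your account has been compromised
Content-Type: text/html

<p>Dear Suntrust.com Customer,</p>
<p>Your account may have been compromised by outside parties. Please
<a href="http://198.51.100.7/verify/">click here to verify your identity</a>
within 48 hours and do not access your account online until then.</p>
"""

SCARE = re.compile(r"\b(compromised|suspend\w*|urgent|within \d+\s*hours?)\b", re.I)
VERIFY = re.compile(r"\b(verify|confirm|validate)\b", re.I)
GENERIC = re.compile(r"\bDear\s+(valued\s+)?\S*\s*(customer|member|user)\b", re.I)
LINK = re.compile(r'<a\s+href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def domain_of(header_value):
    """Domain part of the first address in a From/Return-Path header, lowercased."""
    _, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def phish_signals(raw):
    """Return the article's giveaways found in a raw RFC 822 message, in a fixed order."""
    msg = message_from_string(raw)
    body = msg.get_payload()
    text = msg.get("Subject", "") + "\n" + body
    from_dom = domain_of(msg.get("From"))
    found = []
    # Address spoof: the visible From domain differs from where bounces really go.
    if from_dom and domain_of(msg.get("Return-Path")) not in ("", from_dom):
        found.append("from/return-path mismatch")
    if GENERIC.search(body):
        found.append("generic greeting")
    if SCARE.search(text):
        found.append("scare tactics")
    if VERIFY.search(text):
        found.append("asks to verify/confirm")
    # A link that points at a host outside the domain the From line claims.
    for href, _label in LINK.findall(body):
        host = re.sub(r"^https?://", "", href, flags=re.I).split("/")[0].lower()
        if from_dom and host != from_dom and not host.endswith("." + from_dom):
            found.append("link to unrelated host")
            break
    return found
```

Any one of these signs on its own is a hint rather than proof; the sample trips all five, which is what makes it an obvious ploy.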
Once you're on the hook . . .
What happens after you inadvertently click on one of these links in a phishing lure? Here are some ways the crooks try to trick you:
- You may be directed to a legitimate company's Web site. But a crook's pop-up window -- not part of the real site -- will open and ask for your account information.
- The site itself may be fake, but it will have a similar URL to the real site, fooling you into using it.
- The site may be fake, but the address window showing its URL will be hidden by a floating window displaying the legitimate company's URL to fool you. (Most of these are static images, so if you can’t click on the window or type anything in it, it’s a good tip-off that the address displayed is a decoy.)
- The link may trigger the download of a "key logger" to your computer. It's a program that records what you type into legitimate sites, including your passwords and account numbers, then passes them on to the swindlers.
How to avoid the hook, line and sinker
The Federal Trade Commission’s No. 1 tip for avoiding this ripoff: DON'T provide any personal financial information via e-mail. (Banks and other companies frequently remind customers that they don't ever ask for sensitive financial data via e-mail.) Other tips from the FTC and the APWG:
- Be extremely suspicious of any e-mail with urgent requests for personal financial information.
- Don't fill out forms in e-mail messages that ask for personal financial information.
- Don't use the links in an e-mail to get to any Web page if you suspect the message might not be authentic. Instead, telephone the company or log onto the Web site directly by typing its Web address in your browser.
- Don't give your credit card numbers or account information unless you're using a secure Web site or the telephone. Check the beginning of the Web address in your browser's address bar. A secure site should show as "https://" rather than just "http://". (You may also want to click on the window containing the secure address, to make sure you’re not dealing with a floating window.)
- Beware of e-mail attachments. Don't open them or download any files, regardless of who sent them.
- Check your bank and credit card statements online on a regular basis. Make sure the transactions are legitimate. Don't wait for a mailed paper statement, which can take up to a month. If you see something suspicious, contact your bank and all card issuers using a phone number you know to be legitimate or by typing a secure Web site URL into the Internet browser address bar.
- Use anti-virus software and keep it up to date. Anti-virus software and a firewall can protect you from inadvertently accepting unwanted key-logger files. Look for anti-virus software that recognizes current viruses as well as older ones; that can effectively reverse the damage; and that updates automatically.
- Keep your computer's operating system up to date and download security patches. These free software patches for your operating system close holes that hackers or phishers could exploit. (You can check for Microsoft patches here: http://www.microsoft.com/security/.)
- Consider installing a Web browser tool bar to help protect you from known phishing fraud Web sites. EarthLink ScamBlocker alerts you before you visit a page that's on EarthLink's list of known phisher Web sites. eBay offers a free toolbar that warns you when you might be on a spoofed eBay site.
- Report the attacks by forwarding the phishing e-mail to the following addresses: spam@uce.gov, reportphishing@antiphishing.org and to the "abuse" e-mail address at the company that is being spoofed (e.g. "spoof@ebay.com").
What to do if you’ve divulged sensitive info
If you think you’ve been scammed, you can file a complaint with the FTC and the Internet Fraud Complaint Center. But the most important thing is to notify the bank or credit card issuer of the account that has been compromised. You’ll probably want to close the account and open a new one.
If you’ve given away your Social Security number, you should also notify the big three credit reporting agencies -- Experian, Equifax and TransUnion -- so that a fraud alert can be placed on your file. That way, if anyone applies for new accounts with your Social Security number, you should be notified at home. You should also start regularly monitoring your credit reports, if you don’t already.
For more tips, go to the FTC’s Identity Theft site and MSN Money’s Decision Center on Guarding Your Financial Privacy.