Protect Yourself from Online Fraud - Don't Get Caught in the Phisher's Net
Phishing, spamming, viruses, identity theft, data compromises - the list keeps growing. To help you protect your financial activity, we've put together some tips on how you can avoid becoming a victim of phishing e-mail scams.
What are phishing e-mails?
Phishing e-mails are fake e-mail messages sent for the purpose of tricking you into thinking they come from a legitimate company and getting you to provide sensitive personal or financial information. Typically, the criminals will "spoof" real financial services companies or online merchants where financial information can be acquired.
What do phishing e-mails look like?
Spotting phishing e-mails can sometimes be difficult, but generally you can look for a few clues.
1. The sender's e-mail address does not match the e-mail address you typically see in other messages from that company. For example, RealCompany.com always e-mails you from "@RealCompany.com", but the phishing e-mail uses "@RealCompanyCo.com". It's a slight change, but enough to be fake.
2. Urgent appeals for action. Criminals typically hack other web sites to set up an area where they can collect the data. They know they have little time until they are found out and the fake web site is shut down. They will typically state that you need to act within the next 24-48 hours, otherwise your account will be deactivated.
3. Generic message or no personalization. These criminals typically do not know who you are; they just have your e-mail address. Since they don't know you, they cannot put "Dear (Your Name)" at the top of the message.
4. Requests for personal or secure information. This is what criminals are really after. They request your user name and password or credit card number, claiming that they have lost it, that they are verifying all of their customers are legitimate, or that there has been a security breach and you need to confirm your information.
5. Typos and errors throughout the message. A few typos and poor grammar occur even in legitimate communications. However, some criminals may not have a good command of English or may be in such a rush that they don't do quality assurance on the phishing e-mail. One of the most easily recognized clues will be poor verb conjugation.
6. Links to web sites that don't use the domain normally used by the legitimate company. In our example above, RealCompany.com may use domains like www.realcompany.com, secure.realcompany.com, and mail.realcompany.com. A phisher does not have access to the server with the address realcompany.com, so he must "spoof" the address. A phisher may use secure.realcompany.realcompany-confirm-update.com, or even a numeric IP address like 101.58.33.233/realcompany.com, all in the hope that if you see "realcompany" in the address bar you'll think it's okay. Phishers will also sometimes put links into the body of the e-mail that look legitimate but actually go to a different address. Continuing with the RealCompany.com example, the text in the e-mail might state, "...go to https://www.realcompany.com to update your account information..." but the actual link might go to a different address altogether. Do note, however, that a link to RealCompany.com in a legitimate e-mail message from RealCompany.com might actually take you to https://www.realcompany.com/productinfo.html, where they want you to be able to go directly to the information pertaining to the subject of the e-mail.
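The two link clues above (a hostname that only contains "realcompany" rather than being under realcompany.com, and link text that shows one address while the link goes to another) can be checked mechanically. The following is an added example, not part of the credit union's material: it pulls every link out of a constructed HTML e-mail body and reports which clues each link trips. The legitimate domain "realcompany.com" and the sample message are assumptions, and the dot-boundary rule in `is_under_domain` is the key point, since a plain substring test would accept the spoofed hostnames.

```python
"""Flag suspicious links in an e-mail body (added example; sample data is constructed)."""
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


def hostname_of(url: str) -> str:
    """Lower-cased hostname of a URL; tolerates text like 'www.example.com' with no scheme."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def is_ip_address(host: str) -> bool:
    """True for numeric hosts such as 101.58.33.233 (a clue on its own)."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def is_under_domain(host: str, legit_domain: str) -> bool:
    """True only if host IS legit_domain or a subdomain of it.
    The leading dot is the whole point: 'realcompany-confirm-update.com' and
    'realcompany.com.evil.net' both contain 'realcompany.com' but fail this test."""
    legit = legit_domain.lower().strip(".")
    return host == legit or host.endswith("." + legit)


def classify_link(href: str, text: str, legit_domain: str) -> list:
    """Return the clues that make one link suspicious (an empty list means none)."""
    clues = []
    host = hostname_of(href)
    if is_ip_address(host):
        clues.append("numeric IP address instead of a domain name")
    elif not is_under_domain(host, legit_domain):
        clues.append("host %r is not under %r" % (host, legit_domain))
    # Visible text that looks like a URL must point at the same host as the real link.
    shown = text.strip()
    if re.match(r"^(https?://|www\.)", shown, re.IGNORECASE) and hostname_of(shown) != host:
        clues.append("link text shows %r but the link goes to %r" % (hostname_of(shown), host))
    return clues


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text)))
            self._href = None


def suspicious_links(html: str, legit_domain: str) -> dict:
    """Map every href in the message to its list of clues."""
    parser = _AnchorCollector()
    parser.feed(html)
    return {href: classify_link(href, text, legit_domain) for href, text in parser.links}


# Constructed sample message reusing the article's RealCompany.com examples.
SAMPLE_EMAIL = """
<p>Go to <a href="https://secure.realcompany.realcompany-confirm-update.com/login">https://www.realcompany.com</a>
to update your account information within 24 hours.</p>
<p>Or <a href="http://101.58.33.233/realcompany.com">click here</a>.</p>
<p>Product details: <a href="https://www.realcompany.com/productinfo.html">https://www.realcompany.com</a></p>
"""

if __name__ == "__main__":
    for href, clues in suspicious_links(SAMPLE_EMAIL, "realcompany.com").items():
        print(href, "->", clues or "looks consistent")
```

Run as-is, the first link trips both clues, the IP-address link trips one, and the productinfo.html link (the legitimate deep link the text mentions) trips none.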
7. Web sites that phishing e-mails link to are not secure. Phishers do not have time to set up sites with the right credentials for Secure Sockets Layer (SSL), so they won't have a secure web site. A legitimate company that practices sound security will ask for your personal information using SSL. You can check for SSL by making sure the web address starts with "https", not just "http", by looking for the lock or key icon at the bottom, and by double-clicking the icon to review the web site's certificate. Clicking the lock or key icon is probably the most important step, as the more advanced criminals can "spoof" the lock or key icon and the address bar. When you click on that icon the web site's certificate will appear. You'll want to make sure that the domain (www.RealCompany.com) of the web address indicated in the certificate matches the one in the address bar.
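The final check in this clue, that the name in the certificate matches the address bar, is the same comparison a browser performs. As an added example that is not part of the original article, the code below applies that comparison to a constructed certificate laid out the way Python's `ssl` module returns one from `getpeercert()`: the DNS entries in `subjectAltName` are the names the certificate vouches for, and a `*.realcompany.com` wildcard covers one label only, so the spoofed host from clue 6 does not match. The certificate contents and hostnames are assumptions.

```python
"""Does a certificate's name match the host in the address bar? (added example; cert is constructed)"""


def certificate_names(cert: dict) -> list:
    """DNS names a certificate vouches for: subjectAltName entries, else the subject commonName."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    names.append(value)
    return [n.lower() for n in names]


def name_matches(pattern: str, host: str) -> bool:
    """Exact match, or a leftmost '*' wildcard that stands for exactly one label."""
    host = host.lower().rstrip(".")
    if pattern.startswith("*."):
        parent = pattern[2:]
        return host.endswith("." + parent) and host.count(".") == parent.count(".") + 1
    return pattern == host


def cert_matches_host(cert: dict, host: str) -> bool:
    """True if any name in the certificate covers the host shown in the address bar."""
    return any(name_matches(name, host) for name in certificate_names(cert))


# Constructed certificate in the dict layout ssl.SSLSocket.getpeercert() uses.
REALCOMPANY_CERT = {
    "subject": ((("commonName", "www.realcompany.com"),),),
    "subjectAltName": (("DNS", "www.realcompany.com"), ("DNS", "*.realcompany.com")),
}

if __name__ == "__main__":
    for host in ("www.realcompany.com", "secure.realcompany.com",
                 "secure.realcompany.realcompany-confirm-update.com", "realcompany.com"):
        print(host, "->", "matches" if cert_matches_host(REALCOMPANY_CERT, host) else "MISMATCH")
```

A real connection made with `ssl.create_default_context()` performs this hostname check for you and refuses to connect on a mismatch; the point of spelling it out is to show what the browser's lock icon is actually comparing.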
Where can you see samples of phishing e-mails?
A non-profit organization called the Anti-Phishing Working Group hosts a web site full of information about phishing as well as samples of select reported phishing e-mails in their Phishing Archive at Anti-Phishing Working Group.
What should you do if you receive a phishing e-mail?
Do not respond by either replying or clicking the links. The sender's address is usually fake and responding could let the criminals know they have a valid e-mail address they can use for further fraudulent activity. If you click through the links you will go to the phisher's fake web site where they may be able to download viruses and other software used by criminals onto your computer.
1. If you receive a phishing e-mail, report it to the legitimate company that has been "spoofed" in the e-mail. Most have online mechanisms to communicate this, either as forms or e-mail addresses.
2. File a complaint with The Internet Crime Complaint Center. They will probably not be able to address your specific incident, but providing this information allows them to warn others and investigate the crime.
This information was provided by the Pentagon Federal Credit Union to its members and is not meant to be an exhaustive, comprehensive, or authoritative voice on the subject.