Phishing and Identity Theft
What is Phishing?
Phishing refers to online scams designed to trick their victims into revealing personal information.
The term is a play on the word "fishing", because the scammers are fishing for compromising personal details, such as credit card numbers and dates of birth, which could be used to commit identity theft, steal money from bank accounts, run up false credit card charges and so on. Other phishing attacks may be designed to steal email or website logins and password information, or other sensitive information.
How does phishing work?
First, the scammers send out a spam email that's been designed to look as if it was sent from a legitimate company such as a bank or other financial organization.
The criminals behind the phishing email will have worked hard to make the email appear to have come from a legitimate company or organization. They may use the same wording as official emails, have a similar design, make use of the same graphics, include links to the "real" official site, and so on.
The email will contain a link to a fake site that has been built to look similar or identical to the legitimate site it's masquerading as.
Somewhere on the fake site, often on the first page you reach from the link in the phishing email, there will be a form asking for login or personal details. Some fake sites also try to install malware such as a keylogger on the visitor's computer; a keylogger records the keystrokes typed from then on and relays them to the criminals, letting them collect passwords, financial details and other sensitive information entered on any site, not just the fake one.
Some consumers will be tricked by the email and the website into giving up personal information. From the details they gather in this way, the criminals behind the phishing attack can buy goods or services using the victim's financial credentials, drain funds from their bank account, or commit all kinds of other mischief.
How does the scammer "know" that I bank at a particular bank, or use a particular website or online service?
The short answer: they don't. They got lucky.
Email is so cheap to send that it is practically free, so phishers can (and do) send out millions of identical emails aimed at the customers of a particular company such as a bank or an internet service provider. Cast a large enough fishing net and at some point you are bound to catch some fish: if enough people receive the email, chance dictates that some of them will happen to be customers of the real company the message is imitating. The exception is targeted ("spear") phishing, where the attacker has already learned something about you, for example from a leaked customer database or a social-media profile, and tailors the message accordingly; such emails are rarer but far more convincing.
How to protect yourself from phishing attacks and online identity theft
Phishing emails are effective precisely because they are designed to look like genuine messages from the company they imitate, so appearance alone is no guide. The two stages below cover what to look for and what to do.
Stage 1: Be Aware
Here are some telltale signs to look for in phishing emails:
- A request for personal information
Banks, financial institutions and other reputable companies will not ask you to send passwords, full card numbers or other personally identifying information by email, or to enter them on a site you reach from an email link. Phishing emails, on the other hand, target exactly these details: your credit card number, your Social Security number, your mother's maiden name, your date of birth and similar information used to verify your identity.
- Poor grammar or spelling, or a strange choice of words
One sign of a phishing email is an unusual turn of phrase, poor spelling or bad grammar. Many phishing scams originate in countries where the first language isn't English, whereas reputable companies generally send professional, polished form emails to their customers. The reverse does not hold, however: polished wording is no proof of legitimacy, since attackers routinely copy a company's genuine emails word for word.
- A sense of panic or urgency
One common phishing tactic is to tell you that the security of your bank account has been compromised and that you must provide personal details to identify yourself. Another is a warning about a purchase you didn't make, with a short deadline to cancel the order or dispute the charge. The pressure is deliberate: it is meant to stop you pausing to check. No reputable bank or other financial institution would choose email as the first way to tell customers that their account has been compromised.
- A lack of specific personal details
Your bank and the other businesses that deal with you already know your name, your account number and other information specific to you. Phishing emails, on the other hand, are often very generally worded ("Dear valued customer"), since the sender rarely knows much about you. A message that does address you by name is not automatically genuine, though: names and email addresses leak in data breaches and are cheap to obtain.
Stage 2: Be Cautious
If you're in any doubt about the origin of an email message, or it looks suspicious in any way, then contact the business that allegedly sent it via a different route.
Don't reply to the initial email, and don't click on any of the links embedded in it. The visible text of a link can say one thing while the address underneath points somewhere else entirely; hovering the mouse pointer over a link (or long-pressing it on a phone) reveals the real destination, and anything that is not the company's own domain is a warning sign.
If you want to check something that's mentioned in the email, for example if you want to log into your bank account and look at recent transactions, then go directly to the homepage of the company in question by typing their web address into your browser or by navigating using a bookmark you know is safe. That way, you'll know you're always starting at a legitimate site.
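The link trick described above, where the text of a link claims one destination while the underlying address goes to a fake site, can be checked mechanically. The following is an added example, not code from the original article or from any of the companies it mentions. It assumes a legitimate domain of examplebank.com, uses a constructed sample message, and treats "looks like a web address" as a simple heuristic rather than a full URL validator.

```python
"""Added example (not from the original article): flag links in an HTML e-mail
whose real destination differs from what the link text claims, or which do not
belong to the company the message says it is from.

Assumptions: the legitimate domain is examplebank.com, SAMPLE_EMAIL is a
constructed message, and DOMAIN_LIKE is a heuristic, not a URL validator."""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed legitimate domain of the company the message claims to come from.
LEGIT_DOMAIN = "examplebank.com"

# Constructed sample: a lookalike subdomain, a decoy in the userinfo part of a
# URL (a browser ignores everything before '@'), a genuine help link, and a
# lookalike registered domain.
SAMPLE_EMAIL = """
<p>Dear customer, your account has been locked. Verify within 24 hours.</p>
<p><a href="http://examplebank.com.account-verify.example/login">www.examplebank.com</a></p>
<p><a href="https://examplebank.com@203.0.113.5/secure">https://examplebank.com/secure</a></p>
<p><a href="https://www.examplebank.com/help">Help centre</a></p>
<p><a href="https://secure-examplebank.example/reset">Reset your password</a></p>
"""

# Link text that reads like a web address (heuristic).
DOMAIN_LIKE = re.compile(r"(https?://)?[a-z0-9.-]+\.[a-z]{2,}(/\S*)?", re.I)
# Schemes such as mailto:, javascript:, data:, tel: carry no host to check.
NO_HOST_SCHEME = re.compile(r"[a-z][a-z0-9+.-]*:(?!//|\d)", re.I)


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a> element in the document."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Host a browser would actually connect to, lower-cased, 'www.' stripped.
    Any userinfo before '@' is discarded, which is exactly the decoy trick."""
    url = url.strip()
    if NO_HOST_SCHEME.match(url):
        return ""
    if "://" not in url:
        url = "http://" + url
    host = (urlsplit(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def same_site(host, domain):
    """True for the domain itself or a real subdomain of it; false for lookalikes
    such as examplebank.com.evil.example or secure-examplebank.example."""
    return host == domain or host.endswith("." + domain)


def suspicious_links(html, legit_domain=LEGIT_DOMAIN):
    """Return (href, real host, reason) for each link that should not be clicked."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        target = host_of(href)
        if not target:
            continue  # mailto:, relative or empty links: nothing to compare
        shown = host_of(text) if DOMAIN_LIKE.fullmatch(text) else ""
        if shown and not same_site(target, shown):
            findings.append((href, target, "text shows %s but link goes to %s" % (shown, target)))
        elif not same_site(target, legit_domain):
            findings.append((href, target, "destination %s is not part of %s" % (target, legit_domain)))
    return findings


if __name__ == "__main__":
    for href, target, reason in suspicious_links(SAMPLE_EMAIL):
        print("SUSPICIOUS:", reason)
```

Run against the sample, the check reports three of the four links: the subdomain lookalike, the userinfo decoy that really goes to 203.0.113.5, and the separately registered lookalike domain; only the genuine www.examplebank.com link passes. The same comparison is what a mail gateway or a browser's hover tooltip lets you do by eye: compare the host the browser will connect to with the host the company actually owns, and treat anything else as a phishing attempt.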
- MasterCard's guide to E-Mail Fraud
- HSBC's guide to Phishing scams
- Wells Fargo information about Fraudulent Emails and Websites
- Examples of Phishing scam emails aimed at Charter Communications customers