Phishing
Legitimate companies (for- and non-profits) don't ask for your personal/financial information (e.g., passwords, bank account/credit card information, Social Security numbers, etc.) via email. Also, never trust unsolicited contacts via emails, links, files, or over the telephone.

Ask Yourself
- Have you ever clicked on a link in an unsolicited email that you thought might be legitimate just to give your personal/account information?
- Have you ever responded (by clicking "reply") to an unsolicited email and given your personal/account information?
- Have you ever called a phone number from inside an unsolicited email and given your personal/account information to the person on the other end of the line?
- You've never reviewed your credit card or bank statements?
- You've opened email attachments or files from the Internet that didn't appear to do anything when clicked?

If you answered yes to one of these questions, you could be the victim of a phishing scam.
Did You Know?
- The number of crimeware-spreading URLs infecting PCs with password-stealing code rose 93 percent in Q1 2008 to 6,500 sites, nearly double the previous high of November 2007, and an increase of 337 percent from the number detected at the end of Q1 2007. (APWG)
- The number of unique keyloggers and malicious code applications detected rose to a record 430 in Q1 2008. (APWG)
- The two most popular phishing targets, according to PhishTank, are PayPal and eBay, Inc.
How to Stay Safe
- Never provide your personal information to an unsolicited request, whether it is over the phone or over the Internet.
- If you believe the contact may be legitimate, contact the financial institution yourself. Use old statements/correspondence for their phone number.
- Never provide your password or PIN number over the phone or in an email or online form.
- Review bank, credit card and any other types of financial statements monthly.
- Never open an email attachment unless you verify over the phone that the attachment is legitimate.
- Don't download and install files from the Internet that are not from trusted sites. For example, don't search for screensavers and just download and install one from a random site.
10 Ways to Recognize Fake (Spoof) Emails
- Generic greetings. Many spoof emails begin with a generic greeting, such as "Dear Company member." If you do not see your first and last name, be suspicious and do not click on any links or buttons or hit reply.

- A fake sender's address. A spoof email may include a forged email address in the "From" field. This field is easily altered.
- A false sense of urgency. Many spoof emails try to deceive you with the threat that your account is in jeopardy if you don't update ASAP. They may also state that an unauthorized transaction has recently occurred on your account, or claim they are updating accounts and need your information fast.
- Fake links. Always check where a link is going before you click. Move your mouse over it and look at the URL in the browser or email status bar. A fraudulent link is dangerous. If you click on one, it could: (a) direct you to a spoof website that tries to collect your data; (b) install spyware on your system so that hackers can monitor your actions and steal passwords or credit card numbers you type online; and/or (c) cause you to download a virus that could disable your computer.

- Emails that appear to be websites. Some emails will look like a website in order to get you to enter personal information. Legitimate companies never ask for your personal/account information in an email.
- Deceptive URLs. If you see an @ sign in the middle of a URL, there's a good chance this is a spoof. Legitimate companies use a domain name (e.g., https://www.company.com). Even if the URL contains the name of the company somewhere in it, it may not be a real site. Examples of deceptive URLs include: www.ebaysecure.com or www.paypa1.com or www.secure-paypal.com, or www.ebaypalnet.com. Always log in to a company's site by opening a new browser window and typing the address you know. And NEVER log in to a site from a link in an email.

- Misspellings and bad grammar. Spoof emails often contain misspellings, incorrect grammar, missing words, and gaps in logic. Mistakes also help fraudsters avoid spam filters.

- Unsafe sites. The term "https" should always precede a website address where you enter personal information. The "s" stands for secure. If you don't see "https," you're not in a secure web session, and you should not enter information.

- Pop-up boxes. Legitimate companies will never use pop-ups as they are not secure.
- Attachments. Like fake emails and links, attachments are frequently used in spoof emails and are dangerous. Never click on an attachment if you are unsure of its origin. It could cause you to download spyware or a virus.
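
The "Deceptive URLs" and "Unsafe sites" checks above can be applied to a link target automatically. The following is an added example, not part of the original page; the `KNOWN_DOMAINS` allow-list, the `LOOKALIKES` table and the function name `check_url` are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Constructed allow-list for the example: brand name -> the domain you know.
KNOWN_DOMAINS = {"paypal": "paypal.com", "ebay": "ebay.com"}

# Digits commonly swapped in for look-alike letters (e.g. "paypa1").
LOOKALIKES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def check_url(url):
    """Return a list of warning strings for one link target."""
    if "://" not in url:
        url = "http://" + url  # bare "www.example.com" as typed in an email
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    warnings = []

    if parts.scheme != "https":
        warnings.append("not https")
    # Everything before "@" is user info; the real host comes after it.
    if "@" in parts.netloc:
        warnings.append("@ sign in address")

    for brand, domain in KNOWN_DOMAINS.items():
        if host == domain or host.endswith("." + domain):
            continue  # genuinely on the company's own domain
        if brand in host:
            warnings.append(f"contains '{brand}' but is not {domain}")
        elif brand in host.translate(LOOKALIKES):
            warnings.append(f"look-alike spelling of '{brand}'")
    return warnings


if __name__ == "__main__":
    # The page's own deceptive examples plus one constructed "@" URL.
    for link in ["https://www.paypal.com/signin", "www.ebaysecure.com",
                 "www.paypa1.com", "www.secure-paypal.com",
                 "https://www.paypal.com@203.0.113.7/login"]:
        print(link, "->", check_url(link) or "no warnings")
```

An empty result only means none of these specific checks fired; it does not show that a site is legitimate.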


