Don’t Get Caught by Phishing Scams

NOTE: This article was originally published in CIT Information newsletter, Spring 2005 issue. However, following these tips is always important, as pointed out by the October 2008, FTC Consumer Alert: Bank Failures, Mergers and Takeovers: A "Phish-erman's Special".

Phishing is a high-tech scam that uses spam or pop-up messages to deceive you into disclosing your credit card numbers, bank account information, Social Security number, passwords, or other sensitive information. According to the 2004 annual report from security firm MessageLabs, the number of phishing attacks rose exponentially during 2004 — phishing messages in January 2004 numbered 337,050, but in November they totaled 4.5 million.*

As phishing scams become more sophisticated they present a more serious risk for businesses or individuals who conduct business online. The MessageLabs report stated that some scams are able to access online banking information even when users do not click on any links. Therefore, if you have no dealings with the purported company, do NOT open the email message — simply delete it! (NOTE: These spams are also being sent to UNL organizational email accounts.)

Follow these additional tips to avoid being hooked by a phishing scam and becoming a victim of identity theft.

• If you open a message that asks for personal or financial information, DO NOT reply, fill out any form, or click on any link in the message. Legitimate companies don’t ask for this information via email.
  • If you are concerned about your account, contact the organization using a telephone number you know to be genuine, or open a new browser window and type in the company’s correct Web address.
• DO NOT email personal or financial information. Email is not a secure method of transmitting personal information.
• If you initiate a transaction and want to provide your personal or financial information through an organization’s website, look for indicators that the site is secure, like a lock icon on the browser’s status bar or a URL for a website that begins with “https:” (the “s” stands for “secure”). Unfortunately, no indicator is foolproof; some phishers have forged security icons.
• Ensure that your browser and anti-virus software are up-to-date and all browser and operating system security patches have been applied.
• Regularly log into your online accounts.
• Review credit card and bank account statements as soon as you receive them to determine whether there are any unauthorized charges. If your statement is late by more than a couple of days, call your credit card company or bank to confirm your billing address and account balances.

For more information on phishing (and pharming), including how to report it, please see the Anti-Phishing Working Group (APWG) website.

For information on additional security concerns, please see these articles.

• Are You Receiving More Spam? Well, Stop It! (Summer 2004)
• Personal Computer Security Beyond Viruses (November 2007 update)

* “Phishing attacks skyrocket in 2004,” CNET, 6 December 2004.