Phishing is an identity-theft scam that uses "spoofed" or fake emails and Web sites to trick people into giving out personal information, such as credit card numbers, usernames and passwords, or social security numbers. Phishing is usually done by hijacking the brand identity of a bank or an online store in a spoofed email that is sent to large numbers of people. The email will usually contain a link to a Web page designed to look just like a legitimate company's site. A phishing scam will use this page to capture any information that you provide, then sell or use the information for malicious purposes.
Following are some ways to avoid becoming a victim of a phishing scam:
- Always be suspicious of e-mails asking for sensitive information.
Remember that e-mail is not a secure form of communication. Organizations you do business with already know your account information and will never request it from you in an e-mail. Phishers will usually include false statements that are designed to increase urgency and try to make you give up your information more quickly, such as "Your account is going to be terminated unless you respond immediately."
- Never respond to an e-mail request for personal information.
Always err on the side of caution. Look at the “From:” field in the e-mail. If the organization name does not match the “Reply To:” organization name, the message is probably spoofed (falsified). For example, a message from a local credit union or bank would not have a reply e-mail address ending in "yahoo.com". If you ever need to provide personal information like a credit card number, make sure you are using a secure, trusted web site or, if on a phone call, be sure your are the one that initiated the call to the company and not the other way around.
- Never follow the links in an e-mail you suspect might be phishing.
If you unsure about a link to a site you receive in an e-mail, “hover” your cursor over it. If the link text in the e-mail doesn't match the link address, do NOT click it. Log directly onto the company’s web site or call the company. Most companies will know if there is a phishing scam involving their company and be able to verify if the information in the e-mail is real or not.
- Consider installing a toolbar that blocks scam sites.
Some browser tools are available that can alert you if you are accessing a page that is a known fraudulent phisher or block the site altogether. Perform and Internet search for "phishing toolbar blocker" for different tools and options.
- Always make sure your operating system, antivirus software, and browser are up to date.
Some scams use viruses or holes in the security of operating systems like Windows and browsers like Internet Explorer. You should always make sure you have the latest security updates installed on your computer. The ITS Help Desk Security Center has more information on not only how you can keep your computer and data protected but examples on current and past scams.
- More information about phishing and how to avoid phishing scams can be found here: http://education.apwg.org/r/en/index.htm.