Phishing Scams

Phishing scams involve the distribution of "spoofed" email messages with return addresses, links, and branding which appear to come from banks, insurance agencies, retailers, credit card companies, and other legitimate businesses.

These fraudulent messages are designed to trick the recipients into disclosing personal information such as account usernames, passwords, credit card numbers, social security numbers, and home addresses. Most of these emails look "official," and as a result, recipients often respond to them, resulting in financial losses, identity theft, and other fraudulent activity.

14,191 unique phishing scams were discovered in the month of July 2006 alone.

—Anti-Phishing Working Group

Phishers use various social engineering and spoofing techniques to try to trick their victims. Recently, a 17-year-old sent out messages that appeared to be from America Online that said there had been a billing problem with recipients' AOL accounts. The fraudulent email used AOL logos and contained legitimate links.

If recipients clicked on the "AOL Billing Center" link, however, they were taken to a spoofed AOL Web page that asked for personal information, including credit card numbers, personal identification numbers (PINs), social security numbers, banking numbers, and passwords.

In 2003, Floridians reported a combined loss of $25 million to online fraud.

—Federal Trade Commission

Phishing is a variation on the word fishing: fishers (and phishers) set out hooks, knowing that although most of their prey won't take the bait, they just might entice some to bite.

Spear Phishing

In addition to mass mailings, scam artists have started using a more targeted method of phishing called "Spear Phishing." In a spear phishing attack, the only recipients of the email are known members of the bank or institution that the email is targeting.

These email addresses are acquired through a number of means for example:

  • The scammer could join a mailing list and use the "to:" field to create a list of targets
  • The scammer could buy a list from a hacker that has somehow infiltrated a system where the email addresses are stored
  • The scammer could simply guess a series of email addresses based on what is known about the general format of the address. (Many universities or businesses have a formula for creating an email address: "xyz123@univerity.edu" for instance.)

What to do:

The FTC warns users to be suspicious of any official-looking email message that asks for updates on personal or financial information and urges recipients to go directly to the website of the company to find out whether the request is legitimate. If you suspect you have been phished, forward the e-mail to uce@ftc.gov or call the FTC help line, 1-877-FTC-HELP.

Tips to Avoid being hooked:

  • Be skeptical of email that asks for personal information
  • DO NOT click on the link provided
  • Access your user information only through the company's homepage
  • If a web address is spoofed, it is likely to have an excessively long URL
  • Contact law enforcement if you've been a victim
  • Always report fraudulent or suspicious e-mail to your ISP

For more information, and to find archived phishing scams, please visit www.antiphishing.org.