How to Avoid Phishing Scams

Watch out for these sneaky scams that try to trick you into giving your personal information to crooks

One of the most dangerous internet scams is the one commonly referred to as Phishing. Phishing scams come in all shapes and sizes, ranging from crude to highly sophisticated schemes with phony websites resembling those of Pay Pal, AOL, eBay, Amazon and other familiar names.

They trick you into visiting these websites by sending out official looking emails indicating a problem with your account and provide a link for you to click in order to clear up the issue or verify your account.

Once the email link is clicked, you're taken to a login page or you're presented with a form in which you're instructed to enter personal details like Social Security numbers, password, credit card numbers and even banking PIN or routing numbers. If you fall for this scam, it's game over. The crooks have everything they need to steal your identity, rack up charges on your credit card or empty your bank account!

It's easy to see why Phishing scams are so dangerous.

High Tech Phishing Schemes

The high tech con artists have now kicked it up a notch. The latest phishing scam loads a program on your computer that steals information just by opening the e-mail. It's called a "Trojan Horse" virus, and it causes a mirror site to show up and replace the legitimate site when you call it up. People enter their information, thinking it is the legitimate site, and the crooks steal the information and more. So, anytime you go to the Web site of your bank or other site and you see the address suddenly switch to another site, do not enter any information. You have a Trojan horse virus.

The best thing to remember here is that legitimate commerce companies will never ask you for information they already have with the exception of your ID and password when signing on. Do not open emails that are unsolicited.

Email Phishing Scam Methods

1. Subject Lines
   
   Phishing email messages always have genuine looking subject lines. It will seem to be really legitimate as it will relate to who the sender is and the content of the email will tend to corroborate it. The more interesting they can make the subject line the better. Their goal is to get you to open the message and read it. Examples include subject lines like this: !Important notice to all PayPal users!. Numerals and other letters used to replace characters are often put in email message subject lines as a way to outsmart SPAM filters. While at the same time, they try to keep the subject lines close enough to the real thing so that most people would overlook the character changes when quickly looking at the subject line.
   
   
2. Disguised return email address
   
   It's extremely simple for experienced internet scammers to fake an email message sender's address. It's best to assume that no sending addresses listed on the email messages you receive are real. Emails used in phishing scams always have fake addresses for the sender field. They try to make it look like the message is coming from the company they claim to represent, like eBay or PayPal.
   
   
3. Website Content and Layout is copied
   
   Don't feel bad if you've been tricked into thinking an email is real because it had a company's logo in it. Just keep that in mind the next time. Phishing scammers go to great lengths to make their emails look genuine. Some even include real links to the company's legitimate website and/or privacy policies. Phishing emails always seem to use copied images and text styles used on the legitimate web site fool the consumer into believing that their email is genuine.
   
   
4. Hyperlink Manipulation
   
   In attempts to trick email message recipients, con artists will intentionally cloak links in their email messages. URLs in HTML emails may look real; however, when clicked on by an unsuspecting reader, they actually take the reader to a completely different location. For example: http://www.win-big-bucks.com may actually take the user to the web site the scam artist wants you to go.
   
   The consumer needs to be very careful with these hyperlinks. Even if the legitimate companies URL seems to be in the web address it may not go to that site. These new hi-tech outlaws are very manipulative and are experts at deception.
   
   
5. Forms (Surveys, etc.)
   
   The email may contain a questionnaire asking you to enter some personal data and send it to them. It can take on many different forms to try to entice the consumer into giving them sign on ID's and pass words or worse yet a person's date of birth, social security number, mother maiden name or account numbers. Be alert to poor spelling and grammar, as well as an absence of images and undisguised URLs.

Web Site Phishing Scam Methods

The phishing scam will most often than not have a fake web site to add to the smoke and mirror magic they need to fool the consumer into believing they have been directed to a legitimate web site. The purpose of the web site is to trick consumers into thinking they are at the company's genuine web site, and giving their personal information to the trusted company they think they are dealing with. This is very easy to do and if they accomplish what the goal is they will be able to garnish lots of information. The deceptive methods used to disguise a web site are numerous and here are some of them:

1. Genuine Looking web site
   
   The fake web site will have copied text and images from the genuine site and the scam artist has no trouble doing this as it is an easily accomplished procedure. It is very easy to manipulate the web site to their advantage. Who wouldn't sign into their normal legitimate third party payment web site, or on-line banking web site? This is a scary situation if a consumer falls for this trick and furnishes personal information.
   
   
2. Similar looking URL
   
   Some fraudulent web sites can have similar but different domain names that are similar to the genuine site they want the consumer to believe they are at. Scam artists can manipulate the web browser to not reveal the URL line so you will not even be able to see what site you have signed onto. This is smoke and mirror deception in the hi-tech world and is easily accomplished.
   
   
3. Web Forms
   
   The easiest way to collect information in web site phishing scams is to use forms on the fraudulent site. In many cases it will be the same form that is normally displayed on the genuine web site. This may be an at a third party payment site, or a detailed form for verification of personal details such as date of birth, social security number, mother's maiden name or an account number.
   
   
4. More on URL manipulation
   
   Some phishing scams web will display only an I.P addresses in the URL field of the internet browser, the consumer will only see numbers in the URL address bar. The hi-tech world today is so complex that most consumers do not realize that there are a lot of methods that can be used to deceive them and these can include JavaScript, HTA and some HTML which can easily disguise address bars and even construct one that looks real but it only showing the consumer what they want to see. Those are just some of the techniques that can mislead the unsuspecting and trustful individual. The consumer can disable active X and java script in the internet browser setting but this will lead to a less enhanced experience on the World Wide Web and many web sites are using JavaScript and other active X functions.
   
   
5. Pop up Windows
   
   The web site that the consumer was routed to could also just be a bare pop up window with no address bar, tool bars, status bar or scrollbars. It will be opened in the foreground to display the fake webpage. This, of course, is designed as an attempt to mislead the consumer into think it is directly associated to the genuine page.
   
   
6. Address bar manipulation
   
   This involves the placement of a text object with a white background over the URL in the address bar. The text object contains the fake URL, and this covers the real URL the consumer was directed to. Again, you can stop this by disabling Active X and JavaScript in browser settings. Most web pages utilize these tools and it could be impractical to disable them.
   
   
7. Pop up Window
   
   This form of deception involves the use of script to open a genuine webpage in the background while a bare pop up window (without address bar, tool bars, status bar and scrollbars) is opened in the foreground to display the fake webpage, in an attempt to mislead the user to think it is directly associated to the genuine page. This method also utilizes scripts, and can be stopped by disabling Active X and JavaScript in your browser settings.
   
   
8. Spy Ware and Trojan Horses
   
   Trojan Horses and worm viruses are sent as an email attachment, and if opened will install an attached software program. The attachment is a program that exploits vulnerabilities in Internet Browsing software that can force a download from the Internet. This file will download other files and codes, which when installed will run a fully functional Trojan virus.
   
   The Trojan horse is designed to search for personal information, ID's and passwords, which many people keep on their computer. This information is then sent to a database to be use at any time by the scam artists.
   
   Spy ware, such as keyboard loggers, capture information entered at legitimate web sites, such as third party payment sites and then it sends this information to the scam artists.

How to Avoid Phishing Scams

• Any email messages urgently requesting personal financial information should be met with a healthy dose of skepticism. The goal of these types of messages is to get you to respond immediately. So this type of email will often contain immediate, knee-jerk reaction seeking type statements. Data requested is usually items like credit card numbers, passwords, social security numbers, usernames, etc.
  
  
• Never click on the links in an email to get to any web page, if you think the email message isn't real. Instead, go directly to the website by opening your browser and typing in the Web address.
  
  
• Stay away from completing any documents in email messages that request for personal financial information. Account information and/or credit card data should only be sent using secure websites. To ensure you're using a secure Web server, check the beginning of the Web address in your browsers address bar - it should be "https://" rather than just "http://"
  
  
• Check your online accounts frequently by logging into them. In this case, frequently is a minimum of monthly.
  
  
• Make it a habit to always review your bank, credit and debit card statements to make certain all of the transactions listed are accurate. If you see any suspicious charges or transactions, get in touch with your bank and all card issuers immediately for more information and guidance to correct the situation.
  
  
• Make sure you're using the most up to date internet browser and that all security patches have been installed.
  
  
• Every time you receive a "phishing" or "spoofed" e-mail, please report it to the following groups:
  
  
  • Send the email to the Federal Trade Commission at spam@uce.gov
    
    
  • Send the email to the "abuse" reporting email address at the company that is being spoofed (e.g. "spoof@ebay.com")

It's critical to include the original e-mail in its entirety, with its original header information in one piece, when forwarding to the above entities. Additionally, you can alert the Internet Fraud Complaint Center of the FBI by completing a complaint form on their website: www.ifccfbi.gov/

More Fraud Guides Phishing Information