The steps you normally take to protect your computer, like using a firewall and anti-virus software, can help protect you from phishing. You can review Web sites' SSL certificates and your own bankand credit card statements for an extra measure of safety.
In addition, phishers tend to leave some telltale signs in their e-mail messages and Web pages. When you read your e-mail, you should be on the lookout for:
- Generic greetings, like "Dear Customer." If your bank sends you an official correspondence, it should have your full name on it. (Some phishers have moved on to spear phishing, which can include personalized information.)
- Threats to your account and requests for immediate action, such as "Please reply within five business days or we will cancel your account." Most companies want you as a customer and are not likely to be so quick to lose your business.
- Requests for personal information. Most businesses didn't ask for personal information by phone or through e-mail even before phishing became a widespread practice.
- Suspicious links. Links that are longer than normal, contain the @ symbol or are misspelled could be signs of phishing. It's safer to type the business's URL into your browser than to click on any link sent in e-mail.
- Misspellings and poor grammar.
Fortunately, businesses and governments are fighting phishing. The United States government has instructed banks to start using two methods of security that include both passwords and physical objects, like tokens or biometric scanners, for online transactions by the end of 2006 [Source: Wired]. Many Internet service providers (ISP) and software developers offer phishing toolbars that verify security certificates, tell you the location where the site you visit is registered and analyze links. They also provide tools for reporting phishing attempts. Other programs use visual cues to confirm that you've reached a legitimate site.
Responding to Phishing
If you get an e-mail that you believe is a phishing attempt, you should not reply to it, click on the links or provide your personal information. Instead, you should report the attempt to the business being spoofed. Use their Web site or phone number rather than following links in the suspect e-mail. You can also inform the National Fraud Information Center and the Anti-Phishing Working Group.
If you believe you may have given your personal information to a phisher, you should report the incident to:
- The company that was spoofed.
- Any bank, lending or credit institution for which you have disclosed your personal information.
- At least one of the three major credit reporting companies (Equifax, Experian and TransUnion).
- Your local police department.
- The Federal Trade Commission.
- The Federal Trade CommissionThe Federal Bureau of Investigation (FBI) via the Internet Crime Complaint Center
You should also change your passwords for the site you believe was spoofed. If you use the same password at other sites, you should change your passwords there, too.
See the links on the next page for more information about phishing and related topics.