What is phishing? Any attempt to get you to divulge confidential or other valuable information about yourself, others, or organizations you work for or represent. Phishing is usually accomplished today through e-mail, but it can be done over the phone or face to face. These types of scams are nothing new but have evolved to take advantage of the electronic communication explosion.
Many times these attempts seem innocent and in fact may "appear" to come from a legitimate source. These criminals are hoping to lure you and hook you not unlike real fisherman using enticing bait with a nasty hook. The scams propagated often prey on your fears, compassion, greed, trust, and any other human emotion or response that can be manipulated.
Phishing emails are not all someone posing as a Nigerian prince needing to stash his inheritance in your bank account. Phishing attacks are becoming more sophisticated and targeted. Some criminals are after a particular piece of information and may target an individual our group of individuals. They will research well and then craft a very particular communication. This type of attack is often called spear phishing.
Indicators of a phishing e-mail
- May have bad grammar
- May have poor spelling
- Tone of the email is characterized by urgency ("Respond within 24 yours or your account will be cancelled.")
- The e-mail may ask for personally identifiable information, usernames, or passwords
- The communication may contain a web page link or phone number
- The e-mail may read like official communication, contain official logos, use legal jargon
- There may be an attachment in the email and you are being enticed to open it
- The e-mail is unexpected and is out of the norm of your normal communications
- Generic messages ("Dear Member/User", not signed by a specific person) may indicate a phishing attack
If you suspect an e-mail is a phishing scam, it probably is!
The e-mail address is not a good indication whether the e-mail is legitimate or not. Just because the email address says it is from your best friend, your mother, or your employer, doesn't mean that any of these folks actually sent you the email. E-mail addresses can be "spoofed". With the right knowledge, a "phisher" can put any e-mail address and/or name in the From field.
Even if you see your bank's logo in the email it does not mean that the communication is from your bank. When in doubt contact your financial institution with a phone number that your received when setting up the account or go directly to your bank's web site and login, NOT a phone number or link in the e-mail.
Any reputable organization will never ask you to verify your account by sending personal information via e-mail (username, password, SSN, credit card number, etc). When in doubt contact that organization directly using a trusted phone number, or visit the organizations web site and login as you normally would to check the status of your account and see if you have any new messages from the orgnanization.
Never click on links in a suspicious e-mail. Instead open a browser and type in the URL manually or use a Google search to find the correct web site for the organization.
Act immediately if you have been hooked by a phisher. Contact the FTC's ID Theft Clearinghouse http://www.consumer.gov/idtheft or 877-438-4338. Report fraud to the National Consumers League http://www.fraud.org. If you have logged in or provided any login information, immediately change those passwords.
If you've fallen for a phishing scam
- Contact the company who was targeted and inform them that you think you've fallen for a phishing scheme. If you still have the e-mail or web page used, report that to the company as well (forward the e-mail as an attachment so that all of the data is included).
- If you've given out your bank account number or credit card, report the incident to your bank or Credit Card Company and get the account closed. The sooner they know, the better they can protect you.
- Contact the credit bureaus and have them place a fraud alert on your account. This informs potential creditors they must take extra precaution when issuing credit in your name.
- Change any passwords associated with the phishing attack and any passwords that are the same.
- Visit the FTC's website on identity theft for more information
You do not need to contact the HelpDesk or forward e-mails that contain spam/junk:
- Requests for a response such as “I came across your profile and really want to chat.”
- Bounce messages for e-mails that you did not send
- Random or unsolicited job offers
- Messages that inform you that you have won a lottery or are inheriting a large sum from overseas
- Messages asking you to click on external links
- Messages with attachments
Please forward e-mails that contain a phishing attack by explicitly asking you to respond with the following information (please forward as an attachment to firstname.lastname@example.org):
- Username and password
- Social Security number
- Account number
Phishing simulation with education from Pacific Northwest National Laboratory (U.S. Dept of Energy) http://www.pnl.gov/coginformatics/showcase/simulation/phishing/phishing.html