How can I protect myself from 'phishing' scams?
Phishing, also called "carding," is a high-tech scam that uses spam to deceive consumers into disclosing their credit card numbers, bank account information, Social Security numbers, passwords, and other sensitive information.
According to the Federal Trade Commission (FTC), the emails pretend to be from businesses the potential victims deal with - for example, their Internet service provider (ISP), online payment service or bank. The fraudsters tell recipients that they need to "update" or "validate" their billing information to keep their accounts active, and direct them to a "look-alike" Web site of the legitimate business, further tricking consumers into thinking they are responding to a bona fide request. Unknowingly, consumers submit their financial information not to the businesses but to the scammers, who use it to order goods and services and obtain credit.
To avoid getting caught by one of these scams, the FTC, the nation's consumer protection agency, offers this guidance:
- If you get an email that warns you, with little or no notice, that an account of yours will be shut down unless you reconfirm your billing information, do not reply or click on the link in the email. Instead, contact the company cited in the email using a telephone number or Web site address you know to be genuine.
- Avoid emailing personal and financial information. Before submitting financial information through a Web site, look for the "lock" icon on the browser's status bar. It signals that your information is secure during transmission.
- Review credit card and bank account statements as soon as you receive them to determine whether there are any unauthorized charges. If your statement is late by more than a couple of days, call your credit card company or bank to confirm your billing address and account balances.
- Report suspicious activity to the FTC. Send the actual spam to firstname.lastname@example.org. If you believe you've been scammed, file your complaint at www.ftc.gov, and then visit the FTC's Identity Theft Web site to learn how to minimize your risk of damage from identity theft.
In one version of a "vishing" scam, you get an e-mail, as in a traditional phishing scam. But instead of being directed to an Internet site, you're asked to provide the information over the phone and given a number to call. Those who call the "customer service" number (a VoIP account, not a real financial institution) are led through a series of voice-prompted menus that ask for account numbers, passwords, and other critical information.
In another version you're contacted over the phone instead of by e-mail. The call could be either from a "live" person or a recorded message directing you to take action to protect your account. Often, the criminal already has some personal information on you, including your account or credit card numbers. That can create a false sense of security. This call comes from a VoIP account as well.
SMiShing
SMiShing is a form of criminal activity using social engineering techniques similar to phishing. SMiShing victims receive SMS (text) messages along these lines: "We're confirming you've signed up for our dating service. You will be charged $2/day unless you cancel your order on this URL: www.?????.com." When visiting the URL, victims are prompted to download a program which turns out to be a Trojan horse.