(Don't) Go Phish!

Do you know how to spot a "phish" out of water? It looks like an email from Washington Mutual, informing you that your bank account will be closed if you don't respond immediately. Phishing scams such as this target Internet users of all ages and skill levels, and ruthless con artists dedicate themselves to acquiring personal information such as credit card, bank account, PIN, and social security numbers. But if you learn how to identify phishing scams, you should be able to avoid the stress involved in undoing identity theft.

What Is Phishing?
The term "phishing," first coined by hackers in 1996, refers to the process by which hustlers use email or other "lures," such as instant messages and chat-rooms, to fish for personal information from unsuspecting computer users. Recent businesses targeted by phishers include America Online, eBay, Paypal, Earthlink, U.S. Bank, and the aforementioned Washington Mutual.

Identifying a Phishing Scam
Phishing messages often share characteristics, so you can protect yourself by learning to recognize some of the features of a typical phishing email:

Authentic-Looking Graphics: Appropriate graphics are easily duplicated and their presence does not mean the email originates from a trusted business.

Threatening Tone: Stirring statements--claiming, for instance, that your account will be closed unless you act right now--should ring an alarm of a different sort; a legitimate business is unlikely to handle such matters over email. Call the established business telephone number to confirm the email's authenticity.

Personal Information Request: Most legitimate businesses will not ask you to provide information such as passwords, account numbers, or PIN numbers via email or Web form. Again, rather than responding to the email, call the established business telephone number to confirm that the message is official.

Misleading Links: Using a process called "masking," phishers create a legitimate-looking link (e.g., Paypal.com) that actually takes you to a different address (e.g., auth.BestDealsMarketBanking.tk/paypal). To avoid "masked" links, open your Web browser and type the legitimate link yourself.

Grammar and Spelling Errors: Spelling mistakes can be part of a strategy used by phishers to avoid spam filters or can indicate that the lure originates outside the country and the phishers don't fully understand the grammar standards used by the business they're mimicking.

False Web Sites
Most phishers will direct you to a Web site designed to collect your personal information--a site not authorized by the mimicked business. There are a number of warning signs that will help you spot a phisher's site before accidentally disclosing private data:

Make sure the site is secure.
A Web page graphic that simply tells you it's "secure" is not enough, especially when you're submitting personal information. Secure sites most often contain a small image of a lock in the bottom right corner of the browser window frame.

Pay close attention to the URL of the site you are visiting.
Consider this example of a phishing URL: http://visa.com/?rDirl=http://200.251.251.10/ (the address ends at the final slash). The initial part of the address makes it appear the link connects to Visa, a legitimate credit card company. If you look at the last half of the link, however, you'll see that the second "http" will redirect you to a different site. Also, look for an "s" for "secure" following the introductory "http"; that is, a secure address will read "https" instead of the insecure "http."

Avoid Web sites that don't have domain names.
When you see a Web site address containing an IP address--four sets of numbers separated by periods (e.g., 200.251.251.10)--you should be wary. Most scammers mask their identity by giving these numbers instead of an actual domain name, such as "www.google.com."
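
The URL warning signs described above (masked links, a second "http" inside the address, a bare IP address, and a missing "https") can be checked mechanically. The following is an added example, not part of the original article; the function names and flag labels are hypothetical, and the sample message is constructed from the article's own example addresses.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qsl

def host_of(url):
    """Lower-cased host name; accepts scheme-less text such as 'Paypal.com'."""
    return (urlsplit(url if "//" in url else "//" + url).hostname or "").lower()

def url_warnings(url):
    """Return the article's URL warning signs that apply to url."""
    parts = urlsplit(url)
    flags = [] if parts.scheme == "https" else ["not-https"]
    try:
        ipaddress.ip_address(host_of(url))
        flags.append("ip-address-host")
    except ValueError:
        pass  # host is a name, not a bare IP address
    # A second full URL carried in a query parameter (the "second http")
    if any(v.lower().startswith(("http://", "https://")) for _, v in parse_qsl(parts.query)):
        flags.append("embedded-redirect-url")
    return flags

class MaskedLinkFinder(HTMLParser):
    """Collect (visible text, href) pairs where host-like text names a different site."""
    def __init__(self):
        super().__init__()
        self.href, self.text, self.masked = None, [], []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.href, self.text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self.href is not None:
            self.text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self.href is not None:
            shown, real = "".join(self.text).strip(), host_of(self.href)
            claimed = host_of(shown) if "." in shown and " " not in shown else ""
            if claimed and real != claimed and not real.endswith("." + claimed):
                self.masked.append((shown, self.href))
            self.href = None

def masked_links(html):
    finder = MaskedLinkFinder()
    finder.feed(html)
    return finder.masked

# Constructed sample message body using the article's example addresses
SAMPLE = ('<p>Verify at <a href="http://auth.BestDealsMarketBanking.tk/paypal">Paypal.com</a>'
          ' or <a href="https://www.paypal.com/">www.paypal.com</a></p>')
```

An empty result from either function does not mean a link is safe; these checks only cover the specific signs listed in this article.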

Watch out for browser errors and rendering errors.
If your browser notifies you that a site contains "rendering errors," you should be skeptical. It is very rare that a legitimate site will have such errors.

Keep your computer up to date.
Swindlers find new ways to exploit computer programs every day. As vendors uncover such scams, they release updated "patches" designed to fix vulnerabilities in your system. Use these. Many new operating systems will check for and download updates automatically.

If You Think You've Been Taken...
If you think you have been hoodwinked, take action as quickly as possible. Whether you've shared your credit card, ATM, eBay account, or bank account number, you'll be able to find the proper actions to take at www.antiphishing.org/consumer_recs2.htm.

If you have received fraudulent emails, but have not given away personal information, you can still help in the fight against phishing by reporting fraudulent sites to the FBI's Internet Fraud Complaint Center on its Web site. Click on the "File a Complaint" link.

For specific examples of phishing fraud, including an explanation of the tactics used, visit the UC Davis security site phishing Web page or the industry-based Anti-Phishing Working Group.