Phishing FAQs...common electronic scam tactics
The term phishing (FISH-ing) refers to a scam in which thieves try to steal victims’ personal financial information. Most often the scammer sends an e-mail to thousands of people asking for information such as Social Security numbers, credit card numbers, bank account numbers, and personal identification numbers (PINs). Although it seems obvious, the trick to phishing is creating a counterfeit copy of the Web site of a trusted financial or other company, to which the unsuspecting consumers are directed. The subjects of these e-mails are often “Account Information Update Required” or other phrasing that suggests that the account with the “spoofed” company has been compromised or will be canceled. The counterfeit Web sites record the data entered by the victim, and scammers can then use this information to commit fraud and steal the victim’s identity by charging purchases and opening new accounts.
The term phishing (FISH-ing) was coined because thieves are fishing for your personal financial information. They send out thousands of lures and hook only a few victims. The “ph” comes from a common hacking term. The first type of hacking was called “phreaking.” In the mid-1990s, America Online accounts were some of the first hacked accounts and were called “phish.” These phish were treated as a form of currency where scammers could trade phish for hacking software.
Spoofing is something pretending to be something it is not, on the Internet, usually an e-mail or Web site. Typically, it is a technique used to gain unauthorized access to computers, whereby the intruder hijacks a target’s root Internet address (known as an Internet Provider or IP address) to make it appear fraudulent e-mails are from a trusted source. To engage in IP spoofing, a hacker must first use a variety of techniques to find an IP address of a trusted host and then modify its identifying information on the Internet. Once criminals have your customer’s password, they can use your bank’s online banking site to withdraw or transfer funds. Spoofers can be anyone. They can be ordinary criminals out to steal money, competitors trying to cripple your business, disgruntled employees or irate customers. Attacks can be personally motivated or simply random. Spoofing of a bank Web site is nothing more than just another attempt to rob that bank.
Because most people have grown increasingly aware of this scam, most phishing e-mails are deleted. However, the sheer quantity of attacks has increased, thus reaching more victims - and the technology the criminals employ has become more sophisticated. Overall, the number of successful attacks is small in comparison to the number of e-mails that are sent out each day as lures. Yet, it’s still important to note that roughly 3 percent to 5 percent of people who receive phishing scams take the bait.
If the e-mail you receive is unsolicited and from a company with which you do no business, you know it is a scam. If you receive an unsolicited e-mail from a company you do hold an account with, you know it’s a scam if it asks for personal information the company should already have on file about you: These companies will NEVER ask for personal data by e-mail. If you’re still not sure about the legitimacy of an e-mail, call the company at a phone number you know to be accurate.
Act immediately. Contact your bank and the companies you deal with and make them aware of the problem as well. Check your bank and credit card statements and contact all credit reporting agencies, such as Experian, Equifax and TransUnion if appropriate. Change all of your online user names and passwords associated with personal accounts.
How do phishers get your e-mail address?
Phishing e-mails are essentially dangerous spam. Spammers utilize a variety of techniques to gather e-mail addresses — Web sites, newsgroups, guesswork and list trading. These are the same methods used by phishers. Phishers do not gather e-mail addresses from bank records; unfortunately, one common misconception by consumers is that their bank actually provided the criminals with their names and e-mail addresses. This is simply not the case.
How do I report a phishing attack?
Many companies that have been spoofed have an e-mail address to which you can send e-mails you receive, for example, abuse@mybank.com or Phishing@mybank.com. The Internet Crime Complaint Center and the Anti-Phishing Working Group also register phishing scams and are a good resource for more information on what to do if you’re a victim of phishing.
At Chemical Bank the e-mail address for reporting incidents is fraudalert@chemicalbankmi.com.
Pharming is a scam that often relies on infected, hacked, or otherwise compromised computers. Once a computer has been compromised, customers attempting to navigate to a legitimate bank’s Web site will be re-directed to a spoofed Web site. This can be accomplished in a number of ways. A virus or malware on a PC can re-route a customer to a spoofed Web site even when the customer has directly entered the address on their browser. Domain Name System (“DNS”) cache poisoning (altering DNS re-routing) by phishers causes customers to be re-directed by the Domain Name System. DNS addresses are text, such as www.google.com, but these are translated into numeric IP addresses. Pharmers attack the translation process and redirect your computer to the scamming IP address and Web site. The sites will likely look similar and the information you enter will be sent to the scammer, not to your trusted company.
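One place the local re-routing described above commonly shows up is the computer's hosts file, which is normally consulted before DNS, so an entry there overrides the real address even when the customer types it correctly. The following Python check is an added example, not part of the original FAQ; the watched hostnames (built on the page's mybank.com placeholder) and the sample file contents are constructed assumptions.

```python
import ipaddress

# Hypothetical watch list; replace with the institution's real hostnames.
WATCHED = {"www.mybank.com", "online.mybank.com"}

# Constructed sample hosts file (documentation-range IP addresses).
SAMPLE_HOSTS = """\
# constructed sample
127.0.0.1     localhost
::1           localhost ip6-localhost
203.0.113.45  www.mybank.com   # trailing comment
198.51.100.7  intranet.example  ONLINE.MyBank.com.
not-an-ip     www.mybank.com
"""


def parse_hosts(text):
    """Yield (line_no, ip, hostname) for every mapping in hosts-file text."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # drop comments
        fields = line.split()
        if len(fields) < 2:
            continue                          # blank or incomplete line
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                          # malformed address: not a mapping
        for name in fields[1:]:               # one line may map several names
            # Hostnames are case-insensitive; a trailing dot is equivalent.
            yield line_no, ip, name.lower().rstrip(".")


def find_overrides(text, watched=WATCHED):
    """Return (line_no, hostname, ip) for entries that pin a watched name.

    A banking hostname should be resolved through DNS, so any hosts-file
    entry for it is worth investigating, whatever address it points to.
    """
    watched = {w.lower() for w in watched}
    return [(n, name, str(ip))
            for n, ip, name in parse_hosts(text) if name in watched]


if __name__ == "__main__":
    for line_no, name, ip in find_overrides(SAMPLE_HOSTS):
        print(f"line {line_no}: {name} is pinned to {ip}")
```

This check covers only the local hosts file; it does not detect DNS cache poisoning on a resolver.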
Malware (malicious software) is software that is surreptitiously installed on a private computer’s hard drive that is designed to harm or take unauthorized control over a computer system or to steal the data it contains. Malware is often distributed as an attachment to spam and phishing e-mails. When a customer reads the e-mail, they unknowingly install the malware on their computer. Numerous terms are used for different types of malware, usually based upon how they spread and what they are intended to do. Computer viruses, Trojans, and worms can all be used to install malware on a vulnerable computer. Monikers such as spyware, adware, key loggers, and back doors refer to the goal of the malware. Some malware attacks attempt to capture the actual keystrokes entered by an individual on their computer’s keyboard. Your institution may employ sophisticated protections against malware — such as powerful anti-virus programs and firewalls — but often customers’ personal computers are not as highly guarded. Once again, the primary purpose of malware is to steal private information that can be exploited in some way.
What is being done to stop phishing?
Banks combat phishing schemes by educating their customers, installing fraud detection software and working with industry coalitions. These coalitions, along with law enforcement agencies at local, state, federal and international levels, are working together to find phishers, shut down their Web sites and prosecute them to the full extent of the law. Since these anonymous scammers are so elusive — and often based outside of the United States — consumer education is extremely important. That is why most banks have posted anti-phishing tips on their Web sites and have mailed fraud and identity theft prevention information to their customers. The more people know about phishing and other identity theft scams, the fewer victims will be affected by these schemes.
Is online banking still safe despite phishing and pharming?
Online banking is a safe and effective way to manage your money; however, just as you would not share your financial information with a stranger who knocked at your front door, so should you be guarded when online. Treat unsolicited e-mails asking for information with extreme caution and do not click on links within e-mails. Go to the Web addresses you know to be accurate and confirm that the sites you are viewing are secure — shown by a padlock in the bottom right corner or “https” at the beginning of the Web address. Also, make sure your computer’s security software is current and that you have downloaded the most recent updates.