All of us know how annoying spam can be. Unfortunately, as internet consumers wise up to deceptive marketing practices, spammers often resort to more underhanded—and more sophisticated—means to trick computer users into handing over their personal and financial information. One dangerous tactic spammers increasingly employ is called “phishing.” Derived from the terms “password harvesting” and “fishing,” phishing emails impersonate legitimate websites and businesses in an attempt to extract valuable information—such as passwords, credit card information and social security numbers—from their targets.

What is phishing?

Typically, phishing emails are designed to look like they came from a prominent financial institution—such as Citibank or Chase—or another popular e-commerce company—such as eBay or PayPal. In addition to using the fonts and layouts typical of those companies’ websites, “phishers” often possess the technology to forge the identity of the email’s sender. This process is called “spoofing,” and it results in a great deal of confusion about the actual source of much of the spam that travels around the web. While governments, internet service providers and other software companies are working hard to eliminate the “spoofing” of senders and email addresses, it is currently all too easy to deceive recipients about the actual source of an email message.

Phishing messages—sent in the guise of another company—often ask for personal or financial information from their recipients. These requests are frequently accompanied by dire warnings that if the requested information is not immediately provided, the user’s account will be suspended, or the user will be charged exorbitant fees. Thus, users are scared into providing valuable information to the phishers—who can then use that information for any number of illegitimate ends.


How to avoid phishing attacks

Here are a few helpful hints to remember to avoid falling prey to phishing scams:

Never give out personal or financial information in response to unsolicited emails. Unless you initiated the communication, you should never give out information about yourself in response to any email you receive—even if it looks like it came from a reputable source. Instead, you should telephone the institution yourself—using contact information from your files, the phone book or the company’s official web site. The same goes for unsolicited phone calls, faxes, instant messages or pop-up messages.

Look for phishing clues. While phishing emails are designed to look like they come from a reputable company, there are often telltale signs that the emails are false. Often, key words are slightly misspelled, either to closely simulate the name of an actual company, to avoid detection by spam filters, or, as is often the case, because the phishing email comes from a foreign country. Also, be wary of web addresses that contain the “@” symbol in the URL. In such an address, everything before the “@” is treated as a user name rather than as the name of the site, so an address such as http://www.ebay.com@phisher.com will connect to the latter web address (phisher.com, in this example) instead of the first one listed.

Check your credit card and bank account statements regularly. Identity theft is a dangerous and growing threat to New York consumers. Most companies will refund customers for fraudulent transactions, but there is often a time limit to report the fraud. Always check all statements that are mailed to you—even if you do not expect any charges or transactions to be reported. Also, most financial institutions allow you to monitor your account status online, giving you more control and faster access to your financial information. If you do not receive an expected statement, contact your bank or credit card company to make sure no one has secretly changed your account information.

Don’t carry too many credit cards. If you do, you’re more likely to lose track of your accounts, making you more vulnerable to phishing and identity theft. Cancel credit cards you rarely use. Also, make sure that all your credit cards have your correct address and contact information.

Install anti-virus and firewall software. Some phishing emails may try to trick you into opening files contaminated with a computer virus, or some other sort of dangerous malware program. Many operating systems and internet service providers offer anti-virus and firewall software for free—just make sure those programs are kept current with the latest updates. Alternatively, many websites offer similar programs for free. A few options are listed below:

For free anti-virus software, visit: http://www.grisoft.com

For free firewall software, visit: http://www.zonalarm.com


Report phishing attacks. If you receive what you believe is a phishing email, forward it to the Anti-Phishing Working Group at reportphishing@apwg.org. If you receive what you believe is a phishing text message, forward it to SPAM (7726).
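
The “@” check described under “Look for phishing clues” above can be automated. The following Python sketch is an added example, not part of the original advisory; the sample message and the function name find_userinfo_urls are constructed for illustration. It pulls links out of a message and reports, for each link that carries an “@” in its address part, the name shown to the reader and the host the link really connects to.

```python
import re
from urllib.parse import urlsplit

# Constructed sample message body (not a real email).
SAMPLE_EMAIL = """\
Dear customer, your account will be suspended unless you verify it:
http://www.ebay.com@phisher.com/signin
Our help pages are at http://www.ebay.com/help and
https://www.paypal.com:login@phisher.com:8080/verify?id=1
Seller profile: http://www.ebay.com/user/@seller
"""

# Loose matcher for http/https links in plain text.
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def find_userinfo_urls(text):
    """Return (url, shown_name, real_host) for each link with '@' in its authority."""
    findings = []
    for match in URL_RE.finditer(text):
        # Drop punctuation that belongs to the sentence, not the link.
        url = match.group(0).rstrip(".,;:!?)")
        parts = urlsplit(url)
        # Only an '@' before the first '/' changes the destination;
        # an '@' in the path or query string is harmless.
        if "@" not in parts.netloc:
            continue
        shown_name = parts.username or ""  # text before '@' (and before any ':')
        real_host = parts.hostname or ""   # host the connection actually goes to
        findings.append((url, shown_name, real_host))
    return findings


if __name__ == "__main__":
    for url, shown, real in find_userinfo_urls(SAMPLE_EMAIL):
        print(f"SUSPICIOUS: {url}")
        print(f"  looks like: {shown}")
        print(f"  connects to: {real}")
```

Only the first and third links in the sample are reported; the ordinary help link and the link with “@” in its path are left alone.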