Q&A: Phishing Victim Falls Hook, Line and Sinker

By Ronald Pacchiano | Posted September 16, 2005

I recently became the victim of identity theft. One evening, I received an e-mail from eBay (or so I thought) stating that my account would be suspended, possibly permanently terminated, if I didn't update my account information within 24 hours. Using the link included in the e-mail, I proceeded to the site and updated my personal information. That was the last I had thought of it until the other day when I was discussing it with my girlfriend. She uses eBay as well and has never received anything like this. This got us thinking that it might be a scam. After a bit of research, we discovered that it was.

Now I'm not sure exactly what to do. I reported it to eBay and canceled the credit card I used on the site, but that's about it. What really troubles me, though, is that the e-mail had looked very official. So much so, that I didn't even bother to second guess it. This brings me to my question: Since these scammer messages look so legit, how am I supposed to tell the difference between a valid request for information from a vendor, and a fraudulent one?

Identity theft is one of the biggest problems facing computer users. Malicious users gain access to your personal information and then use that information to impersonate you while shopping for goods and services, leaving you with the bill and a diminished credit rating. One of the most common techniques used to collect this information is called phishing. As in fishing, a phisher attempts to hook its prey, either through e-mail or over the phone, by pretending to be from a legitimate institution like a bank or online service. You're then asked to provide updated personal and/or financial information.

Typically, they'll ask for things like credit card numbers, personal identification numbers (PINs), social security numbers, bank accounts and passwords. The reason why so many people fall for these ploys is simple: They appear to be legitimate. Through e-mail, phishers direct users to a phony Web site that looks just like the company's actual Web site. Following the instructions, you enter your personal information on the Web site — and into the hands of identity thieves. Phishers use numerous ploys to lure you. According to AOL, currently the top 5 phishing scams are the following:

  • eBay Scam
  • PayPal Scam
  • You've Got Pictures Scam
  • AOL Billing Scam
  • SunTrust Bank Scam

To answer your question, though, it's not always easy to tell the difference between a fake site and legitimate requests for information. Fortunately, though, there are usually clues to help you identify fakes. Let's review a bogus e-mail (below) to highlight the tell-tale signs:

  1. Even though it appears to be a legitimate e-mail, this message doesn't actually contain any text. The whole e-mail is an image.
  2. The entire picture is a hyperlink to the phony site. eBay doesn't send e-mails this way.
  3. When you click on the link, it takes you to a site that isn't secure (i.e., it uses http instead of https). It was also not an eBay address, just an IP address (http://218.4.140.130).
  4. Once you've logged into the site, you're directed to another insecure eBay page asking for your credit card and 4-digit ATM PIN. No one, except a scammer, would ask for a card's 4-digit ATM PIN.
  5. Also, the e-mail stated that there was a problem with your account and that it may be suspended if you don't act right away. For the record, every important message and alert regarding your account is displayed when you sign onto eBay. To verify this, all you would've needed to do was to actually log in to your account. DO NOT use links contained in an e-mail for this.

Even if the request for information looks professional and seems to link to the correct Web site, keep a healthy dose of skepticism and remember that your vendors have your credit card and other personal information and will never request it from you directly — particularly via e-mail.
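
Several of the signs in the list above (a body with no text, the whole image acting as a link, http instead of https, a bare IP address as the host) can be checked mechanically against an HTML message body. The following Python is an added example, not part of the original article; the function names and the two sample messages are constructed for illustration.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

class LinkScan(HTMLParser):
    """Collects link targets, visible text and images wrapped in a link."""
    def __init__(self):
        super().__init__()
        self.hrefs, self.text, self.linked_images = [], [], 0
        self._in_link = False

    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if tag == "a" and href:
            self.hrefs.append(href)
            self._in_link = True
        elif tag == "img" and self._in_link:
            self.linked_images += 1

    def handle_endtag(self, tag):
        self._in_link = self._in_link and tag != "a"

    def handle_data(self, data):
        self.text.append(data.strip())

def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def phishing_signs(html_body):
    """Return which tell-tale signs from the list above an HTML body shows."""
    scan = LinkScan()
    scan.feed(html_body)
    scan.close()  # flush any text still buffered by the parser
    signs = set()
    if scan.linked_images and not "".join(scan.text):
        signs.add("no text: body is an image wrapped in a link")
    for href in scan.hrefs:
        url = urlsplit(href.strip())
        if url.scheme == "http":
            signs.add("link uses http, not https")
        if url.hostname and is_ip_literal(url.hostname):
            signs.add("link host is a bare IP address")
    return sorted(signs)
# Constructed samples; 192.0.2.10 is a documentation-only address.
FAKE = '<a href="http://192.0.2.10/update"><img src="notice.gif"></a>'
REAL = '<p>Sign in at <a href="https://www.ebay.com/">eBay</a> to check alerts.</p>'
```

A message that returns an empty list is not thereby proven genuine; the checks only catch the specific clues described above.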

Since it appears that you have, in fact, been the victim of identity theft, here are the steps you should take to try and get this issue resolved according to the Federal Trade Commission (FTC).

  1. Contact the fraud departments of any one of the three major credit bureaus to place a fraud alert on your credit file. The fraud alert requests creditors to contact you before opening any new accounts or making any changes to your existing accounts. As soon as the credit bureau confirms your fraud alert, the other two credit bureaus will be automatically notified to place fraud alerts. Once the alert is placed, you may order a free copy of your credit report from all three major credit bureaus.
  2. Close the accounts that you know or believe have been tampered with or opened fraudulently. Use the ID Theft Affidavit located at the FTC Web site when disputing new unauthorized accounts.
  3. File a police report. Get a copy of the report to submit to your creditors and others that may require proof of the crime.
  4. File your complaint with the FTC here. The FTC maintains a database of identity theft cases used by law enforcement agencies for investigations. Filing a complaint also helps us learn more about identity theft and the problems victims are having so that we can better assist you.

In the future, you can minimize your chances of becoming a phishing victim again by following these basic guidelines:

Don't click on the link in an email that asks for your personal information.
Legitimate companies don't work this way. To check whether the message is really from the company or agency, call it directly or go to its Web site. If you don't have the telephone number, get it from the phone book, the Internet or directory assistance. Use a search engine to find the official Web site.

Always look for "https" and a padlock on a site that requests personal information
Information entered on an Internet Web Site can be intercepted by a third party. Web sites that are secure protect against this activity. Look for a locked padlock on the Internet browser's status bar or the "https://" at the start of the URL in the address bar. Although there is no guarantee of the site's legitimacy, the absence of these indicates that the Web site is definitely not secure.

Be aware of what you're downloading
Be cautious about opening any attachment or downloading any files from e-mails you receive regardless of who sent them. These files can contain viruses or other software that can weaken your computer's security.

Pay attention to your statements
Review credit card and bank account statements as soon as you receive them to check for unauthorized charges. If your statement is late by more than a couple of days, call your credit card company or bank to confirm your billing address and account balances.

Phishing can also happen by phone
You may get a call from someone pretending to be from a company or government agency, making the same kinds of false claims and asking for your personal information. If someone contacts you and says you've been a victim of fraud, verify the person's identity before you provide any personal information. Be suspicious of anyone who contacts you unexpectedly and asks for your personal information.

People looking for employment should also be careful
Pretending to be potential employers, phishers ask for your social security number and other personal information. There is no need to give anyone your social security number without actually having been offered the job. Regardless, verify the person's identity before providing any personal information. For more information or assistance with any of the above mentioned procedures, try calling the FTC help line at 1-877-FTC-HELP.

Best of Luck.

Article originally appeared on PracticallyNetworked.com

