“Phishing” is a form of identity theft that used to be done over the telephone. Now, however, the crooks have gone high-tech and are using the Internet for their con games. Most commonly this consists of sending out emails purporting to be from a legitimate source such as a financial institution. Under some false pretense, such as the claim that your account needs verifying, an email will ask that you go to a Web site by clicking on a link in the email. When you go to the Web site, you are asked to “update” or “confirm” personal information such as account numbers and passwords. The Web sites may look just like a legitimate page but they are bogus sites designed to steal from your accounts. The link in the email may read like it leads to an authentic site but actually takes you to a fake page.

The first large-scale example of “phishing” was several years ago when many AOL users were tricked into divulging their passwords. Their accounts were then used for the scammer’s purposes. Since then, many other institutions have been attacked. For example, in 2003 many people received emails supposedly from eBay claiming that the user’s account was about to be suspended unless they clicked on the provided link and updated their credit card information. The scammers use mass-mailing methods and many of the recipients did not even have an eBay account. However, all it takes is 1 or 2 per cent responses for the con to result in a nice haul.

Recently, banks have been a favorite target of “phishing”. An example of a scam email that I recently received is shown below.

phishexample

Note the psychological tricks known as social engineering in the email. The very problem that we are concerned with- identity theft- is brazenly used as a way to induce you to allow identity theft. It plays on your fears. Moreover, the email looks like a real Citicorp email. Also, note that although the link in the email contains the name “Citibank”, it has nothing to do with Citibank. In fact, the link that appears in the text of the message is likely to have little relation to the actual link contained in the underlying HTML code. To see the real link in an email message, right-click on the text and choose “Properties” from the context menu. To see an example of a faked link, try this one that seems to be from a familiar company (but isn’t): http://www.microsoft.com.

Another trick that is used is to take you to a page that uses JavaScript to generate a pop-up form and then redirect you to the actual bank site. What then appears on your screen is a fake form on top of a legitimate page.

Here is another example of “phishing”:
phishexample2

ISPs, banks, etc. do not ask for passwords and the like to be entered by email. Be suspicious of any email message that asks for personal information. Don’t ever follow a link in an email that asks you to update or verify sensitive information. If you want to contact a company, go to their Web site by using a link from your records or telephone them.

If you would like to test how good you are at recognizing “phishing” messages go to this quiz site where examples of actual “phishing” are mixed with legitimate mail.

The sidebar lists a number of references on “phishing”, including what to do if you think you have been scammed. You should also report scam efforts to your bank or other account.