Frequently Asked Questions

Disclaimer: The information provided is of a general nature only and may not be complete. It should not be relied on as definitive. No warranty is given that it is free from error or omission. Ong Tay & Partners accept no responsibility for any loss or damage that any person may suffer as a consequence of visiting this site or any links listed from this site. You are strongly advised to consult a professional adviser and to check the accuracy of any information that is of importance to you with another reference source. If you need assistance, use our Contact Us Page. We have a list of our estimated legal charges as a guide to how much it would cost you to engage us.

Phishing [Updated as at Feb 15, 2005]

What is phishing, a.k.a. spoofing?
Phishing attacks involve the mass distribution of 'spoofed' e-mail messages with return addresses, links, and branding which appear to come from banks, insurance agencies, retailers or credit card companies. These fraudulent messages are designed to fool the recipients into divulging personal data such as account usernames and passwords, credit card numbers, social security numbers, etc. Because these emails look "official," up to 20% of recipients may respond to them, resulting in financial losses, identity theft, and other fraudulent activity.

How does phishing work?
Phishers use any number of different social engineering and e-mail spoofing ploys to try to trick their victims. In a recent case before the Federal Trade Commission (FTC), a 17-year-old male sent out messages purporting to be from America Online that said there had been a billing problem with recipients' AOL accounts. The perpetrator's e-mail used AOL logos and contained legitimate links. If recipients clicked on the "AOL Billing Center" link, however, they were taken to a spoofed AOL Web page that asked for personal information, including credit card numbers, personal identification numbers (PINs), social security numbers, banking numbers, and passwords. Some recent phishing scams even play on victims' fear of identity theft, asking them to log in to learn more about recent attempts to steal personal information.

Why is it called "phishing"?
Phishing is a variation on the word fishing. Criminals "phish" for personal information by setting out hooks and hoping that some recipients of their fraudulent emails will take the bait.

How prevalent are phishing attacks?
By all accounts, phishing attacks are increasingly prevalent and are accelerating in quantity and sophistication. In July 2003, the FBI called phishing the "hottest, and most troubling, new scam on the Internet." The Anti-Phishing Working Group currently estimates that 75 million to 150 million phishing emails are sent every day.
According to a May 2004 report by research analyst firm Gartner, phishing attacks by hackers against online consumers have become so widespread that an estimated 57 million Americans likely have received these fraudulent e-mails. Direct losses from identity theft fraud against these phishing attack victims cost U.S. banks and credit card issuers about $1.2 billion last year.
According to the Gartner survey, 76 percent of the known or suspected attacks occurred within the six months preceding the report, and another 16 percent occurred during the six months before then.

How can I avoid being a phishing victim?
The number and sophistication of phishing scams sent out to consumers are continuing to increase dramatically. While online banking and e-commerce are very safe, as a general rule you should be careful about giving out your personal financial information over the Internet. The recommendations below can help you avoid becoming a victim of these scams.

- Be suspicious of any email with urgent requests for personal financial information
  - unless the email is digitally signed, you can't be sure it wasn't forged or 'spoofed'
  - phishers typically include upsetting or exciting (but false) statements in their emails to get people to react immediately
  - they typically ask for information such as usernames, passwords, credit card numbers, social security numbers, etc.
  - phisher emails are typically NOT personalised, while valid messages from your bank or e-commerce company generally are
- Don't use the links in an email to get to any web page, if you suspect the message might not be authentic
  - instead, call the company on the telephone, or log onto the website directly by typing in the Web address in your browser
- Avoid filling out forms in email messages that ask for personal financial information
  - you should only communicate information such as credit card numbers or account information via a secure website or the telephone
- Always ensure that you're using a secure website when submitting credit card or other sensitive information via your Web browser
  - to make sure you're on a secure Web server, check the beginning of the Web address in your browser's address bar - it should be "https://" rather than just "http://"
- Consider installing a Web browser tool bar to help protect you from known phishing fraud websites
  - EarthLink ScamBlocker is part of a free browser toolbar that alerts you before you visit a page that's on EarthLink's list of known fraudulent phisher Web sites.
  - It's free to all Internet users - download at http://www.earthlink.net/earthlinktoolbar
- Regularly log into your online accounts
  - don't leave it for as long as a month before you check each account
- Regularly check your bank, credit and debit card statements to ensure that all transactions are legitimate
  - if anything is suspicious, contact your bank and all card issuers
- Ensure that your browser is up to date and that security patches are applied
  - in particular, people who use the Microsoft Internet Explorer browser should immediately go to the Microsoft Security home page -- http://www.microsoft.com/security/ -- to download a special patch relating to certain phishing schemes
- If you are in the USA, report "phishing" or "spoofed" e-mails to the following groups:
  - forward the email to reportphishing@antiphishing.com
  - forward the email to the Federal Trade Commission at spam@uce.gov
  - forward the email to the "abuse" email address at the company that is being spoofed (e.g. "spoof@ebay.com")
  - when forwarding spoofed messages, always include the entire original email with its original header information intact
  - notify the Internet Fraud Complaint Center of the FBI by filing a complaint on their website: www.ifccfbi.gov/
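
Several of the warning signs in the list above can also be checked automatically by a mail filter. The following Python function is an added example, not part of the original FAQ: it flags urgent wording, requests for sensitive data, generic greetings, embedded forms, non-https links and links that leave the domain the message claims to come from. The function name, the wording lists, the sample message and its domains are all constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse
# Wording lists are constructed for illustration; tune them for real mail.
TEXT_SIGNS = {
    "urgent request": re.compile(r"\b(urgent|immediately|suspended)\b", re.I),
    "asks for sensitive data": re.compile(r"\b(password|credit card|social security|PIN)\b", re.I),
    "not personalised": re.compile(r"\bdear (customer|member|user)\b", re.I),
}
class _Scan(HTMLParser):
    """Collect (href, visible text) for each link and note any <form>."""
    def __init__(self):
        super().__init__()
        self.links, self.text, self.has_form = [], [], False
        self._href, self._label = None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._label = dict(attrs).get("href") or "", []
        elif tag == "form":
            self.has_form = True
    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self._label.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._label).strip()))
            self._href = None

def phishing_indicators(html_body, expected_domain):
    """Return the warning signs from the list above found in an HTML e-mail."""
    scan = _Scan()
    scan.feed(html_body)
    text = " ".join(scan.text)
    found = [name for name, rx in TEXT_SIGNS.items() if rx.search(text)]
    if scan.has_form:
        found.append("form in e-mail")
    for href, label in scan.links:
        url = urlparse(href)
        host = (url.hostname or "").lower()
        if url.scheme != "https":
            found.append(f"non-https link: {label}")
        if host != expected_domain and not host.endswith("." + expected_domain):
            found.append(f"link leaves {expected_domain}: {label}")
    return found
# Constructed sample message; both domains are reserved example names.
SAMPLE = ('<p>Dear Customer, your account is suspended. Enter your password at '
          '<a href="http://billing.example.net/login">Billing Center</a> or see '
          '<a href="https://www.examplebank.example/help">Help</a>.</p>')
```

Calling `phishing_indicators(SAMPLE, "examplebank.example")` reports the three wording signs plus two findings for the "Billing Center" link, while the https link to the expected domain is not flagged.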

Where can I get more information?
The pages below represent valuable anti-phishing resources: