October 31, 2004 [Number 231]
Avoid Being a Victim of a Phishing Scam

Internet scammers hunting for people's financial and personal information have a new way to lure unsuspecting victims: they go "phishing." Individuals who "bite" are exposed to some type of theft such as identity theft.

What Is Phishing?

Phishing is a high-tech scam that uses spam and fiendishly clever e-mails to deceive consumers into disclosing their credit card numbers, bank account information, Social Security numbers, passwords, and other sensitive information.

Phishing attacks involve the mass distribution of spoofed e-mail messages with return addresses, links, and branding that appear to come from legitimate businesses the potential victims deal with—for example, banks, insurance agencies, retailers, credit card companies, or Internet service providers (ISPs). The scammers tell recipients that they need to "update" or "validate" their billing information to keep their accounts active, and then direct them to a web site that looks like that of the legitimate business, further tricking consumers into thinking they are responding to a bona fide request. The unsuspecting consumers submit their financial authentication information to what they believe to be their legitimate business contact, but in fact it goes to the scammers, who use it to order goods and services and to obtain credit, leading to identity theft.

How to Avoid Becoming a Phishing Victim

Be aware that many scam artists are making forgeries of company sites that look like the real thing. They may take every precaution to make consumers believe their site is secure and, therefore, legitimate. Following are some tips on avoiding the trap.

Don't trust e-mail headers.
Avoid filling out forms in e-mail messages.
Verify the legitimacy of a web address with the company directly before submitting
Protect yourself through education and thorough evaluation.
Verify the legitimacy of the company first before acting.
Be alert to phishing messages.
If you do go to a link offered in an unsolicited e-mail, check to see if there are two things at the site: an https with an "s" after the http in the address
These indicate the link is secure and encrypts data. An on-line form that asks a consumer to submit sensitive personal information should always be encrypted. Although this is not an indication that the site is legitimate, scam artists are less likely to have encrypted forms.

What If You Have Taken the Bait?

If you have been phished—that is, given your SSN to a web site—immediately place fraud alerts on the three major credit reports (Equifax, Experian, and Trans Union). If you provided your bank account or credit card number, call the institutions, report the fraud, cancel the account(s), and open a new account.

More Information

If you would like more information on computer security, check out the security web site, or contact the NIH Help Desk at 301-496-4357.
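The tips above can also be applied mechanically to a suspicious HTML message. The following Python code is an added example, not part of the original article; the function and flag names and the constructed sample message (reserved example domains and addresses) are assumptions for illustration.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (reserved example names and addresses only).
SAMPLE = """\
From: "Example Bank" <service@example-bank.test>
Reply-To: billing@mail.example.net
Content-Type: text/html

<p>Please <a href="http://198.51.100.7/login">update</a> your billing information.</p>
<form action="http://198.51.100.7/submit"><input name="ssn"></form>
"""

class BodyScan(HTMLParser):
    """Collect link and form targets; note whether the body embeds a form."""
    def __init__(self):
        super().__init__()
        self.has_form, self.targets = False, []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self.has_form = True
            self.targets.append(attrs.get("action") or "")
        elif tag == "a" and attrs.get("href"):
            self.targets.append(attrs["href"])

def domain_of(header_value):  # domain of a From/Reply-To address, '' if absent
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def phishing_flags(raw_message, expected_domain):
    """Return sorted warning flags for one HTML e-mail message."""
    msg, flags = message_from_string(raw_message), set()
    # Headers are sender-controlled: a matching From proves nothing by itself.
    if domain_of(msg["From"]) != expected_domain:
        flags.add("from-domain-mismatch")
    if domain_of(msg["Reply-To"]) not in ("", domain_of(msg["From"])):
        flags.add("reply-to-differs-from-sender")
    scan = BodyScan()
    scan.feed(msg.get_payload())
    if scan.has_form:
        flags.add("form-in-email")
    for url in map(urlparse, scan.targets):
        host = (url.hostname or "").lower()
        if url.scheme != "https":  # https alone does not prove legitimacy
            flags.add("unencrypted-target")
        if host != expected_domain and not host.endswith("." + expected_domain):
            flags.add("off-domain-target")
    return sorted(flags)
```

The sample's From address matches the expected domain and raises no header flag, which is why the headers cannot be trusted on their own; the flags come from the Reply-To address, the embedded form, and the link targets.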
Published by Center for Information Technology, National Institutes of Health