Scammers love to use current events to dupe consumers, and today's ongoing financial turmoil offers the perfect opportunity for one of the most popular forms of fraud -- phishing.
A phishing scam typically uses a phony e-mail to collect your personal or financial information under false pretenses. Its recent growth prompted the Federal Trade Commission to issue a warning in October that electronic thieves may be using Wall Street's woes for their Internet trickery.
"We've become aware of various phishing ploys preying upon consumers who may be financially vulnerable and looking for solutions," FTC spokesman Frank Dorman wrote in an e-mail.
Phishing attacks increased 16 percent from August to September and surged 103 percent from September to October, according to Web security vendor MessageLabs. Bank consolidations have provided the back stories for some of those phishing messages.
When Citigroup announced plans to buy Wachovia's banking operations, scam e-mails urged people to click on a link and update their data because of the merger, says Paul Wood, a senior analyst with MessageLabs, which is now part of Cupertino, Calif.-based Symantec. He said copycat e-mails emerged when talks of a Wachovia-Wells Fargo merger later commenced.
Wood says his company also has noticed a rise in financial spam, including those relating to mortgages, debt consolidation and credit counseling.
"They're really capitalizing on the uncertainty at this time," Wood says. "Particularly anyone who may be concerned or perhaps feeling vulnerable or anxious may be inclined to fall for these types of attacks."
Anatomy of a phishWith phishing, the e-mail sender poses as a legitimate business or institution, such as a bank, and transmits e-mails to large numbers of people, directing them to a Web site where they are asked for personal and financial information.
Even though the technique is often associated with the Internet and e-mail, phishing scams can occur over other mediums, including snail mail, the telephone and other phony Web sites as well as instant messaging and pop-up boxes on your computer. The messages will vary, but will usually entice you to respond with a reward or threat.
It may ask you to verify or update your account information or log in to resolve a problem. It also may ask you to take a survey in exchange for a small payment in return. Check out the Bankrate story "Scammers still phishing" for a few examples.
Thanks to rumors and news stories about bank consolidations, scammers have plenty of fodder for content.
"You'll see more of these phishing attacks saying, 'Hey, you might have read about the bank buyout, or the consolidation or the merger. Click here so we can reauthorize your accounts,'" says Peter Cassidy, secretary general of the Anti-Phishing Working Group, an industry association that fights Internet crime.
Red flagsPhishing e-mails aren't always easy to identify. Watch out for these red flags.
Fraudulent messages usually have an urgent tone and may threaten dire consequences -- usually account closure or suspension, or monetary loss -- if you don't click on the link. Don't be fooled. The link will redirect your browser to a fraudulent Web site where any information you provide will go straight to criminals.
Sometimes, clicking on a link will activate malicious software such as programs that log your key strokes and send them to computer crooks.
Phishing done over the phone is called vishing, for voice phishing. In this version of the scheme, fraudsters use Voice over Internet Protocol (VoIP) technology, which allows users to choose any area code when making a call. It can be used to spoof business phone numbers while masking the thief's real phone number.
In a vishing scam, consumers get phone calls that appear to be from legitimate companies. The consumer is told some alarming message and then is prompted to provide personal or financial information to resolve the issue. These calls can be live or automated.
Alternatively, an e-mail message might direct you to call a phone number.
Regardless of the method, the scammer desires your information, either to commit fraud with it or to sell it to a third party.
Avoid the phish hook
- Use caution when opening e-mail attachments. Opening an attachment could expose your computer to viruses. Think twice about opening attachments you weren't expecting or those from strangers.
- When in doubt, check with the institution. If you're concerned that the message may be legitimate, check with the business. Call a trusted number, such as one from a monthly statement or payment card. Do not call the phone number provided in the message.
- Keep your anti-virus and anti-spam software up to date. Use a firewall, too.
- Check financial statements and credit reports. Review account statements each month and pull a different credit report every four months. The Fair Credit Reporting Act entitles you to one free credit report every 12 months from TransUnion, Equifax and Experian. They can be obtained at www.annualcreditreport.com.
- Take action if you've given out information. If you have revealed sensitive information to a scammer, act fast to protect your money and identity. The APWG offers a comprehensive checklist for victims.
- Don't trust appearances. Bad grammar and a generic "dear customer" greeting are tip-offs, but other phishing e-mails may not look phony at first glance. Using specialized software, scammers can spoof the "from" address to make it look like one your bank might use. The message may include copied logos and content from the financial institution's Web site.
To personalize the message, Wood says, some scammers may use information culled from the Internet. For instance, they might grab your name from an online profile or social networking site such as MySpace
- Don't click on links that look suspicious. Even if you have anti-virus software on your computer, it may not protect you from malicious programs if you open a hyperlink in an e-mail. "Certainly it plays a valuable part, but it's not going to be able to protect you against the very latest threat," MessageLabs' Wood says.
Use bookmarked log-in pages or type the Web address into your browser. If you click through an e-mail or copy and paste the link, you risk surrendering your username and password to a thief.
Links in instant messages can contain viruses, so use caution if a stranger sends you a link. If a friend sends you a strange link, reply and ask why it was sent.
- Don't reply to the e-mail. All that does is confirm your e-mail address works.
- Don't divulge data to unknown callers. Con artists can spoof caller ID using VoIP. Even if the caller appears to know some of your information, it could mean that scammers accessed some of it but still need a few more pieces to complete their fraud or theft.
When in doubt, hang up. Call the business using a verified number from a payment card or monthly statement, and not the number on the Caller ID or the one provided by the caller. You can feel safe about supplying sensitive information when you're the one initiating the call.