What is phishing?
Phishing uses legitimate-looking email or fraudulent websites to encourage you to give up your personal data or information, such as social security number, credit card numbers, passwords, etc. It is an attempt to acquire sensitive information about you and could lead to identity theft.
It is important to keep in mind that reputable organizations do not normally contact their customers asking for personal information.
Typically, the phisher sends an email message to a large group of individuals whose addresses he has captured from address books and websites across the internet. The message, usually well-crafted and official-looking, may claim to be from a financial institution, a service provider, or any other organization known by the recipient. It may offer a benefit, such as "click here for more free hard drive space" or offer other enticements. Many messages include threats like, "failure to comply will result in canceling your account," or "if you don't confirm your information, your email won't work." The email message asks the recipient to confirm or provide some personal information. Often, the recipient is asked to provide the information by clicking a website link in the email. But while the link to the website may look legitimate, the link that is displayed is not necessarily the actual site you visit when you click on it.
The link that appears to be to your bank's homepage (e.g., www.mybank.com) can actually point to a different site (e.g., www.nastyIDthieves.xyz) that is designed to look exactly like the official "mybank" website with spaces for you to enter whatever pieces of personal information they are hoping you'll provide, such as your password, credit card number, PIN, social security number, or date of birth. When you click the "submit" button, all the personal information that you entered is now sent to individuals who can use that information to make purchases, open new credit accounts, or take out loans - all in your name.
What you can do about phishing
- If you ever receive an email or phone call from any organization asking you to provide them with personal information, such as your social security number, password, or account numbers, do not respond.
- If you ever receive an email that appears to be from a friend but seems out of context, contact that person and ask if they meant to send that email.
- Before you click on any links, hover your cursor over the link first to see where the link really goes. Always practice the skeptical hover technique to tell where a web link really goes. When you put your cursor over a link without clicking, your web browser will display (usually on the bottom of the screen) the actual address that it will go to.
- Type addresses directly into your browser.
- Check the site's security certificate before you enter personal or financial information into a website.
- Don't enter personal or financial information into pop-up windows.
- Keep your computer software current with the latest security updates.
Email links and attachments
Always be a bit suspicious of the email messages that you receive, especially those that include attachments or links. The sender's name can be forged, so it's not good enough to just know who the sender is. Call the sender of the email if you are unsure. Ask yourself if the content of the email message is written the way you expect the sender to write. And even if the source looks legitimate, avoid clicking any attachment or link contained within the email message unless you know what it is and why you received it.
View our phishing handout: Phishing - Don't Take the Bait!