THE BAIT HAS BEEN CAST. WILL YOUR IDENTITY BE PHISHED OUT?
INTRODUCTION
You open your computer's mailbox only to find an urgent email from your bank
stating that it believes your account may have been tampered with. To ensure
that the problem is remedied quickly, the bank requests that you verify your
login and password, and it provides a link to its site for immediate access.
You think to yourself, "Wow. This MUST be urgent." You respond at once,
grateful for the update and relieved that the problem is being remedied.
Unbeknownst to you:
- there was no problem with your bank account,
- the site to which you were redirected merely LOOKED like your bank's
  sign-in page, and
- the sender of the email was actually someone trying to steal your identity.
YOU HAVE JUST BEEN PHISHED.
I. What is Phishing?
What once described a common pastime with a pole and line now refers to a new
trend in identity theft. Phishing is the act of sending you an e-mail that
falsely claims to come from an established, legitimate enterprise with which
you associate, in an attempt to scam you into divulging sensitive information.
Once you have provided your credit card, social security, and bank account
numbers, along with any corresponding logins and passwords, the "phisher" then
reels in that information to steal your identity, clear your accounts, or even
commit crimes in your name.
In essence, phishing is a twofold fraudulent attack. Phase I (creating the
bait) is the "stealing" of the business's identity for impersonation purposes,
and Phase II is the actual acquisition of the personal information "phished"
from the recipient of the email.
In 2003, many eBay users fell victim to one such phishing scam. Phishers sent
out an email posing as eBay and warned users that their accounts were going to
be suspended unless immediate action was taken. The email recipients were
instructed to click on the link provided (which took the user to a
"look-alike" eBay site) and enter their credit card information so that the
eBay account could be reactivated. The phishers figured if they cast a wide
enough net (sending the email to millions of email addresses), a decent
percentage of recipients would have eBay accounts and respond to the
fraudulent notice. Unfortunately, they were right, and many unsuspecting
people had their identities and accounts hooked.
II. Preventative measures you can take to ensure you don't get hooked!
Although phishers are growing increasingly clever, there are still many ways
to protect yourself from becoming a victim of this form of identity theft.
Do not respond to email asking for your personal information, such as bank or
credit account numbers, logins, or passwords.
The majority of reputable companies will not ask for this type of information
via email. However, if you are still worried that your account may have been
tampered with, call the organization and speak to someone directly. Remember,
even if the link looks legitimate and takes you to an "official" looking site
that you frequently access, the linked site can still be a fake. Typing the
original address into your web browser's address bar, rather than following
the link contained in the body of the phisher's email, will ensure that you
get to the correct webpage, and not a phisher's look-alike.
Other simple actions, such as using a firewall, installing antivirus software,
staying on top of software updates, and checking your credit and banking
statements regularly for unauthorized transactions, can also minimize the risk
of becoming a victim of these phishing scams.
III. The Phished Catching the Phishers.
In addition to preventative measures, it is also important to report
potentially fraudulent email to both the company specifically targeted by the
phisher (most companies have addresses for this purpose specifically) and also
to the following:
Phishers have not gone unpunished. Last year, an Ohio "phisher-woman" was
sentenced to 46 months in prison for a phishing scam targeting AOL and its
users. That same year, another phisher pleaded guilty to federal wire fraud
after using fake email to obtain PayPal passwords and stealing thousands of
dollars from a victim's account.
In February 2005, Senator Patrick Leahy (D-VT) proposed the Anti-Phishing Act
of 2005, a bill that, if passed, would aid law enforcement efforts by
criminalizing the acts of (1) sending a phishing email and (2) creating a
fraudulent "phishing" website, regardless of whether any recipients of the
email suffered any actual damages.
IV. CONCLUSION
Although recent legislative proposals and technological advances seek to
minimize the damage caused by phishing scams, your best defense against fraud
is good ol' fashioned consumer awareness. Knowing what to look out for and
using common sense is the best way to ensure that your identity is not
"hooked" by phishers.
For more information, visit www.nfpa.org or www.aaa.com.