Learn how to recognize attempts to steal your information
Phishing, vishing, smishing and pharming are all methods used by criminals to fraudulently obtain personal information such as a social security number, bank account information, or credit card information. Each method has its own distinguishing characteristics, but they all have the same goal: stealing your money.
Phishing is most commonly attempted through e-mail. A typical phishing message will appear to be from a well-recognized company that might have a need to know your personal information (i.e., a credit card or package delivery company). It generally contains a link to a web site that will either prompt you for your logon information for your account with that company (assuming you have one) or install malicious software on your computer without your knowledge. You may also be asked for financial information under the guise that a security compromise has occurred and the company wants to verify your records. Regardless of who the message appears to be from, you will notice a request for information or action on your part. Phishers will send the same message to hundreds or thousands of recipients knowing that many of them will blindly click any link and provide any requested information without a second thought.
Always use the following guidelines with your e-mail to avoid falling victim to a phishing attack.
- Look at the sender and the subject of the message. If either looks suspicious, delete it.
- Be cautious with links contained in any message, especially those from unknown senders. Hover the mouse over the link to check the URL. A link claiming to take you to ABC.com’s sign-in page should probably contain ABC.com somewhere in the URL. If it does not, beware.
- Do not reply to messages requesting personal, sensitive information.
- Watch for spelling and grammatical errors. These are very common in phishing e-mail.
- Be extremely cautious with attachments, regardless of the sender. Files that have extensions of .exe, .bat, .com, .vbs, .reg, .msi, .pif, .pl, .php and .zip can all install harmful files or software on your computer if you open them.
- Do not be intimidated or scared into giving up information. Some phishing attempts will try to convince you that you are at risk financially if you do not confirm your account information. The reality is that by providing that information, you are putting yourself at risk.
Vishing is the telephone version of phishing. Instead of e-mail messages with suspicious links or attachments, criminals attempt to fool you into giving them the same information in a phone call. Vishing uses social engineering techniques to trick you into providing information that can be used to access and use your financial accounts. For example, the fraudster may claim to be an employee of your bank who wants to warn you of some suspect charges on your credit card. In order to cancel those transactions, he needs you to verify your social security number and account number. This is information your bank should already have, so there is no need for you to provide it again. If you receive a call like this and feel uneasy about what you are being asked for, hang up and call the company back at a number known to be legitimate.
Sometimes criminals will become belligerent or threatening in an attempt to intimidate you into giving them the information they want. Do not be pressured into making this mistake.
To avoid becoming a vishing victim,
- If you receive an email or phone call asking you to call back and you suspect it might be a fraudulent request, look up the organization’s customer service number and call that number rather than the number provided in the solicitation email or phone call.
- Forward the solicitation email to the customer service or security email address of the organization, asking whether the email is legitimate.
Smishing is a form of phishing that uses cell phone text messages instead of e-mail messages. The text message will contain a URL or phone number and will prompt you to take immediate action. If you click the URL, you face all the same risks associated with links in a phishing e-mail. If you call a number in the text, you may get an automated voice response system that will prompt you for sensitive information. Always delete smishing text messages and never reply to them.
Pharming is a tactic used by criminals to redirect a legitimate web site to a fraudulent site. Unlike phishing and its variations, pharming does not try to trick you into clicking a URL or talk you into providing sensitive information. Instead, it uses malicious code to redirect you to the criminal’s site without your consent or knowledge, making it more difficult to detect. To help avoid pharming, follow the guidelines in Protect Your Computer. Also, be careful when entering financial information on a web site. Look for the key or lock symbol at the bottom of the browser. If the Web site looks different than when you last visited, be suspicious and don’t click unless you are absolutely certain the site is safe.