What is a phishing scam?

Just when you thought it was safe to go back into your Inbox, there's a new form of spam e-mail. This spam is more than just unwanted and annoying. It could lead to the theft of your credit card numbers, passwords, account information, or other personal data. Read on to find out more about this new identity theft scam and to learn how to help protect your privacy.

What is phishing?

Phishing is a type of deception designed to steal your identity. In phishing scams, scam artists try to get you to disclose valuable personal data—like credit card numbers, passwords, account data, or other information—by convincing you to provide it under false pretenses. Phishing schemes can be carried out in person or over the phone, and are delivered online through spam e-mail or pop-up windows.
Note: You may also hear about a scam called "spear phishing." Spear phishing describes any highly targeted e-mail attack that a scammer will send only to people within a small group, such as a company, government agency, organization, or group. The e-mail message might appear to be genuine, but if you respond to it, you might put yourself and your employer at risk.

How does phishing work?

A phishing scam sent by e-mail may start with con artists who send millions of e-mail messages that appear to come from popular Web sites or sites that you trust, like your bank or credit card company. The e-mail messages, pop-up windows, and the Web sites they link to appear official enough that they deceive many people into believing that they are legitimate. Unsuspecting people too often respond to these requests for their credit card numbers, passwords, account information, or other personal data.

What does a phishing scam look like?

As scam artists become more sophisticated, so do their phishing e-mail messages and pop-up windows. They often include official-looking logos from real organizations and other identifying information taken directly from legitimate Web sites.
The following is an example of what a phishing scam e-mail message might look like.

Example of a phishing e-mail message, including a deceptive URL address linking to a scam Web site

To make these phishing e-mail messages look even more legitimate, the scam artists may place a link in them that appears to go to the legitimate Web site (1), but it actually takes you to a phony scam site (2) or possibly a pop-up window that looks exactly like the official site. These copycat sites are also called "spoofed" Web sites. Once you're at one of these spoofed sites, you might unwittingly send personal information to the con artists. They then often use your information to purchase goods, apply for a new credit card, or otherwise steal your identity.

Just as in the physical world, con artists will continue to develop new and more sophisticated ways to trick you online. The following are just a few phrases to watch for if you think an e-mail message is a phishing scam. Don't forget to trust your instincts. If an e-mail message looks suspicious, that probably means that it is.

• "Verify your account." Businesses should not ask you to send passwords, login names, Social Security numbers, or other personal information through e-mail. Be suspicious of a message that asks for personal information even if the request looks legitimate.

• "If you don't respond within 48 hours, your account will be closed." Phishing e-mail may be polite and accommodating in tone, but these messages often convey a sense of urgency so that you'll respond immediately without thinking. Phishing e-mail may threaten to close or suspend your account or may even say your response is required because your account may have been compromised.

• "Dear Valued Customer." Phishing e-mail messages are usually sent out in bulk and do not contain your first or last name. Although, it is possible that con artists have this information. Most legitimate companies (but not all) should address you by first and last name.

• "Click the link below to gain access to your account." HTML-formatted messages can contain links or forms that you can fill out just as you'd fill out a form on a Web site. The links that you are urged to click may contain all or part of a real company's name and are usually "masked," meaning that the link you see does not take you to that address but somewhere different, usually a phony Web site. Notice in the following example that resting the mouse pointer on the link reveals the real Web address, as shown in the box with the yellow background. The string of cryptic numbers looks nothing like the company's Web address, which is a suspicious sign.

Microsoft.com * February 2005

Back