ITS News

Avoid Getting Hooked by a 'Phishing' Scam

"We suspect an unauthorized transaction on your account. To ensure that your account is not compromised, please click the link below and confirm your identity."

"During our regular verification of accounts, we couldn't verify your information. Please click here to update and verify your information."

Have you received email with a similar message? It’s a scam called “phishing” — and it involves Internet fraudsters who send spam or pop-up messages to lure personal information (credit card numbers, bank account information, Social Security number, passwords, or other sensitive information) from unsuspecting victims.

According to the Federal Trade Commission (FTC), the nation’s consumer protection agency, phishers send an email or pop-up message that claims to be from a business or organization that you may deal with — for example, an Internet service provider (ISP), bank, online payment service, or even a government agency. The message may ask you to “update,” “validate,” or “confirm” your account information. Some phishing emails threaten a dire consequence if you don’t respond. The messages direct you to a website that looks just like a legitimate organization’s site. But it isn’t. It’s a bogus site whose sole purpose is to trick you into divulging your personal information so the operators can steal your identity and run up bills or commit crimes in your name.

Suggested tips to help you avoid getting hooked by a phishing scam:

  • If you get an email or pop-up message that asks for personal or financial information, do not reply. And don’t click on the link in the message, either. Legitimate companies don’t ask for this information via email. If you are concerned about your account, contact the organization mentioned in the email using a telephone number you know to be genuine, or open a new Internet browser session and type in the company’s correct Web address yourself. In any case, don’t cut and paste the link from the message into your Internet browser — phishers can make links that look like they go to one place but actually send you to a different site.
  • Don’t email personal or financial information. Email is not a secure method of transmitting personal information. 
  • Regularly update and patch your Web browser(s). Recent browser vulnerabilities have been used as part of phishing attacks. 
  • Be cautious about opening any attachment or downloading any files from emails you receive, regardless of who sent them. These files can contain viruses or other software that can weaken your computer’s security.
  • Use antivirus and anti-spyware software on your workstation and regularly update it. Some phishing e-mails contain malicious software that can harm your computer or track your activities on the Internet without your knowledge. Antivirus software helps prevent this type of software from being installed on your computer.
    [NOTE: ITS offers free McAfee Antivirus software to students, faculty, and staff at Vanderbilt. Antivirus software is available for download at http://its.vanderbilt.edu/antivirus/downloads.php. WebRoot Spy Sweeper anti-spyware software is also available for free download at http://its.vanderbilt.edu/antispyware/.]
  • If you wish to report phishing emails you receive, the following groups are available:

    - Anti-Phishing Working Group (reportphishing@antiphishing.com)
    - Federal Trade Commission (spam@uce.gov)
    - The "abuse" e-mail address at the company that is being spoofed (e.g., spoof@ebay.com)

These groups use the information they collect on phishing attacks to shut down phishing web sites and take legal action against phishers.


Adapted from FTC Consumer Alert, “How Not to Get Hooked by a ‘Phishing’ Scam”, June 2005,
http://www.ftc.gov/bcp/conline/pubs/alerts/phishingalrt.htm (accessed February 24, 2006)