We continue to see increasing numbers of fraudulent e-mail messages that try to convince people to visit fraudulent web sites in order to steal credit card numbers, bank account numbers, eBay, PayPal, banking, and AOL account passwords, and other sensitive data. Fraudulent messages pretending to be from local banks, such as SunTrust and BB&T, have also been seen.
These scams, referred to as "phishing" attacks, use e-mail messages made to appear as though they come from banks and other businesses you may trust. The messages contain links leading to malicious web sites that duplicate the businesses' web sites in almost every detail and that ask for passwords, credit card numbers, and other sensitive information useful to criminals. It is very difficult to tell the difference between an official web site and one set up by criminals to mimic it, and the forgeries are getting more sophisticated. You can view real-life examples of these messages and the fake web sites at: http://www.fraudwatchinternational.com/phishing/index.php.
The visible text of a web link in e-mail, on web sites, in instant messages, and elsewhere says nothing reliable about where the link actually leads, so it cannot be trusted for critical decisions such as whether to supply sensitive information or download software on to your computer. It is as useless, and as easily forged or disguised, as the return address on a post card or the FROM address on an e-mail message.
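The mismatch between a link's visible text and its real destination can be checked mechanically. The following is an added example, not code from the original page or from JMU: it parses the anchors in an HTML message body, and whenever the visible text itself looks like an address (a URL or a dotted host name), compares the host the reader sees with the host the link really points at. The message body is constructed for illustration and the host names in it are fictitious.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample of a phishing-style HTML e-mail body (not a real message).
# Links 1 and 2 display one host but point at another; links 3 and 4 are honest.
SAMPLE_HTML = """
<p>Dear customer, please verify your account:</p>
<a href="http://198.51.100.7/login">https://www.example-bank.com/login</a>
<a href="http://www.example-bank.com.evil.test/secure">www.example-bank.com</a>
<a href="https://www.example-bank.com/help">Help centre</a>
<a href="https://www.example-bank.com/contact">www.example-bank.com/contact</a>
"""


def host_of(address):
    """Lower-cased host of a URL. A bare 'www.host.tld/path' string, as a link's
    visible text often is, is treated as an http URL (assumption)."""
    if "://" not in address:
        address = "http://" + address
    return (urlsplit(address).hostname or "").lower()


def looks_like_address(text):
    """Heuristic: visible text with a scheme, or whose first path component is a
    dotted token without spaces, is something the reader will read as a URL."""
    t = text.strip()
    first = t.split("/")[0]
    return "://" in t or ("." in first and " " not in first and first != "")


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def find_deceptive_links(html):
    """Return (visible text, real href) for links whose visible text names a
    host other than the one the href actually goes to."""
    parser = LinkCollector()
    parser.feed(html)
    flagged = []
    for href, text in parser.links:
        if not looks_like_address(text):
            continue  # "Help centre" style text makes no claim about a host
        if host_of(text) != host_of(href):
            flagged.append((text, href))
    return flagged


if __name__ == "__main__":
    for shown, real in find_deceptive_links(SAMPLE_HTML):
        print(f"shown: {shown!r:45} really goes to: {real}")
```

Two points about the design. The comparison is on the whole host, so `www.example-bank.com.evil.test` is not mistaken for `www.example-bank.com`; a trailing "real" domain after the familiar name is a common disguise. The check says nothing about lookalike characters or lookalike spellings in the real host, and it cannot see links whose visible text is only words, so a clean result is not a clean bill of health; it only removes one way of being fooled.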
It is best to avoid typing sensitive data (account numbers, passwords, credit card numbers, etc.) into unfamiliar web sites or into sites reached through links in unexpected or unusual e-mail messages. It is also prudent to avoid clicking links in such e-mail and instant messages, especially those that are blatant spam or phishing messages, as they sometimes lead to web sites that will infect visiting computers. For the same reason, it is also best to avoid downloading software from such web sites.
Instead, reach the site through a link you already know to be good (a bookmark or an address you type yourself), and/or verify the message contents over a known good secondary channel (a phone number or e-mail address taken from a statement or the organization's official web site, not from the suspect message).
General recommendations for handling unsolicited messages can be found on the JMU SPAM web page.
If you receive such a message, you may report it to authorities by forwarding the message, preferably with full mail headers, to firstname.lastname@example.org and/or the owner of the site being forged (e.g. email@example.com, firstname.lastname@example.org, or the address supported for this purpose by the organization).
A web site ( http://www.lookstoogoodtobetrue.com ) promoting Internet fraud awareness has been published with the cooperation of the FBI, U.S. Postal Service, and several other organizations.
Carnegie Mellon University has designed a game meant to improve your ability to identify fraudulent web sites. It can be accessed at http://cups.cs.cmu.edu/antiphishing_phil/ .
http://www.adobe.com/support/security/bulletins/apsb07-12.html
If you typed sensitive information into one of these criminals' web sites, it is likely the information you provided will be, or already has been, sold or misused. To limit loss in such a case, contact the organization whose site was forged first, then review the recommendations at the following web sites.
In the past, it has been difficult for a person to freeze credit reporting on themselves. State laws mandating the ability of consumers to request such freezes were spotty ( notably absent in Virginia ), and the credit reporting agencies offered the service only where a law mandated it. Luckily, the credit agencies seem to be responding and are beginning to offer anyone nationwide the ability to freeze their credit reports ( see this article and this one ). This is a useful tool for preventing fraud and limiting the spread of identity theft.
Additional phishing information:
Can you tell the difference?
Phishing in the news:
Other Internet Fraud:
Scams, Hoaxes, and Fables