Phishing and identity theft

What is it?

"Phishing" -- with a "ph", not an "f" -- refers to schemes aimed at extracting sensitive information about you in order to commit fraud.  That fraud can be as simple (and illegal) as making purchases using stolen credit card data, but may in some cases involve wholesale identity theft that can ruin a person's credit rating.

Most commonly, phishing is done by email -- email that appears to be legitimate business correspondence from a familiar organization, like a bank, credit card issuer, Internet Service Provider (ISP), or online retailer.

A link in the phishing email directs recipients to what appears to be the organization's Web site.  Typically the Web site has a form that asks for sensitive information -- like birth date, Social Security number, bank account or credit card numbers, computer user-IDs or passwords -- for some plausible purpose like a "security update."

Phishing doesn't always involve personal data.  Phishers can go after sensitive corporate information too.  And the attack doesn't always come in email.  Phishers can use the telephone, or even face-to-face conversations, to trick someone into revealing information.

Why is it called "phishing"?  It's a variation of "fishing" -- as in "fishing for information."  Phishing has been around since the early days of the Web, when the scam du jour was pretending to be an AOL customer service agent in order to steal account information for free Internet access.

How do you prevent it?

Phishing can be hard to spot.  Sometimes the emails look entirely genuine.  Addresses for phishing Web sites can be disguised to look like the "real" ones, and the site itself often appears quite genuine.  In a few cases it actually is the real company site, with a deceptive pop-up window in front that makes a request for personal data.

In a particularly insidious variation, called "spear phishing" because it is targeted at a particular set of victims, the communication is designed to look like it comes from your own organization, perhaps even a person or department you know, in order to trick you into divulging information.

So, how can you stay safer?  Here are some do's and don'ts, adapted from the sources listed below.  Always remember one overall rule: Don't reveal sensitive information to anyone (or anything) unless you are sure that they are who they claim to be and that they should have access to that information.

(1) Be extremely wary of any email asking you to provide sensitive information, especially related to your finances.  Email is generally not a secure communications method, so it's usually a bad idea to exchange any sensitive information using it.   Legitimate companies rarely if ever request sensitive data via email.   

(2) Don't reply to suspicious email, even to try to "opt out."  Use the telephone to confirm the sender's identity and the validity of their request.  Get the telephone number from a trusted source.  Don't just use one you find in the email (it could be a fake).

(3) If a suspicious email contains a link to a Web page, don't click on it.  If you want to go to the company's Web site, do that by typing the company’s address (URL) yourself.  As with a telephone number, don't just type a URL that you find in the email.  Get the Web address from a document that you are sure is legitimate or use a search engine.

(4) Never submit confidential information via forms embedded within email messages, on Web pages, or in pop-up windows, unless you are absolutely certain of the request's authenticity.  Instead, communicate that information over the telephone or through a secure Web site accessed via a verified URL that you typed in yourself.

(5) Watch out for generic-looking requests for information.  Fraudulent emails are often not personalized -- because the phisher doesn't have that information, at least not yet.  Legitimate emails from a company usually directly address you or your account, though that's not a guarantee of authenticity (see "spear phishing" above).

(6) Don't let yourself be pressured into divulging information.  Phishing messages often use scare tactics -- such as threatening to disable an account or delay services until you update certain information.  Resist the impulse to respond immediately.  Contact the company by telephone to confirm the authenticity of the request.

(7) Whenever you submit sensitive information via a Web site, make sure the connection is secure.  Check for the "closed lock" icon on your browser's information display, and look for an "https" URL.   (Please note that just because the site's address appears to begin with "https" doesn't guarantee the connection is secure.  That can be faked too.)

(8) Be extremely cautious about attached files in emails you receive, even if the email appears to be from someone you know.  Attached files can contain malicious software, including data-extracting spyware.  Sender information for an email can easily be faked.  If you weren't expecting the email, or it appears suspicious for any other reason, call the sender to confirm authenticity.  Note that even just clicking on a link can start an infection by malicious software or spyware, depending on your browser's security settings and the quality of your anti-virus software.

(9) Check your bank, credit card and other online accounts frequently and carefully.  Make sure all listed transactions are valid, and if they aren't, contact the company immediately.  Get a copy of your credit report regularly, and inspect it for errors.  (You're entitled to one free report per year from each of the big three credit bureaus.)

(10) Keep your computer's operating system and Web browser software up to date, and configure them with appropriate security settings.  Some phishing emails try to exploit vulnerabilities in un-updated software.  It is possible for phishers to damage an insecure computer even if you don't open an attachment or click on a link.

(11) Install anti-virus, anti-spyware and firewall protections on your computer, and keep them current.  Anti-virus and anti-spyware software are essential for all computers.  If you have a home computer, particularly one connected via an "always on" broadband connection, also use firewall software or hardware.  (The Medical Campus network has its own firewall protections.)

(12) Forward a copy of any suspicious email you receive at work to Medical Information Technology Security, at spam@med.miami.edu.  We filter email coming into the Medical Center, so most phishing emails are intercepted.  But not all of them.  Phishing emails received at home can be sent to the Anti-Phishing Working Group, or to the Federal Trade Commission at spam@uce.gov.

Most organizations will also be interested in knowing they are being misrepresented, and will have information about where to report that information on their (legitimate) Web sites.
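Rules (3) and (7) come down to one habit: compare where a link says it goes with where it actually goes.  The following Python example, added here and not part of the original page, performs that comparison the way a browser does, and shows why a "user@" prefix or a familiar name buried in a longer host does not make a link legitimate.  The addresses are constructed: "yourbank.example" stands for a legitimate site and "not-the-bank.example" for a phishing site.

```python
"""Compare where an emailed link says it goes with where it really goes.

Added example for this article, not code from the original page.  Sample
addresses are constructed: 'yourbank.example' stands for a legitimate site
and 'not-the-bank.example' for a phishing site.
"""
from urllib.parse import urlsplit


def real_host(url: str) -> str:
    """Host a browser would actually connect to, lower-cased.

    urlsplit() drops any 'user@' prefix, so the disguised address
    'https://yourbank.example@not-the-bank.example/' yields the phisher's host.
    """
    return (urlsplit(url).hostname or "").lower()


def base_domain(host: str) -> str:
    """Approximate registered domain (last two labels).  Good enough for
    .com-style names; a production check should use the Public Suffix List."""
    labels = host.rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def check_link(visible_text: str, href: str, expected_domain: str) -> list:
    """Return warnings for one link; an empty list means nothing looked odd."""
    warnings = []
    host = real_host(href)

    # Rule (7): the connection is secure only if the scheme itself is
    # https; the word 'https' appearing later in the address proves nothing.
    if urlsplit(href).scheme != "https":
        warnings.append("not an https connection")

    # Rule (3): the link must land on the organization's own domain, not a
    # look-alike such as 'www.yourbank.example.not-the-bank.example'.
    if base_domain(host) != expected_domain:
        warnings.append(f"actual host is {host!r}")

    # If the clickable text is itself an address, it must match the real one.
    if "://" in visible_text or visible_text.startswith("www."):
        shown = visible_text if "://" in visible_text else "//" + visible_text
        shown_host = (urlsplit(shown).hostname or "").lower()
        if shown_host != host:
            warnings.append(f"text shows {shown_host!r} but link goes to {host!r}")
    return warnings
```

Running check_link on a link whose text reads "https://www.yourbank.example/security-update" but whose target is "http://www.yourbank.example.not-the-bank.example/https/update" produces all three warnings, which is exactly the situation rules (3) and (7) describe.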

Learn more

Avoiding Social Engineering and Phishing Attacks (US-CERT)
Good one-page summary of what it is, and how to avoid being a victim of it

How Not to Get Hooked by a 'Phishing' Scam (Federal Trade Commission)
Some basic rules to keep you from being phished

Identity Theft: What to Do If It Happens to You (Privacy Rights Clearinghouse)
Comprehensive guide for victims of identity theft

What To Do If You've Given Out Your Personal Financial Information (Anti-Phishing Working Group)
Another comprehensive guide for victims and potential victims

What You Should Know About Phishing Identity-Theft Scams (Microsoft)
Basic information about how fraudulent email messages and spoofed web sites are used to steal data