Phishing (a classic tip from 10/14/2013)

I recently came across this article about how a scammer posing as Sallie Mae was trying to steal private information by claiming the federal government was offering student loan forgiveness during the government shutdown.  This reminded me that phishing is alive and well in the world, and is something we should all be thinking about.

Imagine it’s 1996.  You are enjoying the Internet through America Online when an instant message pops up.  Someone masquerading as an AOL employee asks you to verify your password.  This was the birth of the Internet scam called phishing.

From its early start as an AOL password-harvesting scam (thus the “ph” replacing the “f” in the word fishing), phishing has evolved into the practice of sending out e-mails that appear to be from banks or other reputable organizations with the intent of luring the recipient to reveal sensitive information such as Social Security numbers, usernames, passwords, credit card information or bank account details.

The scam artists who run phishing schemes are quite clever.  They have made an art form out of creating e-mails and web sites so similar to those of the organizations they are impersonating that it can be nearly impossible to tell the difference.  Usually they ask the intended victim to “update” or “validate” their account information.  Often they will try to incite fear with threats such as “your account will be canceled” if you don’t provide the requested information.  The phishing e-mail then provides a link to a web site where the intended victim will be asked to provide the private information the phisher seeks.

You can learn to identify phishing scams by looking for these clues:

  • Watch for address spoofs.  The original e-mail may appear to be from a legitimate address, such as, but this is really just concealing the scammer’s actual address.  The enclosed link will lead to a look-alike web site at a similar but fake address such as
  • Phishing e-mails almost always link to a web site that is not secure.  It’s very simple for you to tell the difference between a secure and a non-secure site.  A secure site will always start with “https://”.  A non-secure site lacks the “s” for secure and will start with “http://”.
  • A genuine e-mail from a financial institution you work with will likely include your name or a partial account number.  A phishing e-mail will likely start with a more generic “Dear Customer.”
  • Phishing e-mails almost always use scare tactics such as threat of account cancellation.
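
The four clues above can also be checked mechanically, for example by a mail filter or a help desk triaging reported messages. The following Python is an added example, not part of the original tip; the sample message, the example.com and example.net addresses, the clue names and the function names are constructed for illustration, and it assumes a plain-text, single-part message.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample message; example.com and example.net are reserved test domains.
SAMPLE = """\
From: "Example Bank" <service@example.com>
Subject: Please validate your account

Dear Customer,

Your account will be canceled unless you update your information today:
http://login.example.net/update
"""

GENERIC_GREETING = re.compile(r"^\s*dear\s+(customer|user|member|account holder)\b", re.I | re.M)
SCARE = re.compile(r"\b(will be|has been)\s+(canceled|cancelled|suspended|closed|terminated)\b", re.I)
URL = re.compile(r"https?://[^\s\"'<>]+", re.I)

def same_org(host, domain):
    """True if host is the sender's domain or a subdomain of it.
    Simplification: real tooling compares registrable domains (Public Suffix List)."""
    host, domain = host.lower(), domain.lower()
    return host == domain or host.endswith("." + domain)

def phishing_clues(raw):
    """Return the sorted names of the clues found in a plain-text, single-part message."""
    msg = message_from_string(raw)
    body = msg.get_payload()
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    clues = set()
    for url in URL.findall(body):
        parts = urlparse(url)
        if parts.scheme.lower() != "https":
            clues.add("non-https-link")        # clue 2: link is not https://
        if from_domain and not same_org(parts.hostname or "", from_domain):
            clues.add("link-domain-mismatch")  # clue 1: link leaves the sender's domain
    if GENERIC_GREETING.search(body):
        clues.add("generic-greeting")          # clue 3: "Dear Customer"
    if SCARE.search(body):
        clues.add("scare-tactic")              # clue 4: threat of cancellation
    return sorted(clues)

if __name__ == "__main__":
    print(phishing_clues(SAMPLE))
```

An https:// link that points to a look-alike domain still trips the domain check, so the scheme alone is not treated as proof that a message is genuine.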

You can further protect yourself from phishing by doing the following:

  • If you get an e-mail asking for personal information, do not click on the link in the message.  If you are concerned that it may be a legitimate request from a company you work with, you should go to that company’s web site directly to confirm your account information there.
  • Do not e-mail personal or financial information.  E-mail is not secure, so you should only send confidential information through secure sites.
  • Regularly review your bank account and credit card statements to ensure that all transactions were initiated by you.
  • Install anti-virus software on your computer and keep it updated.  Some phishing e-mails will contain software to track your Internet activities without your knowledge.  Anti-virus software and firewalls can protect you from this.
  • Always be cautious about opening attachments in e-mails—even from people you know.
  • If you receive an e-mail you are certain is phishing, you should report it to the Anti-Phishing Working Group at

If you have given out personal information, here is what you should do to limit the damage:

  • Report the theft of your information to the holder of your account as soon as possible.  This will limit your liability.
  • Cancel the account and open a new one as soon as possible.
  • Monitor the stolen account for fraudulent use.
  • If you have downloaded a virus, you should install or update anti-virus software and run a full scan.
  • If you have given out personal identification information such as your Social Security number, you could be a target for identity theft.  You should contact the three major credit reporting agencies (Experian, Equifax and TransUnion) to place a fraud alert and a victim’s statement in your file.  You should regularly monitor your credit reports to watch for any fraudulent activity.

The Internet is a powerful tool.  It has drastically changed the way we do just about everything.  But the Internet is also a dangerous place.  It is important for us to keep this at the forefront of our minds and exercise caution in our Internet use.


