Identity thieves prey on your personal data — credit card information, social security number, and account passwords. They are trying to steal from you, using data they collect.
Identity thieves get their information about you from a variety of sources — spyware, viruses, your trash, hacking into databases. But would you believe that one of the biggest sources of compromised data is people just giving their information away themselves? Of course, people don’t know they are doing this, but they are doing it. It happens every single day — people becoming to a scam called phishing.
How does Phishing work?
Phishing is a low-level form of social engineering — manipulating people into providing secure or confidential information. What makes it “phishing” specifically, is that the attacker masquerades as a trusted entity.
- Users might get an email claiming to come from PayPal, telling them to log into their account and update some critical information. The victim clicks on a link within the email, which goes to a fake site that looks like PayPal. By trying to log in at that site, the victim is providing their username and password to the attackers.
- A message might appear to come from a bank, claiming that fraudulent activity has been reported, with a link to “verify identity.” The link in the email leads to a site which asks the user to enter bank account numbers or social security numbers.
All phishing schemes have two things in common:
- An attempt to get the victim to provide sensitive data.
- Messages claiming to come from a trusted source, but which are actually sent by an attacker.
What are Phishers Looking For?
The information most often collected by phishing scams include the data most often coveted by identity thieves:
- Credit card information.
- Social Security numbers.
- Bank account numbers.
- Website account login information (username and password), especially for finance-related accounts like PayPal and online banks.
- Personal data such as address, phone number, and date of birth.
How To Tell if a Message is Legitimate
Most phishing schemes involve one or more of the following:
- Requests to “verify” data
- Claims of possible fraudulent charges
- Warnings of unauthorized login
Phishing messages are, by definition, unsolicited. The email “from” addresses are usually spoofed — which means the email can appear to come from a legitimate address, even though it didn’t.
Things to look for include:
- Links to URLs other than the domain name you are used to for the account. For example, a PayPal-based phishing scheme might link to a URL like
http://paypal.com.example.com— that looks like PayPal’s domain, but if you look closer, you can see that it isn’t. (This is a good reason to understand what a URL is supposed to look like.)
- Bad graphics, typos, or a design style that is atypical for the company being represented.
- Claims that action must be taken by a certain date.
- A lack of personalization (your name or username) in the text of the email.
How To Protect Yourself
You should NEVER provide you credit card or social security number in reply to an unsolicited message. Always check the URL of any links you follow from emails, especially if they claim account action is needed on your part – better yet, navigate directly to a website (by typing the address into the address bar on your browser) instead of following links from emails. Report any suspicious emails to the company they seem to represent — they can verify whether it is legitimate or fraudulent.
What to do if You Become a Phishing Victim
If you are the victim of a phishing scam, don’t panic. You simply need to calmly deal with the problems:
- Figure out what information was compromised.
- Change any passwords or other login information that was compromised.
- Contact the service provider or company where your account was compromised, and inform them of the situation.
- If it is possible that your credit card information was compromised, call the credit card company and report it. They will issue you new cards.
- Think about secondary accounts that might have been compromised by the breach. For example, if you have a credit card linked to a PayPal account, and your PayPal account was compromised, you should get your credit cards provider involved as well.
- Be sure to talk to the provider of the compromised account, and inform them of fraudulent charges. Most companies have fraud prevention departments that can help you, even if charges have already been made against your card.
- Contact your local police department to discuss filing a police report.
- Get a copy of your credit report immediately and again in a few months. Look for any recent activity that you do not recognize.
- Once you've identified the source of the breach, try to avoid making the same mistakes in the future.