
How To Understand Phishing

What is phishing? Wikipedia defines it as "a form of social engineering, characterized by attempts to fraudulently acquire sensitive information, such as passwords and credit card details, by masquerading as a trustworthy person or business in an apparently official electronic communication, such as an email or an instant message. The term phishing arises from the use of increasingly sophisticated lures to "fish" for users' financial information and passwords."
Phishing emails are also a form of spam; for more information, see our How To "Understand Spam" in Related Articles.

Phishing Explained

Phishing is a form of identity theft. Individuals attempt to steal your identity and personal information to gain access to your accounts or commit other crimes using your credentials. Some of the basic types of KEY information that Phishers are looking for include:

Information Theft: Phishers want items like your Employee ID number and bank account numbers. In addition, they especially want credit card numbers and Social Security numbers. These are the pieces of gold that allow for …

Identity Theft: Once your ID has been stolen, it may be used for these activities:

  • Financial Theft
  • Medical Theft
  • Character identity theft

Unlike spam, phishing attacks can be targeted. These are referred to as Spear-Phishing. Example: if you were a past 4-H member and a list of 4-H members somehow became available on the Internet, phishers could craft an e-mail targeted specifically at you.

To see sample spoof emails and phishing scams, here are two links. First, Millersmiles.co.uk has an archive of scam emails. Second, MailFrontier has a Phishing IQ Test where you can challenge yourself against the phishers.

Don't take the bait

These guidelines will help you protect yourself against phishing and minimize its effects. They are from Stay Safe Online.

  • Watch out for "phishy" emails. The most common form of phishing is emails pretending to be from a legitimate retailer, bank, organization, or government agency. The sender asks to "confirm" your personal information for some made-up reason: your account is about to be closed, an order for something has been placed in your name, or your information has been lost because of a computer problem. Another tactic phishers use is to say they're from the fraud departments of well-known companies and ask to verify your information because they suspect you may be a victim of identity theft!
  • Don't click on links within emails that ask for your personal information. Fraudsters use these links to lure people to phony Web sites that look just like the real sites of the company, organization, or agency they're impersonating. If you follow the instructions and enter your personal information on the Web site, you'll deliver it directly into the hands of identity thieves. Instead, to check whether the message is really from the company or agency, call it directly or go to the institution's home page and "drill down" to where you need to go. Look for spelling errors as well.
  • Never enter your personal information in a pop-up screen. Sometimes a phisher will direct you to a real company's, organization's, or agency's Web site, but then an unauthorized pop-up screen created by the scammer will appear, with blanks in which to provide your personal information. If you fill it in, your information will go to the phisher. Again, close the box. If you have an account with this Institution, go to their Home Page instead.
  • Only open email attachments if you're expecting them and know what they contain. Even if the messages look like they came from people you know, they could be from scammers and contain programs that will steal your personal information.
  • Know that phishing can also happen by phone. You may get a call from someone pretending to be from a company or government agency, making the same kinds of false claims and asking for your personal information.
  • If someone contacts you and says you've been a victim of fraud, verify the person's identity before you provide any personal information. Legitimate credit card issuers and other companies may contact you if there is an unusual pattern indicating that someone else might be using one of your accounts. But usually they only ask if you made particular transactions; they don't request your account number or other personal information. Law enforcement agencies might also contact you if you've been the victim of fraud. To be on the safe side, ask for the person's name, the name of the agency or company, the telephone number, and the address. Get the main number from the phone book, the Internet, or directory assistance, then call to find out if the person is legitimate.
  • Job seekers should also be careful. Some phishers target people who list themselves on job search sites. Pretending to be potential employers, they ask for your social security number and other personal information. Follow the advice above and verify the person's identity before providing any personal information.
  • Be suspicious if someone contacts you unexpectedly and asks for your personal information. It's hard to tell whether something is legitimate by looking at an email or a Web site, or talking to someone on the phone. But if you're contacted out of the blue and asked for your personal information, it's a warning sign that something is "phishy." Legitimate companies and agencies don't operate that way.
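The link warning above comes down to one question: does the link go where it appears to go? As an added example, not part of the original article or of Stay Safe Online's guidance, the following Python script performs the check a mail filter or a careful reader does by hand: it extracts every link in an HTML message and flags links whose visible text names one site while the target is another, links that point at a bare IP address, and links where the trusted name is buried inside a domain that is actually registered elsewhere. The sample message, the domains bank.example and account-verify.invalid, and the address 198.51.100.23 are all constructed for this example; the registrable-domain helper (last two labels of the host name) is a deliberate simplification and an assumption, not a public-suffix-aware implementation.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message in the style the guidelines describe (not a real email).
SAMPLE_EMAIL_HTML = """
<p>Dear customer, your account will be closed unless you confirm your details.</p>
<p>Please sign in at <a href="http://198.51.100.23/login">https://www.bank.example/login</a></p>
<p>Or visit <a href="https://www.bank.example.account-verify.invalid/">our secure site</a></p>
<p>Questions? See <a href="https://www.bank.example/help">https://www.bank.example/help</a></p>
"""

IPV4_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


class LinkExtractor(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element in the message."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Assumption: the registrable domain is the last two labels (e.g. bank.example).
    Real deployments should consult the public suffix list instead."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def assess_link(href, text, trusted_domain):
    """Return a list of reasons this link looks 'phishy'; an empty list means no finding."""
    reasons = []
    host = urlparse(href).hostname or ""

    # Legitimate institutions link to a named host, not a raw address.
    if IPV4_RE.match(host):
        reasons.append("link target is a bare IP address")

    # Visible text that looks like a URL but the real target is on a different site.
    if re.match(r"^https?://", text, re.I):
        shown = urlparse(text).hostname or ""
        if registrable_domain(shown) != registrable_domain(host):
            reasons.append(f"visible text shows {shown} but link goes to {host or href}")

    # Lookalike: the trusted name appears as a prefix of a domain registered elsewhere.
    if trusted_domain in host and registrable_domain(host) != trusted_domain:
        reasons.append(f"{trusted_domain} appears inside {host}, which is registered elsewhere")

    return reasons


def find_suspicious_links(html, trusted_domain):
    """Scan an HTML message and return every link with at least one finding."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        reasons = assess_link(href, text, trusted_domain)
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_links(SAMPLE_EMAIL_HTML, "bank.example"):
        print(finding["href"], "->", "; ".join(finding["reasons"]))
```

Run against the sample, the first two links are flagged (display text pointing at an IP address, and a lookalike host) while the third, whose text and target agree on bank.example, passes. The same logic is what a reader applies by hovering over a link before clicking, which is why the guideline says to go to the institution's home page yourself instead.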

Password Security is another key anti-phishing step. Please be aware that your Penn State password, if stolen, can be used for MUCH MORE than just accessing your computer and your email. One key example of your password's monetary value is your ability to log in to secure Penn State sites and download software worth hundreds of dollars (e.g., Microsoft Office and Symantec AntiVirus). Another example: as a Penn State employee, your UserID and password allow you to see your benefits package, where your Social Security number can be found.

REMEMBER: Create secure passwords, protect your passwords, and regularly change your passwords.

What to do if you've been 'caught'

If you have fallen victim to a phishing scam and sent out your details to the phishers, what should you do?

Act Immediately!

  • Change Passwords, Contact Institutions, Close Accounts: Depending on how much information you revealed, you should log into your relevant accounts and change your passwords. If possible, also change your usernames. This will stop the fraudsters from accessing your accounts with the information you sent them. Contact your banks and financial institutions (Note: having a list of your card numbers and the banks' toll-free numbers on hand is key) and make them aware of the situation in case of problems. They should also give you further help and advice. If needed, you may actually want to close accounts that have been compromised.
    See our How To Change your PSU Access Account Password and College AG password in Related Articles.
  • File a police report: File a police report as soon as possible where your credit cards, etc., were stolen. This proves to credit providers you were diligent, and is a first step toward an investigation (if there ever is one).
  • Put a "fraud alert" on your files at the credit reporting bureaus and with Social Security: This should stop the phishers from making an application for credit in your name.
    1. Equifax: 1-800-525-6285
    2. Experian: 1-888-397-3742
    3. Trans Union: 1-800-680-7289
    4. Social Security Administration (fraud line): 1-800-269-0271
  • Advice for Identity Theft Victims: For other advice for ID theft victims, contact the Federal Trade Commission's ID Theft Clearinghouse, http://www.ftc.gov/bcp/edu/microsites/idtheft/ or 877-438-4338, TDD 202-326-2502.