Security Centre


What do I need to know? : Phishing

What is it?

Phishing is a scam designed to steal unsuspecting users' valuable personal data – such as login details, PIN numbers, credit card details, etc.

A phony Web site that looks like a trusted Web site – such as a bank or business site where you might store credit card details – is set up by scammers. These phony Web sites are often elaborately constructed to look exactly like the site they are impersonating.

The scam artists then randomly send out millions of e-mails that appear to be coming from the same trusted Web site - inviting users to come to the phony Web site and update their password or confirm their credit card details, etc.

If a user goes to a phony site and enters any sensitive details, the scammers will use these details to access their online bank accounts, make fraudulent purchases on their credit cards, or use the stolen data in other illegal ways.

How do I know if an e-mail is fraudulent?

Scammers use sophisticated phishing e-mail messages and pop-up windows, which often include the corporate logos of legitimate Web sites. So it is often difficult to tell at a glance whether an e-mail or Web site is to be trusted.

The following phrases are typically used in phishing e-mails:

“Verify your account”
You should never be asked to confirm or send passwords, login names, identification numbers, or other personal information through an e-mail. Many banks and businesses have a statement on their Web site saying that they will never e-mail you for this type of information.

“If you don't respond within 48 hours, your account will be closed”
The urgent tone is meant to make you act before thinking. These messages might even claim that your response is required because your account has been compromised.

“Dear Valued Customer”
Your first and last name will not appear in phishing e-mails as they are usually sent out randomly in the hope of landing in the inbox of a user who uses the Web site the scammers are faking. This is why you may receive phishing e-mails “from” sites where you do not have an account.

“Click the link below to gain access to your account”
A phishing e-mail will usually contain a link that appears to go to the real site, but actually leads to the phony site.

The links you are asked to click on may contain all or part of a business’s name, for example: http://mweb.example.com/login.

Usually they are “masked” – in the e-mail the link you see does not take you to that address, but somewhere else – often a phony site.

What Can I Do?

You should be suspicious of e-mails, regardless of where they appear to come from, particularly if you receive an unexpected e-mail from your bank, or another trusted Web site, asking you to follow a link and log in to that page or confirm your details.

If it is an unexpected e-mail but you feel that it might be an honest e-mail, do not follow the link in the e-mail. Go to the home page of the Web site that the e-mail appears to be coming from and look around to see if there is any mention of the content that was in the e-mail. If you are still uncertain, log in to the Web site as you normally would (not by following the link in the e-mail) and see if there are any notices similar to what was mentioned in the e-mail.

If you receive what you suspect is a phishing e-mail, report it as ‘spam’ in MWEB Message Centre.

If you are not using Message Centre, forward the e-mail to abuse@mweb.com. You should do this even if it appears to come from a bank or a Web site that you do not have an account with – you may help prevent someone else from being scammed.

Most modern Web browsers such as Internet Explorer 7, Firefox 2 and Opera 9 have anti-phishing features built-in which will check the Web sites you visit against a constantly updated list of known phishing sites and warn you if you are accessing one. Check the Web browser’s Help to learn how to enable this feature.

When you register on many Web sites, the site may need to make sure that the e-mail address you provided is valid. An e-mail will be sent to your inbox immediately after you register, with a link you need to click on to confirm that you received the e-mail. Clicking on the link is enough to confirm your e-mail address – you should not need to log in on this page, although the option may be made available to you.
