Oh, look ... an email from eBay (Nasdaq: EBAY) reminding me to update my account information. And here's one from PayPal saying my account will be suspended if I don't furnish some critical information, stat. And yet another from Citigroup (NYSE: C).
Wait a minute ... I don't have a Citi account. Come to think of it, there's something fishy about these notices.
Ain't that the truth. "Phishing" -- the act of mimicking a legitimate organization to trick victims into revealing account or other personal information -- is one of the fastest-growing types of identity theft, as evidenced by the popularity contest playing out in my email inbox. Last year, consumers and businesses lost an estimated $5 billion to scamsters.
It's not just banks and online auctioneers getting spoofed. Mutual fund companies, game makers, and heiresses (no, Paris did not really send you an email) have been imitated by con artists. And they're getting lucky. Are you sure you can spurn their advances?
Most common phishing myths, according to Sestus Data Corporation, maker of security software:
Myth: "I won't get tricked by these phishers."
The equivalent of 10% of all U.S. households with a computer -- nearly 2 million adult Internet users -- experienced some form of phishing fraud between April 2003 and April 2004, according to the Federal Trade Commission. In February 2005 alone, more than 2,500 new phishing websites were created, says the Anti-Phishing Working Group, and phishing attacks grew by 4,000% between 2004 and 2005. It appears that everyone is indeed out to get you.
Myth: "My bank account is insured by the FDIC, so I will get my money back if it is stolen by phishers."
The Federal Deposit Insurance Corp. protects bank accounts up to $100,000 against bank failure, not consumer fraud or theft. Same goes for the contents of your safe deposit box and your mutual funds and other investments. Some banks will cover such losses via additional insurance or out of their own pockets, but don't assume that you'll be reimbursed if you fall victim to a scam.
Myth: "I didn't click it, so I'm OK."
Keeping your mouse safely away from suspect links is the best way to protect yourself against fraudulent email (or "spoofs"). But that won't protect you against "pharming." (What's up with the "ph"s, anyway?) Pharming exploits vulnerabilities in DNS servers to redirect a victim's browser to a lookalike website. It can be done via a virus downloaded from a questionable website or even a script hidden on a page.
Myth: "I've got a firewall and anti-virus software. I'm invincible!"
These security devices help prevent users from inadvertently downloading or becoming infected with pharming auto-redirection software. But they don't account for human error. If you visit a phishing website on your own, you do so without your backup.
To guard against cyber-crime:
- Password-protect everything. Use a complex assortment of nonsensical letters, numbers, and random punctuation marks. Once you have your password memorized, it's time to change it.
- Don't put the good stuff on a handheld device. If you do lose your PDA, or if someone manages to crack your electronic Fort Knox, having your Social Security number and a list of bank and brokerage accounts and a map to those buried gold bars only compounds the potential damage.
- Don't click that! By now you've probably gotten several hundred notices from banks with whom you do no business telling you there's a problem with your nonexistent account. Ignore the solicitations. But what about the less obvious come-ons? Take a tour of your computer to see whether anyone's lurking. The CERT Coordination Center (operated by Carnegie Mellon University) has a library of Internet security tips -- from installing initial security measures to responding to incidents and fixing email abuses.
- Make creditors call you before any funny business occurs. Ask the credit reporting agencies to put a fraud alert on your file. (Call one, and all three will comply.) The alert requires lenders to request additional documentation from you any time you request credit. If you get a call about a credit application you didn't fill out, you can stop a thief in his tracks. It will also opt you out of pre-approved offers. Fraud alerts expire, so make a note of when you need to re-up. Here are the contact numbers: Equifax: (888) 766-0008, Experian: (888) 397-3742, TransUnion: (800) 680-7289.
Next, go analog and protect yourself from low-tech criminals:
- Thwart wallet-snatching. Photocopy the contents of your wallet -- all cards, back and front. Don't carry important documents, such as your original Social Security card or a passport, unless you need to. Eliminate personal information (such as your Social Security number) from your checks, and ask that it not be the identifier on documents such as your insurance card.
- Give trash-picking thieves less fodder. Take your name off the junk mail lists. Opt out of pre-approved credit card offers -- gold to ID thieves -- by calling 888-5OPTOUT (888-567-8688). Buy a cheap shredder, gather any official documents destined for the trash, and pretend you work at Enron during commercial breaks.
- Check your bills. No, really. Check them. It's tempting to just glance at a bill and dash off a check. But a small, innocuous mistake may really be a fraudster checking to see whether he's tapped into a usable account.
- Look out for Aunt Edna. Many identity thefts are committed by someone close to the victim. Family members have easy access to all the necessary documents and can keep a close eye on their mark (often, the elderly). Unfortunately, you can never drop your guard. It may feel weird to narc out someone with the same last name, but shared DNA doesn't give anyone the right to rip off a loved one.
Sadly, this is only a partial list of protective measures. If you're really paranoid, make the FTC's ID theft website your home page. It's regularly updated with the latest scams.