Toughen Up: Don't Get Hooked: Protect Yourself Against Phishing Scams

Knowledge is power. Bulk up your understanding of Internet threats and how to prevent them from ever reaching your computer. Learn how to avoid viruses, spyware, identity theft and other threats. Get tough and stay tough.


Keep your identity and your accounts safe by recognizing the bait

Phishing is a 21st century crime. On an almost daily basis, criminals succeed in stealing the personal information of unsuspecting people by baiting them with phony e-mails, instant messages and Web sites. Through a combination of social engineering and technical subterfuge, successful phishing scams result in stolen identities and financial loss by delivering credit card numbers, passwords and financial account information into the hands of thieves.

The most common tactic in these deceptive messages and Web sites is to exploit your trust: by appearing to come from respected businesses, organizations and government entities, these cyber criminals expect you to take the bait without question. Increasingly sophisticated technical methods include planting crimeware on computers to automate the theft. For example, keystroke loggers (software originally used as a legitimate diagnostic tool) can also collect information like the login and password for your bank account and then report it back to the thief.

Being informed and alert to the hazards of phishing scams is a strong line of defense. There are also things you can do to protect yourself and to minimize the damage if you think you’ve been hooked. 

How do I protect myself against phishing?

The following tips may help you avoid a phishing scam:

  1. If you receive an e-mail message with an urgent request for personal financial information, be suspicious. Legitimate institutions do not ask you to click a link in an e-mail taking you to a “special” Web site. Contact the institution directly if you have any doubts or questions.
  2. Ask banks, companies and organizations how they will communicate with you, and check their Web sites regularly. Because of the prevalence of phishing, many institutions now provide helpful information to their customers listing the latest scams and providing ways for you to report any suspicious e-mail.
  3. Make sure you are using a secure Web site when you submit credit card or other private information over the Internet. Check the beginning of the Web address: it should read “https://” rather than “http://” if it is a secure site. Still be careful, though, because no one indicator is foolproof. Recent phishing scams have found ways to forge security icons.
  4. Understand the “closed lock” security icon found in the status bar of a secured browser window. This icon indicates you are on a Web page that is encrypted to protect any sensitive, personal information you enter. Typically, it only appears on the page of a site requesting personal information. Unfortunately, it can be faked by con artists. You can confirm the icon’s authenticity by double-clicking on the lock to display the security certificate for the site. The name following “Issued to” should match the name of the site. If the name differs, you may be on a fake site and should not enter any personal information.
  5. Regularly check your bank, credit and debit card statements. If you find anything suspicious, contact the company immediately to discuss your concerns.
  6. Use anti-virus software and a firewall, and keep them updated. These tools scan and, if necessary, block incoming communications from unauthorized or suspicious sources. Phishing scams may well be blocked before they reach your inbox.
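
The comparison in tip 4, between the site name in the address bar and the names a certificate was issued to, can be written out as follows. This is an added example, not part of the original article: the host names and certificate data are constructed (in the dictionary layout returned by Python's `ssl.SSLSocket.getpeercert()`), and the function names are hypothetical.

```python
# Added example: certificate dicts below are constructed sample data in the
# layout returned by ssl.SSLSocket.getpeercert(); function names are hypothetical.

def name_matches(pattern, hostname):
    """Compare one certificate name with the host name from the address bar."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False  # a wildcard never spans more than one label
    if p[0] == "*":
        # Accept "*" only as the whole left-most label of a name with at
        # least three labels, so "*.test" cannot cover every site.
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h

def issued_to(cert):
    """Names the certificate was issued to: DNS subjectAltName entries,
    or the subject commonName when the certificate lists none."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        names = [value for rdn in cert.get("subject", ())
                 for key, value in rdn if key == "commonName"]
    return names

def check_site(hostname, cert):
    """Return (matches, names) for the site name shown in the address bar."""
    names = issued_to(cert)
    return any(name_matches(n, hostname) for n in names), names

GENUINE = {  # constructed
    "subject": ((("commonName", "www.examplebank.test"),),),
    "subjectAltName": (("DNS", "www.examplebank.test"), ("DNS", "*.examplebank.test")),
}
LOOKALIKE = {  # constructed: digit "1" in place of the letter "l"
    "subject": ((("commonName", "www.examp1ebank.test"),),),
}

if __name__ == "__main__":
    for host, cert in [("www.examplebank.test", GENUINE),
                       ("login.examplebank.test", GENUINE),
                       ("a.b.examplebank.test", GENUINE),
                       ("www.examplebank.test", LOOKALIKE)]:
        ok, names = check_site(host, cert)
        print(f"{host}: {'match' if ok else 'MISMATCH'} (issued to {names})")
```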

How can I minimize the damage if I have fallen for a phishing scam?

If you believe you’ve already been hooked by a phishing scam, these steps may help minimize any potential damage: 

  • If you fell for a scam and have given out your credit card information, report the incident immediately to your credit card company. Frequently they are able to track any unauthorized activity on your account and can block the robbery in progress.
  • Report the fraud to the organization or company exploited by the phishing scam. Call them instead of contacting them online. They may ask you to forward the imposter e-mail to them, to help them in tracking the criminal.
  • Change your passwords. If you’ve provided passwords via e-mail or entered them into a site you now suspect may be a fake, change your passwords immediately. Make your new password strong by using seven to eight characters, both upper and lower case letters, and incorporating numbers and symbols.
  • Notify the authorities. The Internet Fraud Complaint Center (IFCC) and the Federal Trade Commission are two organizations that work to stop phishing, spam and other online abuses. Contact them to let them know you may have been tricked by a scam.