Email Scam: Phishing

Have you ever received an e-mail from company that began, "We suspect an unauthorised transaction on your account" or "During our regular verification of accounts, we couldn't verify your information"? If so, you've been a target of the scam called "phishing" (pronounced fishing"), which is also known as carding or branding. It's become a very common way of trying to con people into parting with personal information and stealing identities. According to statistics, one in five people fall for this new variation on an old trick. But with some simple precautions, you can avoid adding your name to the list of victims.

How It Works

The perpetrators copy the design, layout and logos of an official e-mail, be it from a bank, Paypal or some other institution (virtually every bank in the U.K. and U.S. has been a victim). It won't have your name in the greeting, but there will be a sense of urgency in the message. The idea is for you to believe that the security of your account has been breached, so you'll click on the link in the mail and type in all the requested personal information. The only problem is that the link doesn't lead to an official site. Instead it takes you to a bogus site set up by the criminals, where they harvest that information.

The first attempts at phishing, just a few years ago, were quite crude. The English was poor, and the design was frequently amateurish. These days, however, they're very sophisticated, to the point where it's often hard to tell the fake from the real thing.

How to Identify a Phishing Scam

It can be difficult to figure out whether an e-mail is real or fake. However, the following offer very good indicators as to the legitimacy of the mail:

• Check the header (the part at the top of the mail, including address and subject line). If there are many addresses in the cc part, it's phishing
• Who is the letter addressed to? If it simply says "Dear customer," then beware. Proper e-mails will address you by name.
• Does the letter make sense? Are the grammar and spelling correct? If not, chances are it's a scam.
• Run your mouse over the link in the mail. If it's legitimate, the address that you see at the bottom of your screen (in the grey area) should be identical. A phishing mail will show a different address.
• There's an urgency in the message - if you don't respond within 48 hours, your account will be closed, for example. They want you to acct immediately.

How to Prevent Phishing

Even with the best e-mail spam filters, it's impossible to stop every phishing message reaching your inbox. But there are steps you can take to make sure you're not hurt by them.

1. Install a filter such as Mailwasher, which allows you to preview (and delete) e-mails before they're on your computer.
2. Make sure you have both anti-virus software and a firewall installed on your computer, and update them very regularly.
3. Sometimes phishing mails can install viruses; these will help prevent that happening.
4. Be dubious about opening any attachment to an e-mail. These can contain viruses and spyware. Only open attachments that you were expecting, sent by people you know and trust.
5. Never click on a link in an e-mail. Instead, open your browser, and type in the proper link. Don't copy and paste from the e-mail!
6. Don't e-mail sensitive information. No legitimate organisation will ask for this in an e-mail. If in doubt, search online for a phone number and ring them.
7. You should only perform online transactions with legitimate companies you trust. Never type in sensitive information unless you see a closed padlock in the bottom right-hand corner of your screen - that means the transaction is secure and encrypted. Even then, be careful; some phishers have forged security icons.
8. Check your credit card and bank statements every month and report any suspicious activity.
9. Report all suspected phishing mails to the institution being hoaxed.

What To Do If You Think You've Been Phished

If you feel you've been scammed, your actions depend a great deal on the information you've given out. If it's just a password log on to the site immediately and change it. If you can't get into your account, inform the company so they can take action.

If you've given more information, then you should contact your banks and credit card companies, informing them and changing account numbers. Request a copy of your credit file from one of the credit reporting agencies and have a fraud alert put on your account.

Act quickly, and you can minimise any damage. The one thing you quite literally can't afford to do is fret and wait.

Phishing is widespread, and becoming even more so. The criminals behind it are becoming slicker and more sophisticated. But if you think carefully, you can avoid the traps.