Phishing and Pharming for Your Personal and Financial Information


Phishing is a scam that tries to steal your personal financial information. Phishing primarily uses email or pop-up messages, including instant messages, but can also occur over the phone. Email and pop-up messages may have a link to click or a phone number to call. The link usually goes to a fake website that mimics a legitimate site. The messages or phone calls seem to come from well-known companies and banks — even companies you may have an account with.

"Spear-phishing" is a phishing scam that is targeted at a specific, usually small, group. These emails may contain (or seem to contain) personal or confidential information and seem to come from a trusted person such as a boss, friend, or family member.

Take the SonicWALL Phishing IQ Test to see how savvy you are about these scams. This test shows how hard it is to distinguish between a real and a fake message.

Here are 3 things to note to avoid being hooked by such scams:

  • Reputable companies and financial institutions, like your credit union and bank, NEVER, EVER send e-mails asking for personal information and account number information they already have on file. Always be suspicious of any request for information that comes from an unsolicited e-mail. When you initiate the online contact with your bank or a reputable merchant, you may provide information to purchase merchandise or handle your account.
  • Report the scam to the company, using the customer service number or website address from a recent statement. You can also send the actual spam to the FTC.
  • NEVER click on the link in an e-mail of this sort, even if it looks legitimate. The link takes you right to the scammers, not the real company.

Malicious software installed on your computer can also "phish" for your information. It may monitor your keystrokes, looking for usernames and passwords for specific sites; it may misdirect you (using various techniques) to fake websites; or it may cause your information to be sent to a legitimate site, but through a computer that can collect that information.

Pharming is similar to phishing but much harder to detect. You don't have to do anything to get "scooped" up by the scam. It works like this: scammers create a fake, malicious website that looks like the site of a real company. Then these skilled criminals use Domain Name System (DNS) "poisoning" to redirect your browser to their fake site. In DNS poisoning, the legitimate Internet Protocol (IP) address (numerical address) for a site is replaced by the IP address of the fake site. Pharming can also occur on an individual's PC when the PC's Hosts file is poisoned. A Hosts file may not exist on your PC, but if it does, it translates domain names into IP addresses without using DNS.
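
An added example, not part of the original handout: a short Python check that reads a Hosts file and lists every entry that overrides DNS for a site you sign in to, which is the local form of pharming described above. The watchlist domains, the sample file and the function names are constructed for illustration.

```python
import ipaddress

# Constructed sample Hosts file (not from a real machine).
SAMPLE_HOSTS = """\
127.0.0.1       localhost
0.0.0.0         ads.example.net        # ad-blocking entry
192.0.2.10      intranet.example.org
203.0.113.45    www.mybank.example mybank.example
198.51.100.7    login.mycu.example     # trailing comment
not-an-ip       www.mybank.example
"""

# Hypothetical watchlist: domains of the sites you sign in to.
WATCHLIST = {"mybank.example", "mycu.example"}


def parse_hosts(text):
    """Yield (line_no, ip, hostname) for every valid mapping in a Hosts file."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()  # strip comment, split on whitespace
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # not a valid address, so not a usable mapping
        for name in fields[1:]:  # one line may map several names
            yield line_no, ip, name.lower().rstrip(".")


def is_watched(hostname, watchlist):
    """True if hostname is a watched domain or a subdomain of one."""
    return any(hostname == d or hostname.endswith("." + d) for d in watchlist)


def find_overrides(text, watchlist):
    """List Hosts entries that override DNS for a watched domain."""
    findings = []
    for line_no, ip, name in parse_hosts(text):
        if is_watched(name, watchlist):
            # A routable address sends the browser to another server.
            local = ip.is_loopback or ip.is_unspecified
            findings.append((line_no, name, str(ip), "local" if local else "redirect"))
    return findings


if __name__ == "__main__":
    for line_no, name, ip, kind in find_overrides(SAMPLE_HOSTS, WATCHLIST):
        print(f"line {line_no}: {name} -> {ip} ({kind}); review this entry")
```

To check a real machine, pass the text of its Hosts file in place of the sample (on Windows it is normally `C:\Windows\System32\drivers\etc\hosts`, on macOS and Linux `/etc/hosts`).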

Using a toolbar such as Netcraft, Trustwatch, or Earthlink (all work with Internet Explorer and Firefox) or the Opera browser that displays the location of the site's host can be helpful in avoiding phishing and pharming scams. Internet Explorer 7 and Firefox 2 include antiphishing features (but you must turn them on).

The StraightTalk Report This Scam Will Hit You This Week! But You Don't Have to be "Phished" provides tips on avoiding these scams and screen shots of some actual scams.

Want to test your Phishing knowledge? Then take the quiz: Phishing Scams — Avoid the Bait. It's from OnGuard Online.


This handout for Remar Sutton's Privacy seminars was prepared by Remar Sutton, CCU's StraightTalk spokesperson & Remar Sutton & Associates, for Corning StraightTalk, October 2006. All rights reserved.
