What is Phishing?

Phishing(pronounced "fishing")- is the criminal attempt to electronically collect confidential information by disguising oneself as a legitimate company.

In most cases this scam starts with an urgent email that appears to be from a company you deal with regularly. It could be a bank, a courier service or any number of large companies that have many customers.

The email warns about some immanent threat that has to be dealt with immediately and usually provides a link to their website. The website you are directed to may look exactly like a site you visit regularly. You are then directed to log in and verify your account number or other sensitive information.

Before you know it, the perpetrator has your user name and password along with other confidential information such as a bank account, PIN or credit card number. You may not even know this has occurred until you find your bank account cleared out, your credit card maxed or your credit rating bottoms out because of unpaid loans taken out in your name.

Although technically not a virus, phishing techniques can be used to direct an unsuspecting user to an infected website.

How Can I Protect Myself?

The perpetrators of this crime can be incredibly sophisticated. They are experts in social engineering and know exactly how to get people to "click here". However, there are usually telltale signs that can expose this fraud for what it is before any damage can be done.

The following steps should be taken before you click on their provided link and begin entering your personal data into their website.

1. Do You Deal with this Company?

The reason that the people committing this crime disguise themselves as large companies is to increase the likelihood that you will take the bait.

They know that if you receive a message from, say, Amazon.com, Federal Express or the Royal Bank that there's a good chance that you either deal or have dealt with these companies in the past.

Before you blindly "click here" to respond to their "urgent request", ask yourself, "do I do business with this company?" If the answer is "no" then the red flags should go up immediately.

Always keep in mind that legitimate companies will never send you an unsolicited email or text message asking you to verify any of your personal or account information. Most financial institutions post their email policies and information about phishing directly on their websites.

2. Don't Depend on an Email's Return Address

If you're like me, you receive a number of spam emails every day that appear to be sent by "yourself". This is a glaring indication of how easy it is to spoof (fake) the return address of an email. Be aware of this possibility and never assume that the return address of an email is valid proof of where the email originated.

3. Look Closely at the Email's Content

Examine the email closely. Are there spelling mistakes or grammatical errors? Is there any information in the content that pertains specifically to you? For example: Is the email addressed "Dear Mr. Smith" or just "Dear Valued Customer"?

Ignore corporate logos or warnings about security threats (such as phishing). These are designed to give the email legitimacy and you a false sense of security. In fact, the criminals may well have started with a legitimate email from the company they are disguised as and tweaked it only enough to direct you to their bogus website.

4. Know Where you are and Where you're going

Whether initiated by email or text message, the first message you receive in most phishing schemes is designed to lure you to a bogus website where you are prompted to enter some sort of personal information. A basic understanding of where you are being directed to can sometimes determine whether or not the initial message was legitimate.

The technical name for each and every page on any website is called the Address or URL (uniform resource locator). You can usually see the URL of a web link by hovering the mouse over it before you click and looking in the status area of your email or browser application or by looking in the Address window in your web browser after you click.

Web Addresses can be quite long and complicated. However, the most important part of an address is the "domain name". This is the right-most portion of the words located between the characters "http://" and the next slash ("/").

In the following example, the domain name is "website.com":

http://my.website.com/scripts/apage.html?user=12345#comments

Armed with a basic understanding of web addresses, you should make it a habit to take a mental note of the company websites you visit regularly. In most cases, the bogus website domain is obvious, but sometimes domains with names similar to authentic websites are used.

Look closely at the domain names in the following examples:

1. http://www.tdbank.com/
2. http://tdbank.mygreenbank.com/home.html
3. http://www.greentdbank.com/

"tdbank.com" is the legitimate domain name for TD Canada Trust, however the last 2 examples-mygreenbank.com and greentdbank.com-are not. For as little as 10 bucks anyone can register the mygreenbank.com or greentdbank.com domains and set up a bogus site. Keep in mind that a numbered address (eg. http://214.52.142.2/) is usually a dead giveaway that something unusual is occurring.

5. "Google" the Message

I use Google quite a bit to get a sense of the validity of information I find on the Internet. If you are the target of a phishing attempt you were probably not the first.

Many times, victims of identity theft will post information on forums about the troubles they've had. Or they'll alert the company that the criminals are masquerading under, which will in turn issue a bulletin or press release.

By entering the company name and part of the message on a suspected email in quotes into Google you may be able to confirm if the message is not genuine. An example for this might be to Google the keywords: "Urgent Warning" Royal Bank.

6. Use a Phishing Filter

Web browsing and anti-virus software companies are starting to incorporate phishing filters into their products. These companies maintain lists of "safe" and "unsafe" websites at a central location and monitor your web surfing behavior. If you open a web page that contains "phishing-like" attributes, such as prompts for passwords, etc., they will check the domain and warn you if the site is unknown or unsafe.

This functionality is included in the newer versions of Microsoft's Internet Explorer, however it needs to be activated in order to become effective.

7. Contact the Company Directly

If you have any doubt about the legitimacy of a message you receive, contact the company directly to verify that they sent it. Do this using the contact information you have on file, as any information contained in the email itself, including telephone numbers, should be considered suspect.

If you think you have given out confidential information in a phishing attack, contact the company you deal with as soon as possible so they can monitor your accounts. You will also want to change your passwords immediately, hopefully before any damage has been done.