When Internet Scam Artists Go "Phishing,"
Don't Take the Bait.

How to avoid being lured into giving out personal information.

Law enforcement officials use the word "phishing" to describe a type of identity theft by which scammers use fake Web sites and e-mails to fish for valuable personal information from consumers. The FBI also is calling it the "hottest and most troubling new scam on the Internet." Even the FDIC's good name was used fraudulently in a phishing scheme.

In the typical phishing scam, you receive an e-mail supposedly from a company or financial institution you may do business with or from a government agency. The e-mail describes a reason you must "verify" or "re-submit" confidential information — such as bank account and credit card numbers, Social Security numbers, passwords and personal identification numbers (PINs) — using a return e-mail, a form on a linked Web site, or a pop-up message with the name and even the logo of the company or government agency. Perhaps you're told that your bank account information has been lost or stolen or that limits may be imposed on your account unless you provide additional details. If you comply, the thieves hiding behind the seemingly legitimate Web site or e-mail can use the information to make unauthorized withdrawals from your bank account, pay for online purchases using your credit card, or even sell your personal information to other thieves.

"These thieves are very good at convincing you that you are receiving a legitimate message or using a Web site from a trusted source," says Michael Benardo, a manager in the FDIC's Technology Supervision Branch.

While federal and state laws and industry practices generally limit dollar losses for unauthorized transfers from accounts, if an ID thief uses your name to commit fraud you are likely to spend a great deal of time and money — sometimes hundreds or thousands of dollars — correcting your credit files or otherwise defending yourself. Therefore, it's very important to be on guard against phishing scams and other types of Internet fraud.

Never provide your personal information in response to an unsolicited call, fax, letter, e-mail or Internet advertisement.

"If you did not initiate the communication, do not give this information, regardless of how legitimate or genuine these people or entities may appear to be," says William Henley, Jr., an FDIC electronic banking specialist.

If you decide to initiate a transaction with a bank or other entity on the Web, take some simple precautions.

Don't provide personal information to a Web site using a link from an e-mail or an Internet advertisement, no matter how legitimate it may appear. "Clicking on a link in an e-mail or an Internet ad is very risky," says Donald Saxinger, another FDIC electronic banking specialist. "You're always safer typing in the URL (Web address) from scratch, assuming you type it in correctly." The problem with typing a URL incorrectly or guessing about a Web address is that some fraudulent, copycat sites deliberately use URLs that are very similar to, but not the same as, those for well-known companies or government agencies. When contacting your bank, for example, use the phone number or Web address listed on your monthly statements or other literature from the institution.

Quickly report anything suspicious to the proper authorities.

Report any questionable e-mail message or Web site to the real bank, company or government agency, using a phone number or e-mail address from a reliable source. Example: If your bank's Web page looks different or unusual, contact the institution directly to confirm that you haven't landed on a copycat Web site set up by criminals. "Customer inquiries about changes to a Web site are one of the most prevalent ways that banks and other organizations are finding out about unauthorized sites containing the look and feel of a legitimate Web site," says Paul Onischuk, also an FDIC electronic banking specialist. And if you're pretty sure an e-mail or Web site is fraudulent, contact the Internet Crime Complaint Center, a partnership between the FBI and the National White Collar Crime Center.

What if you believe you're already a victim of ID theft, perhaps because you submitted personal information in response to a suspicious, unsolicited e-mail or you spotted unauthorized charges on your credit card? Immediately contact your financial institution and, if necessary, close existing accounts and open new ones. Also contact the police and request a copy of any police report or case number for later reference. In addition, call the three major credit bureaus (Equifax at 800-525-6285, Experian at 888-397-3742 and TransUnion at 800-680-7289) to request that a fraud alert be placed on your credit report.

From FDIC Consumer News