What is Phishing?

phishing - (pronounced fishing) - The act of sending an  e-mail to a user falsely claiming to be an established legitimate enterprise in an attempt to scam the user into surrendering private information that will be used for identity theft.
- Webopedia.com (http://www.webopedia.com/TERM/p/phishing.html)

In other words it is the electronic version of someone calling you up claiming to be from your bank and trying to get you to give them your credit card info to "verify" your accounts.

How big is the problem?

First of all, this isn't the kid next door having some fun at your expense.  Researchers believe that a large percentage of these scam attempts are actually run by organized crime including mobs in Russia (no... I'm not kidding.)

The e-mail sent typically asks you to visit a bank's web site and then provides a link which looks legitimate but in fact sends you to some bogus web server the crook has set up.  According to a recent APWG Phishing Activity Report, there were over 1700 active phishing web sites reported in December 2004 and that number is growing 24% every 6 months.

Can't the sites be shut down?

Efforts are made to shut them down, however, the same reports indicates that a single site remains up an average of almost 6 days and some as long as 30 days.  Either number is more than long enough for you to be tricked and give a criminal your bank or credit card numbers so they can steal your money.

What is DCE's Tech Team doing about this?

On July 20, 2005 we added a spam filtering server.  It has proven itself quite good at catching and blocking these emails.  As with anything, however, it is not 100% effective and the crooks are constantly changing their email messages to get around these types of controls.  The bottom line is that we are trying to limit the number of these scams which reach your inbox but in the end you need to be informed.  See the next section about how you can protect yourself from phishing scams.

What you can do to protect yourself.

Experts have several recommendations on how to handle unsolicited email which claims to be from a web site financial institution you do business with:

1. Remember that legitimate companies should not be asking for personal or financial information via email.  So start out being suspicious.
2. If you never gave your email address to the company sending the message it should send up red flags. How would the bank have gotten your email address and why on earth would they send an email to it if it wasn't verified to really be yours?
3. Don't rely on the "From" address of the email.  It is easily forged.
4. Don't click on the link provided in the email.  Instead open a new browser window and type in a web address for the bank/site which you know to be correct.
5. Don't send personal/financial information via email. Email is NOT secure.  Anyone with access to mail servers or Internet connections between you and the recipient can read the message.
6. Don't submit personal/financial information on a web page unless the web site is secured.  For tips on how to tell if a site is legitimate and secure, please see both of these pages:
   Security Check (Link will open new browser window.)
   URL Spoofing (Link will open new browser window.)
7. Review credit card and bank account statements as soon as you receive them and look for fraudulent charges.
8. Protect your computer from viruses and other software which may spy on you.  See our Malware Information page and home computer virus information page. (Both links will open a new window.)
9. Report suspicious activity to the FTC. If you get spam that is phishing for information, forward it to spam@uce.gov. 
10. Practice safe online computing.  For more tips how to protect yourself when browsing and purchasing online, see the Safety Online page.