Phishing is one of the fastest-growing online crimes in recent memory. Millions of people are being affected and billions of dollars are getting stolen through phishing. This page seeks to shed some light on the phishing process and what you can do to avoid becoming a victim.

If you find the information on this page helpful, I encourage you to send it to a friend or two who you think would find it helpful as well.

Any comments can be directed to [email protected].

Note: This is a condensed version of the original article. The original article has all the same information, but is presented in a more snarky and sarcastic (and vulgar) way. If you'd like to read that version instead, visit http://www.geocities.com/phishingmemo/index.htm.

Phishing is a technique used to extract personal information from victims by means of deceptive and fraudulent emails for identity theft. Once phishers have this personal information, they can use it to make purchases in their victim's name, steal money from their victim's bank account, or, in many cases, simply annoy their victim.

Phishing is illegal and is fast becoming a crime epidemic. To date, millions of computer users -- particularly new and inexperienced users -- have fallen victim to phishers. It's estimated that up to one in twenty users who receive a phisher's email will respond to it, unknowingly providing enough sensitive information to incur tremendous financial losses.

There are a few signs typical of a phisher's email:

• The email specifically states it's not a scam.
  
  
• The email requires immediate action of some sort, especially when it's out of the blue. Many emails would say something like "Account verification needed" or "Update your information," threatening to "terminate the account" if you fail to do so. Skepticism is your friend.
  
  
• The email asks you to email back sensitive information. There is virtually no legitimate business that will ask a customer to do this; the typical email usually has no protection and is very insecure. Put it this way: If your bank actually uses this as a method of verifying account information, you need to switch banks.
  
  
• The email contains a link which leads to a form where you're told to input your sensitive information. These forms are often cleverly duplicated pages on a phisher's site; phishers duplicate the general format of a company's page right down to the logos, layout, and fonts to create a sense of legitimacy. The information you provide in the form, however, will be sent to the phishers for them to misuse.
  
  
• The email contains typos or blatant grammatical mistakes. These companies hire people to write actual customer service emails; it's what they do. A typo isn't a big deal, and a split infinitive isn't something to get too worried about. However, in particular, you should watch out for:
  
  
  • Two or more typos/misspellings.
  • Run-on sentences, like "We need to confirm your information, thank you for your time."
  • Weird capitalization, like "You are a Valued customer, and we appreciate Your business."
  • Blatantly bad syntax, like "Our records is indicating your information are outdated."
  • Incorrect brand spellings, like an eBay representative writing "Ebay" or "e-Bay."
  
  
• The email is impersonal. In many cases, legitimate organizations will provide some sort of personalized information in the email; for example, your account number or your first name ("Dear Bob"). The goal of phishers' emails is to get this information, so obviously they wouldn't have it. Thus, the email is impersonal ("Dear Valued Customer") with no personalized details.
  
  

• Don't download any included attachments. Despite what the email says, most legitimate organizations don't require their customers to download emailed programs to maintain accounts.
  
  
• Don't follow any links within the email, especially if the provided link is a long and cumbersome link. Instead, open a browser window, and manually type in the web address of the company (e.g., "http://www.ebay.com") and follow links there.
  
  
• Contact customer support of the company who supposedly sent you the email via email or phone, and ask them to verify whatever claims are being made in the email ("I received an email telling me my account may be canceled if I don't confirm my account number; is this true?").
  
  
  • Do NOT respond to the original email. Get the email address from the company's website after manually typing in the address.
    
    

• Images can be forged. Just because it has the Citi logo and a copyright at the bottom of the email doesn't mean it's legitimate.
  
  
• Return addresses can be forged. It's not much more difficult to create forged email headers; don't be surprised if that unsuspicious, kindly email from [email protected] is really from a phisher.

• Be careful. Follow this article's instructions.
  
  
• Keep track of your various online accounts, and regularly log into them. The whole "We need to verify your information/Your account has been inactive" thing is the most common phishing tactic out there; if you ensure your accounts are indeed active, it takes some credence away from phishers' emails.
  
  
• Inspect your bank and credit card statements. If you find something wrong, report it to your bank or credit company immediately.
  
  
  • If you have been the victim of phishing, visit the Anti-Phishing Working Group's site at http://www.antiphishing.org/consumer_recs2.htm for more in-depth information about what to do and links to other resources.

The Anti-Phishing Working Group maintains a very comprehensive site on this subject. Check them out at http://www.antiphishing.org.

No, absolutely not. Millions of people have been phished; you aren't alone. Also, it's a particularly clever crime, one that has fooled not only computer neophytes but tech savvy people as well. The important thing is you act quickly to fix whatever damage there might have been and be careful in the future.

Also, it would be nice if you tried to help others avoid the same mistake. I strongly encourage you to forward this site's address to your friends and family.