Jackson BPW

Dollar Wise

Don't be hooked by the Internet's biggest fraud

They call it 'phishing:' Crooks use official- looking e-mails and fake Web sites to get your personal data, then steal from you. Here's how to protect yourself.

By Jennifer Mulrean

If you’ve been swatting away warnings of phishing scams for the last couple years, it may be time to finally stop and pay attention.

Why? It's running rampant, and nearly all of us are targets. In this scam, crooks use official-looking but fake e-mails and Web sites to lure you into revealing personal financial information. Then they can drain your bank accounts, charge up your credit cards or steal your identity. And according to some industry experts, it’s the biggest fraud on the Internet.

The Anti-Phishing Working Group (APWG) says the number of reported incidents of the scam climbed 800% in the first six months of 2004, and a staggering 4000% in the six months between November 2003 and May 2004. By June, the latest month for which data is available, the APWG reports an average of almost 50 unique attacks (attacks from different sources) per day. With mass e-mailings, each of those unique attacks can potentially hit thousands, if not millions, of people.

Who's taking the bait? As many as 3% to 5% of people who get the e-mails, the experts say. And the sheer numbers of people being targeted mean big payoffs for swindlers.

Watch for the telltale signs
The big problem is that the fake "phishing" e-mails look so official, so real:

They appear to be from trusted banks, retailers or other companies. Citibank is targeted more than any other business; its name was used in almost 500 of the 1,422 unique attacks reported to APWG in June. PayPal, US Bank and eBay names are also used as fronts.

The e-mail often says the company needs to verify your information, such as account numbers or passwords, for supposed security purposes.

They're slick and well-designed, using official-sounding language and real company logos to make them look and feel authentic.

They try to fool you with an address "spoof." In more than 90% of cases, the e-mail address looks like one from a real company. Although the address in the “From” line of the e-mail may contain a legitimate address, it conceals a scammer's address. (Your e-mail program can be set to display "headers" so you can see a false address. Read more in this Slate article on how to detect spoofed e-mails.)

While working on this story, I received a phishing e-mail that used the SunTrust bank brand. It said my SunTrust account (something I’ve never had) had possibly been “compromised by outside parties.” It instructed me to verify my identity by clicking on a link and then said not to access my account online for the next 48-72 hours. Now the e-mail sticks out as an obvious ploy, but if I’d really had a SunTrust account and had been less aware of phishing, I might have clicked the link -- if only to try to get a better idea of what the fuss was all about.

Here are some other giveaways:

Scare tactics. Like the SunTrust phish above, it may play on security fears.

No name. The mail doesn't address you by name but with a generic greeting, such as “Dear Suntrust.com Customer.”

It offers forms to fill out with your personal financial information.

It points to links in the e-mail, urging you to click to "validate" or "confirm" your account.

Once you're on the hook . . .
What happens after you inadvertently click on one of these links in a phishing lure? Here are some ways the crooks try to trick you:

You may be directed to a legitimate company's Web site. But a crook's pop-up window -- not part of the real site -- will open and ask for your account information.

The site itself may be fake, but it will have a similar URL to the real site, fooling you into using it.

The site may be fake, but the address window showing its URL will be hidden by a floating window displaying the legitimate company's URL to fool you. (Most of these are static images, so if you can’t click on the window or type anything in it, it’s a good tip-off that the address displayed is a decoy.)

The link may trigger the download of a "key logger" to your computer. It's a program that records what you type into legitimate sites, including your passwords and account numbers, then passes them on to the swindlers.

How to avoid the hook, line and sinker
The Federal Trade Commission’s No. 1 tip for avoiding this ripoff: DON'T provide any personal financial information via e-mail. (Banks and other companies frequently remind customers that they don't ever ask for sensitive financial data via e-mail.) Other tips from the FTC and the APWG:

Be extremely suspicious of any e-mail with urgent requests for personal financial information.

Don't fill out forms in e-mail messages that ask for personal financial information.

Don't use the links in an e-mail to get to any Web page if you suspect the message might not be authentic. Instead, telephone the company or log onto the Web site directly by typing its Web address in your browser.

Don't give your credit card numbers or account information unless you're using a secure Web site or the telephone. Check the beginning of the Web address in your browser's address bar. A secure site should show as "https://" rather than just "http://" (You may also want to click on the window containing the secure address, to make sure you’re not dealing with a floating window.)

Beware of e-mail attachments. Don't open them or download any files, regardless of who sent them.

Check your bank and credit card statements online on a regular basis. Make sure the transactions are legitimate. Don't wait for a mailed paper statement, which can take up to a month. If you see something suspicious, contact your bank and all card issuers using a phone number you know to be legitimate or by typing in a secure Web site URL into the Internet browser address bar.

Use anti-virus software and keep it up to date. Anti-virus software and a firewall can protect you from inadvertently accepting unwanted key-logger files. Look for anti-virus software that recognizes current viruses as well as older ones; that can effectively reverse the damage; and that updates automatically.

Keep your computer's operating system up to date and download security patches. These free software patches for your operating system close holes that hackers or phishers could exploit. (You can check for Microsoft patches here: http://www.microsoft.com/security/.)

Consider installing a Web browser tool bar to help protect you from known phishing fraud Web sites. EarthLink ScamBlocker alerts you before you visit a page that's on Earthlink's list of known phisher Web sites. Ebay offers a free toolbar that warns you when you might be on a spoofed eBay site.

Report the attacks by forwarding the phishing e-mail to the following addresses: spam@uce.gov, reportphishing@antiphishing.org and to the "abuse" e-mail address at the company that is being spoofed (e.g. "spoof@ebay.com").

What to do if you’ve divulged sensitive info
If you think you’ve been scammed, you can file a complaint with the FTC and the Internet Fraud Complaint Center. But the most important thing is to notify the bank or credit card issuer of the account that has been compromised. You’ll probably want to close the account and open a new one.

If you’ve given away your Social Security number, you should also notify the big three credit reporting agencies -- Experian, Equifax and TransUnion -- so that a fraud alert can be placed on your file. That way, if anyone applies for new accounts with your Social Security number, you should be notified at home. You should also start regularly monitoring your credit reports, if you don’t already.

For more tips, go to the FTC’s Identity Theft site and MSN Money’s Decision Center on Guarding Your Financial Privacy.

Good public relations for your business .

Good public relations starts with good business relationships with your customers.
Be sure and recognize employees promotions and training by issuing press release.
Write thank you letters or handwritten notes - not e-mail communications
Read the newspaper, clip and mail recognitions to customers, or those you might want as customers.

Linda J. Higgins
Public Relations/Management Services
( 901) 427-6681 Fax ( 901 ) 424-4851

Don't go for a general practitioner when you need a specialist.

Using the same business lawyer you've trusted from the beginning may lead
to a bad experience if you really need a specialist. Should the case end up in
court, you don't want a lawyer who has never performed litigation cutting his
teeth at your expense. The word "specialist" may cause you to cringe and think
of high cost.
However, Starnes argues that a specialist may turn out to be less expensive,
depending on your needs. Where a general small-business attorney may take
days to research and draw up the right documents, a real estate or tax specialist
may solve your problem in a matter of hours.

Do some legwork to find a good attorney.

Simply put, don't let your fingers do the walking when it comes to tracking
down competent legal advice. "Don't be lazy," Starnes says. "You can't go to
the mall and get a lawyer."
If you need a specialist, ask your current lawyer for a referral. Don't stop there,
though; ask people you know with some connection to your legal community.
Get references and do background checks.
The more time you put into your search, the better your chances of getting a
competent lawyer who's also suited to your business.

Do some due diligence on lawyers' costs and fees, too.

Before you contact a lawyer, consider how much time and money you are
willing to spend on one. Make sure to account for time away from your
business.
Do some research on the Web and make some phone calls to get basic
understanding of lawyers' costs and whether your problem is worth what it
might cost.
If you decide that the issue is big enough, then it's time to meet with a lawyer to
discuss the problem and the fees required to solve it. But proceed cautiously: In
the hands of the wrong lawyer, your $3,000 problem can quickly escalate into
$30,000 and take months to resolve. If you lose, you now have to deal with both
the original problem and a hefty legal fee.

Don't sign up unless you're completely comfortable with the fee arrangement
and relationship.

Make sure an attorney is worth what you're spending — agree only to a fee
structure that suits you. Small-business owners are often asked to sign blank
checks or retainer fees. Avoid doing this if at all possible, Starnes says. It means
that you are dependent on the honor system and likely will have no idea how
much time your lawyer actually spends on your case.
Instead, ask your lawyer for an estimate at the beginning. This will allow you to
set up a budget and to avoid any unexpected surprises when the bills arrive. Take
it as a serious red flag if the lawyer balks.
As an attorney, "I can give you an estimate on just about anything that I know
how to do," Starnes says. "At the very least, I can give you a range and tell you
the factors that will make it higher or lower."
Also, insist on a written fee agreement where all anticipated costs and fees are
specified. In other words, get it in writing.

Understand what an attorney is doing for you.

The last thing you want is for a legal problem to bite you later because your lawyer
neglected to file the documents with the right government department — or, just
as bad, did not let you know what the documents meant. That said, another
warning sign is your lawyer failing to explain any sort of legal document he or
she is drafting.
To keep your relationship running smoothly, keep a written account of all
interactions that you have your attorney. As Starnes says in her book, "One of
the most helpful things you can do, especially early in your relationship with
your lawyer, is to provide a written summary and chronology of what happened."
This is particularly important in discussions concerning money. By documenting
your understanding of fee changes or potential settlement discussions along the
way, you will ensure a fair and quick resolution of any future disputes.
As you move through each stage, question the things that you don't understand.
A good lawyer will take the time to explain and answer these questions.

Insist on a good system of communication.

Insist in advance on how and how often you should communicate.
If you have to wait days or weeks to hear back from your lawyer, either you
didn't relate your expectations well enough, or you have a lawyer too busy to
take on your business. Give some thought to finding a new one as soon as you
can.
Starnes points out that you could have the best lawyer in the country, but if she
is too wrapped up in a high-profile case, she isn't devoting much time to you.
That means your problem is unnecessarily going to take more time, and more
money, to resolve.

Be wary of the "slam dunk" claim.

"Any lawyer who tells you you've got a slam dunk case is probably not a very
good lawyer," Starnes says. "I have seen very few slam dunks in my time. The
law is rarely black and white. Often times, there is a disagreement, and who will
win and lose is difficult to predict."
Depending on the case, an attorney likely will have to do some research and
talk to several people before making any kind of assessment. While his
confidence may be reassuring, his actions on your behalf are more important.
Also, trust your gut. If you feel doubts about a lawyer's comments or
competence, you may be best to cut your losses, terminate the relationship and
move on.

DISCLAIMER: