What is phishing?
Phishing (pronounced "fishing") is a type of online identity theft. It uses email and fraudulent websites that are designed to steal your personal data or information such as credit card numbers, passwords, account data, or other information.
Con artists might send millions of fraudulent email messages with links to fraudulent websites that appear to come from websites you trust, such as your bank or credit card companies, and set up a scenario that would require you to provide personal information. Criminals can use this information for many different types of fraud, such as to steal money from your account, open new accounts in your name, or to obtain official documents using your identity.
FAQs about phishing
Phishing - General
- What should I do if I receive an email phishing scam? If you think you've received a phishing scam, delete the email message. Do not click any links within the message.
- What should I do if I think I've responded to a phishing scam? Take these steps to minimize any damage if you suspect that you've responded to a phishing scam with personal or financial information or entered this information into a fake website.
- Change the passwords or PINs on all your online accounts that you think could be compromised.
- Place a fraud alert on your credit reports. Check with your bank or financial advisor if you're not sure how to do this.
- Contact the bank or the online merchant directly. Do not follow the link in the fraudulent email.
- If you know of any accounts that were accessed or opened fraudulently, close those accounts.
- Routinely review your bank and credit card statements monthly for unexplained charges or inquiries that you didn't initiate.
- How do scammers get my email address or know which bank I use? Criminals who send out phishing scams (often called "phishers") send out millions of messages to randomly generated email addresses. They fake or "spoof" popular companies in order to attempt to dupe as many people as possible.
Recognize Phishing Scams
- Can an email message that contains a company's official logo be a phishing scam? Yes. Phishing scams often use the official logos of the companies they're trying to spoof. If you think an email message is a phishing scam, delete it, or type the web addresses directly into your browser, or use your personal bookmarks.
- Can I tell if an email message is a phishing scam just by reading it? Not necessarily. Phishing email messages often include official-looking logos from real organizations and other identifying information taken directly from legitimate websites. They might also contain phrases like:
- "Verify your account."
- "Update your account."
- "During regular account maintenance…"
- "Failure to update your records will result in account suspension."
- I received an email message that requests banking information. Is that a phishing scam? Any email message that requests banking information is probably a phishing scam. Most legitimate banks and financial institutions do not request this information by email. If you receive a message to an email address that is not the one you use to log in to your bank account, this is probably a phishing scam.
- I received an email message telling me I'd won the Microsoft Lottery. Is this a phishing scam? Yes, this is a type of phishing scam known as "advance fee fraud."
Prevent ID theft from phishing scams
- What can I do to help prevent identity theft from phishing scams? You can do the following to help protect yourself from phishing
- Don't click links in email messages.
- Type addresses directly into your browser or use your personal bookmarks.
- Check the site's security certificate before you enter personal or financial information into a website.
- Don't enter personal or financial information into pop-up windows.
- Keep your computer anti-malware software current with the latest security updates.
- How can Internet Explorer help protect me from phishing scams? Internet Explorer includes the SmartScreen Filter, which can help protect you from web fraud and personal data theft.
- What is the SmartScreen Filter? The Microsoft SmartScreen Filter is a feature of Internet Explorer 7 and Internet Explorer 8. It's designed to help protect you from fraudulent websites that try to steal your personal information.While you surf the Internet, SmartScreen Filter analyzes pages and determines if they have any characteristics that might be suspicious. If it finds suspicious web pages, it shows a yellow warning and advises you to proceed with caution. If the site matches an updated list of reported phishing sites, SmartScreen Filter notifies you with a red flag that it has blocked the site for your safety.
- What does it mean when a website is flagged yellow and "suspicious"? A suspicious website has some of the typical characteristics of phishing websites, but it is not on the list of reported phishing websites. The website might be legitimate, but you should be cautious about entering any personal or financial information unless you are certain that the site is trustworthy.
- What does it mean when a website is blocked and flagged in red as a reported phishing website? A reported phishing website has been confirmed by reputable sources as fraudulent and has been reported to Microsoft. We recommend that you do not give any information to such websites.
How to recognize phishing email messages or links
Phishing email messages are designed to steal your identity. They ask for personal data, or direct you to websites or phone numbers to call where they ask you to provide personal information. A few clues can help you spot fraudulent email messages or links within them.
What does a phishing email message look like?
Phishing email messages take a number of forms:
- They might appear to come from your bank or financial institution, a company you regularly do business with, such as Microsoft, or from your social networking site.
- They might appear to be from someone listed in your email address book.
- They might ask you to make a phone call. Phone phishing scams direct you to call a phone number where a person or an audio response unit waits to take your account number, personal identification number, password, or other valuable personal data.
- They might include official-looking logos and other identifying information taken directly from legitimate websites, and they might include convincing details about your personal history that scammers discover from your social networking pages.
- They might include links to spoofed websites where you are asked to enter personal information.
- They might contain alarmist messages and threats of account closures.
- They might promise monetary reward for little or no effort.
- They might feature deals that sound too good to be true.
- They might solicite donations for charitable organizations after a disaster has been in the news – appealing to your good nature or willingness to help less fortunate individuals.
To make these phishing email messages look even more legitimate, the scam artists use graphics that appear to go to the legitimate websites (Windows Live Hotmail and Woodgrove Bank, respectively), but actually take you to a phony scam site or possibly a pop-up window that looks exactly like the official site.
Here are a few phrases that are commonly used in phishing email scams:
- "Verify your account." Businesses should not ask you to send passwords, logon information or user names, Social Security numbers, or other personal information through email. If you receive an email message from Microsoft or any other business asking you to update your credit card information, do not respond: This is a phishing scam.
- "You have won the lottery." The lottery scam is a common phishing scam known as advanced fee fraud. One of the most common forms of advanced fee fraud is a message that claims that you have won a large sum of money, or that a person will pay you a large sum of money for little or no work on your part. The lottery scam often includes references to big companies, such as Microsoft. There is no Microsoft Lottery.
- "If you don't respond within 48 hours, your account will be closed." These messages convey a sense of urgency so that you'll respond immediately without thinking. A phishing email message might even claim that your response is required because your account might have been compromised.
What does a phishing link look like?
Sometimes phishing email messages direct you to spoofed websites.
HTML-formatted messages can contain links or forms that you can fill out just as you would fill out a form on a legitimate website.
Phishing links that you are urged to click in email messages, on websites, or even in instant messages, may contain all or part of a real company's name and are usually masked, meaning that the link you see does not take you to that address but somewhere different, usually an illegitimate website.
Notice in the following example that resting (but not clicking) your mouse pointer on the link reveals the real web address, as shown in the box with the yellow background. The string of cryptic numbers looks nothing like the company's web address. This is a suspicious sign.
Cybercriminals also use web addresses that resemble the names of well-known companies but are slightly altered by adding, omitting, or transposing letters. For example, the address "www.microsoft.com" could appear instead as:
This is called "typo-squatting" or "cybersquatting."
Sign of a scam: bad grammar and misspelled words
We received a message from a reader who asked whether or not this email was a scam:
"Microsoft Corporation wish to notify all online customers as we celebrates the 35th year anniversary 2010; and also to inform you that you have emerged one of the beneficiary
Selected in this ongoing 35th Anniversary Program in conjunction with the Foundation of Software Products (F.P.S.) The Microsoft internet E-mail draw is held periodically and is organized to encourage the users of the Internet and promote computer literacy worldwide."
This email message continues with a request for personal and financial information. This is a scam. Email messages from Microsoft or other familiar and trustworthy organizations that are full of bad grammar and misspellings are fraudulent. If you receive one of these unsolicited e-mail messages, delete it.
The secret of life is not to do what you like but to like what you do.