In the May 2005 installment of “Technology Talk” (See Page 15), John Anderson wrote about some of the ways in which hackers obtain your identity – namely, “pharming” and “phishing”. This month, I am going to go into a little more detail about the dangers posed by phishing in light of the serious increase in the incidents of identity theft.

According to the free, online Web encyclopedia Wikipedia (www.wikipedia.com), “phishing (also known as carding and spoofing) is the act of attempting to fraudulently acquire sensitive information, such as passwords and credit card details, by masquerading as a trustworthy person or business with a real need for such information in a seemingly official electronic notification or message (most often an e-mail, or an instant message). The term phishing comes from the fact that Internet scammers are using increasingly sophisticated lures as they ‘fish’ for users’ financial information and password data.”

Generally you will receive an e-mail message from your bank, your ISP, eBay, Amazon, PayPal or some other large institution with whom you may have done business. The e-mail looks amazingly legitimate. The message usually indicates that there is some sort of problem and that they need some confidential information in order to fix it. Very often there will also be a link to what appears to be a very legitimate website.

To see how difficult it is to distinguish some of these phishing sites from real sites, MailFrontier has a quiz that you can take to see if you can determine which sites are real and which are not (http://survey.mailfrontier.com/survey/quiztest.html). I highly recommend that you, everyone in your office and your family take this test; you will be stunned by how easily you can be fooled.

Phishing scams are no different in theory than the phone scams when people called pretending to be your bank, tricking people into giving out their bank account numbers. Most legitimate institutions will not contact you via e-mail and ask for confidential information. If you or anyone in your office or family gets a message like this, you can file a complaint with the Federal Trade Commission (FTC) at www.ftc.com.

In addition, you can get information on what to do if you have given out or think you may have given out any confidential information by visiting the Anti-Phishing Working Group online (www.antiphishing.org/consumer_recs2.html).

In “How Not to Get Hooked by a Phishing Scam” (www.ftc.gov/bcp/conline/pubs/alerts/phishingalrt.htm), the FTC offers the following recommendations on how to avoid being a victim of phishing:

1. If you get an e-mail or pop-up message that asks for personal or financial information, do not reply (and don’t click on the link in the message, either).

2. Use anti-virus software and a firewall, and keep them up to date.

3. Don’t e-mail personal or financial information. If you are going to send confidential information over the Internet, make sure it is a secure site. By this time you should all know how to determine if a site is secure. It will have a “whole key” or lock in the corner of the site on the status bar (as opposed to a “broken key”), or it will have “https” in the URL (the “s” stands for secure).

4. Review credit card and bank account statements as soon as you receive them. I now write down every purchase I make each month on my credit card and I compare it to what is on my statement. I also save all receipts in a separate file folder. (Just as an aside, this exercise of writing down all my credit card purchases and keeping that information with me has actually caused me to use my credit card less, thus saving me from buying “stuff” I really do not need – I have actually saved money by writing it down!)

5. Be cautious about opening any attachment or downloading any files from e-mails. If you were not expecting an attachment from someone, contact that person to make certain that it is legitimate.

6. Forward spam that is phishing for information to spam@uce.gov as well as to the company, bank or organization impersonated in the phishing e-mail. Most organizations have information on their websites about where to report problems (this is important if you want to try to slow down some of these criminals).

7. If you think you have been the victim of a phishing expedition, file a complaint with the FTC. You should also consider getting a copy of your credit report to make certain no one is opening credit cards in your name; visit www.annualcreditreport.com to obtain a copy of your report. Unfortunately, the free credit reports will not be available in Maryland until September 2005, but the cost for ordering them is very low and it is something you should consider. For more information on identity theft, visit www.consumer.gov/idtheft/.

Although many of these scams are very slick, “A Memo on Phishing” (www.geocities.com/phishingmemo/) suggests some things to look for to determine if the e-mail in question is a phishing scam:

1. It says it is not a scam.

2. It requires immediate action.

3. It asks for sensitive information (such as account numbers or financial information).

4. It will usually direct you to a site or form to put in this confidential information. This site will look legitimate.

5. The site/message will contain typographical or grammatical errors.

6. The message will be impersonal (most legitimate institutions have your information and will personalize messages to you)

For every new technology or invention, there will be people who will try to exploit it. Criminals and scam artists have been around since the beginning of time; only the tools have changed. Just remember everything your mother told you: Be careful. If it doesn’t seem right, it probably isn’t. And eat your vegetables.