Phishing: A new form of identity theft
The term phishing refers to luring techniques used by identity thieves to fish for personal information in a pond of unsuspecting Internet users. Their objective is to take this information and use it for criminal purposes such as identity theft and fraud. Phishing is a general term for the creation and use by criminals of emails and websites – designed to look like they come from well-known, legitimate and trusted businesses, financial institutions and government agencies – in an attempt to gather personal, financial and sensitive information. These criminals deceive Internet users into disclosing their bank and financial account information or other personal data such as usernames and passwords.
Canada's Department of Public Safety and Emergency Preparedness and the United States Department of Justice are jointly issuing this special report to advise the public about the risks of responding to phishing emails and websites, and the steps to take when they encounter them.
Since 2003, law enforcement authorities, businesses and Internet users have seen a significant increase in the use of phishing. A growing number of phishing schemes are using the names and logos of legitimate financial institutions, businesses and government agencies in North America, Europe and the Asia-Pacific region for illegal purposes. According to one industry organization in the United States, the Anti-Phishing Working Group, there were 1,974 unique phishing attacks reported in July 2004 – an increase of more than 1,100 percent over the number of reported phishing attacks in January 2004.
How phishing occurs
At first glance, phishing emails and the associated websites may appear completely legitimate. One recent phishing attempt in the U.S. used the names of the Federal Deposit Insurance Corporation (FDIC) and two of its officials, as well as the Department of Homeland Security. What Internet users may not realize is that criminals can easily copy logos and other information from legitimate businesses' websites and place them in phishing emails or bogus websites.
In addition, if the recipient of a phishing email clicks on a link it contains, even the window of the Internet browser that opens may contain what looks like the true Internet address (URL) of a legitimate business or financial institution. Unfortunately, some phishing schemes have exploited a vulnerability in the Internet Explorer browser that allows phishers to set up a fake website at one place on the Internet, which will make it appear as if the Internet user is accessing a legitimate website at another place on the Internet.
Most phishing emails include false statements intended to create the impression that there is an immediate threat or risk to the bank, credit card or financial account of the recipient. The phony FDIC emails mentioned above falsely claimed that the Secretary of Homeland Security had advised the FDIC to suspend all federal deposit insurance on the recipients' bank accounts. Other recent phishing emails have falsely claimed that the recipients' credit card was being used by another person or that a recent credit card transaction had been declined.
As another example, a mass email circulated in the summer of 2004 advising customers of a leading Canadian financial institution, which had experienced information technology problems, that they needed to enter their client card numbers in order to access their accounts. In fact, the email was not sent or authorized by that financial institution.
In some cases, phishing emails have promised the recipients a prize or other special benefit. Although the message sounds attractive rather than threatening, the objective is the same: to trick recipients into disclosing their financial and personal data.
People who receive phishing emails are also likely to realize that the senders may have used spamming techniques (mass emailing) to send the message to thousands of people. Many of the people who receive that spammed email do not have an account or customer relationship with the legitimate business or financial services company that is purportedly the originator of the email. The people who create phishing emails count on the fact that some recipients of those emails will have an account or customer relationship with the legitimate business, and may be more likely to believe that the email has come from a trusted source.
Ultimately, people who respond to phishing emails may be putting their accounts and financial status at risk in three significant ways. First, phishers can use the data to access existing accounts to withdraw money or purchase expensive merchandise or services. Second, phishers can use the data to open new bank or credit card accounts in the victim's name, but use addresses other than that of the victim. Finally, the Internet users may not realize that they have become victims of identity theft.
What should Internet users do about phishing schemes?
Canada 's Department of Public Safety and Emergency Preparedness and the United States Department of Justice recommend that Internet users keep the following three steps in mind when they see emails or websites that may be part of a phishing scheme:
- Recognize it – If you receive an unexpected email from a bank or credit card company saying that your account will be shut down if you do not confirm your billing information, do not reply or click on any links in the email. Phishers typically have one purpose in mind: to entice people to react immediately by clicking on the link and inputting their password or credit card number before they take time to think through what they are doing. Internet users need to resist that impulse.
- Report it – Contact your bank or credit card company if you have unwittingly supplied personal or financial information. You should also report the matter to your local police. They will often take police reports even if the crime may ultimately be investigated by another law enforcement agency. In addition, a creditor who mistakenly believes that you are the person responsible for a fraudulent transaction may want to see a copy of a police report before correcting your credit account or credit report. Finally, report your identity theft case immediately to the appropriate government and private-sector organizations. Canadian and American agencies such as these are compiling information about identity theft to identify trends and assist law enforcement agencies in potential investigations.
- Stop it – Become familiar with the practices of your financial institutions and credit card companies. They normally will not use email to confirm an existing client's information. Keep informed of the latest advisories and steps on how to protect yourself from identity theft and fraud. A number of legitimate companies and financial institutions that have been targeted by phishing schemes have published contact information for reporting possible phishing emails as well as online notices about how their customers can recognize and protect themselves from phishing.
In addition, people who use the Internet Explorer browser should immediately go to the Microsoft security home page to download a special patch that will protect against certain phishing schemes.
How to report it
In the United States
Because the disclosure of personal information may put you at risk of becoming a victim of identity theft, you should also go to the identity theft website of the Federal Trade Commission and follow directions for reporting information to credit bureaus, credit card companies and law enforcement.
Resources for victims of identity theft
Place fraud alerts on your credit reports by contacting the credit bureaus that operate in Canada.
In the United States
Place fraud alerts on your credit reports by contacting the credit bureaus that operate in the United States.
If you need other information or have other questions concerning identity theft, please contact Canadian Anti-Fraud Centre in Canada or the Federal Trade Commission in the United States, as listed above.