Phishing For Your Data

The Consumer Corner: Phishing For Your Data
By David A. Szwak, Chairman Consumer Protection Section, LSBA

Historically, scammers came to your door, called you on the phone and even mailed you fraudulent requests for your personal and credit information in an effort to use that information to access your legitimate accounts or create new accounts in your name. Phishing is when you receive an unsolicited e-mail that appears to come from a legitimate company you may do business with. [[ ... re-Web.pdf. On July 17, 2006, the Wall Street Journal broke a story about “Vishing.” Banking customers were recently receiving emails telling them that their accounts with the company's online banking system had been disabled after the bank detected unauthorized access. The customers were told to dial a telephone number (with a local area code) where an automated voice prompted them to enter their account numbers, personal-access codes and other details. It was not clear who was on the other end of the phone line, but it was not the victim’s bank.]] It provides a link to a fake website and asks you to input personal information that can be used to support fraudulent activity. Because the website appears to be legitimate, many consumers are falling prey to this scam. Now, email phishing allows scammers to troll for victims on a massive scale and at little to no cost to initiate the scam. After all, email is really cheap. You can send millions of them in a matter of seconds with a basic program that generates email addresses randomly. Fake domain names that spoof the real bank’s or other legitimate company’s website create an appearance of legitimacy to the sender’s email address. I suspect everyone has seen at least one email in their email in-box from a phisher and news agencies have begun to report about phishing incidents almost daily.

If you receive this type of e-mail and it appears to come from a legitimate source but asks you to provide any sensitive information by email, contact the company directly by phone (look up the number in a directory or through a or similar search) to verify whether or not it's legitimate. It is better to check it out than to have to stop a wave of fraudulent charges and accounts if you improvidently give your information out. It is very uncommon for banks, credit card companies and government agencies to ask you for sensitive personal identification, account number or check routing information over the internet.

However, since some phishing emails direct you to a spoof site that may even have illegal duplicates of logos and other suggestions of validation, you need to be careful about entering your information into a web site. These spoof sites are growing in number and facilitate phishing where direct email requests did not succeed. eBay and its countless account holders were the targets of a spoofing attack where consumers received emails suggesting that their eBay account was compromised and the consumer needed to click on a link in the email which directed the consumer to a spoofed internet site [ex.,, as opposed to the real]. [[Other spoofed sites are generated by substituting a numerical “1” in place of a lower case letter “L.” The same occurs between a numerical “0” as opposed to a capital letter “O.” Of course, spoofing occurs by substituting “.net” as opposed to “.com,” etc.]] eBay suggested that if you receive any e-mail from eBay, and it asks you to click a link to a web site that requests a user name or e-mail address and password, then it is a scam. You should also report the e-mail to eBay and your internet service provider by clicking the “Report Spam icon” or similar option on your browser. [[eBay also provides an email address to report the matter to eBay:]]

You can also spot fake emails by checking the e-mail carefully for misspellings, requests for information that your bank, eBay, etc., already have, such as your username, password, account number, social security number, mother’s maiden name, or credit card number, and other suspicious signs that the e-mail could be a scam. Many institutions provide tutorials and alerts to warn their customers and other consumers on how to identify a spoof e-mail. You should be careful not to click on any links contained in the phishing e-mail you receive.

Some phishing emails have attachments that contain computer viruses and spyware including dangerous Trojan Horse viruses that damage your computer and lead to other scams. America Online [AOL] and its customers were the subject of such an attack. It is trickier than most phishing scams. The scam started with a phony e-mail purporting to come from Hallmark (or other e-card services like Blue Mountain) and it asked the recipient to download an attachment in order to pick up an e-card from a loved one. The attachment was not an e-card. [[Legitimate Hallmark e-card notifications are never sent with attachments. If you receive an e-mail from Hallmark with an attachment, it is a scam. Hallmark e-cards will come from or from the address of the person sending you the e-card. Real Hallmark e-card notifications will contain the retrieval number of the card being sent to you.]] It was a Trojan Horse computer virus. Once downloaded, the Trojan Horse waited for the recipient to sign on to AOL. When the recipient logged on to AOL, the Trojan Horse presented a pop-up that resembled an AOL form and asked for verification and update to the consumer’s AOL billing information. It also sought credit card numbers, checking account numbers, and social security numbers. Both the Hallmark e-mail and the pop-up are part of this scam and are not from Hallmark or AOL.

Never provide financial or account information in an e-mail, instant message or pop-up window. Your computer should be upgraded to use the most up-to-date anti-virus software. Anti-virus software can protect your computer from downloaded software and program attacks, such as Trojan Horses, worms, viruses, etc. These items can damage your computer and cause it to crash, erase information, garble your saved programs and files, and cause you serious problems. Some items can cause your computer to transmit information from your computer to remote sites while online. [["Spyware" is software that collects data without the prior knowledge or informed consent of the data's owner.]] Using anti-virus software is just as important as backing up your computer software and data frequently.

One of the more famous phishing scams using a bank name involved SunTrust Bank. [[Related scam: Washington Mutual Bank 'Reconfirm Account Information' Scam.]] Countless consumers got emails stating that their SunTrust bank account had been compromised and called for the consumer to click to a spoofed SunTrust web site that appeared to be the legitimate SunTrust Bank web site. Now, some consumers readily knew that they had no account or relationship with SunTrust Bank and did not respond. However many SunTrust customers were lured in. The scammer is playing the odds that some small percentage of recipients will respond. Scammers even share and sell victim lists, containing email addresses of elderly, wealthy and other consumers who were duped in the past.

Most banks and other financial institutions have very strict policies about emailing their customers and will not ask for sensitive data by email under any circumstances. You can even check the email policy of your own bank or financial institution. If the email you receive violates that policy, do not respond to the email.

If your account is compromised, close it. You might even consider changing banks, credit card companies, etc. Get your credit report copies and study the inquiries, account listings, recent addresses reported and always contest any errors in writing to the credit reporting agencies, Experian, Equifax, Trans Union and the ‘new kid on the block,’ Innovis. [[Information about how to obtain your credit reports, how to lodge disputes, who to write and what laws govern various credit reporting issues, can be found in the Dispute Forum at and its sister site,]] Errors are prevalent so checking your credit quarterly is a good idea regardless of whether you are the victim of a fraudulent scam.

The Federal Trade Commission releases its annual report detailing consumer complaints each year. The FTC highlights the “Top 10 Fraud Complaint Categories” reported by consumers. Since 1999 to the present date, identity theft topped the FTC’s list, accounting for 42 percent of the 500,000 complaints lodged in 2003. Internet-related complaints accounted for 55 percent of all fraud reports in 2003, up from 45 percent in 2002. By comparison, in 2006, consumers reported over 670,000 cases of fraud and identity theft to the FTC. Those frauds cost the consumers $1.2 billion in losses. ID theft was again the most common complaint, accounting for 36 percent, or 246,035, of the complaints. [[The FTC has reported that the amount lost in consumer frauds has increased steeply in recent years, jumping from $569 million in 2004 to $1.2 billion in 2006. The average loss reported was $3,257.00]] Credit card fraud is the most common form of identity theft, making up 25 percent of the identity theft complaints, followed by phone or utilities fraud and bank fraud.

Though hard to document, a large number of the identity theft cases and credit card fraud came from data breaches at companies that track consumer information. ChoicePoint Inc., which provides credit information and other consumer data to insurance and finance companies, agreed in January, 2006 to pay the FTC a $15 million penalty to settle charges that its security procedures violated consumers' privacy rights after thieves infiltrated the company's massive database.

Be careful on the internet. Do not be paranoid. Limit your sharing of your personal and sensitive information. Frequently check your credit reports. Contest all inaccuracies and always keep copies of your letters, credit reports, and account statements. If you receive emails from suspicious sources, do not even open those emails and simply delete them. If it is legitimate, the source will contact you through more appropriate channels. Authentication is a shared responsibility. You need to authenticate who you are dealing with before you share sensitive information. It will make your life a lot easier when you take greater care in who you place trust.
David A. Szwak
Bodenheimer, Jones & Szwak, LLC
416 Travis Street, Suite 1404, Mid South Tower
Shreveport, Louisiana 71101
318-424-1400 / Fax 221-6555
President, Bossier Little League
Chairman, Consumer Protection Section, Louisiana State Bar Association
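
The spoofing tricks the article describes (a numeral "1" for the letter "l", a "0" for an "O", ".net" in place of ".com") can be checked mechanically when a link arrives in an e-mail. The Python below is an added example, not part of the original article: the brand list, function names and sample message are constructed for illustration, the last two host labels are assumed to be the registered name and suffix, and the final check (a brand name appearing elsewhere in an unrelated host) goes one step beyond the substitutions the article lists.

```python
import re
from urllib.parse import urlsplit

# Assumption: brands to protect and the suffix each really uses (constructed list).
KNOWN = {"ebay": "com", "suntrust": "com", "hallmark": "com"}
# The swaps the article names: digit 1 for letter l, digit 0 for letter o.
FOLD = str.maketrans("10", "lo")

def check_link(url):
    """Classify one link; returns (verdict, brand or None)."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    labels = host.split(".")
    if len(labels) < 2:
        return ("unrelated", None)
    # Simplification: last two labels are name + suffix (wrong for co.uk etc.).
    name, tld = labels[-2], labels[-1]
    if KNOWN.get(name) == tld:
        return ("legitimate", name)
    if name in KNOWN:
        return ("tld-swap", name)              # e.g. .net instead of .com
    if name.translate(FOLD) in KNOWN:
        return ("lookalike-characters", name.translate(FOLD))
    folded_host = host.translate(FOLD)
    for brand in KNOWN:                        # brand name used only as decoration
        if brand in folded_host:
            return ("brand-in-foreign-domain", brand)
    return ("unrelated", None)

def suspicious_links(body):
    """Return (url, verdict, brand) for every link that imitates a known brand."""
    hits = []
    for url in re.findall(r"https?://[^\s<>\"']+", body):
        verdict, brand = check_link(url)
        if verdict not in ("legitimate", "unrelated"):
            hits.append((url, verdict, brand))
    return hits

# Constructed sample message, not a real e-mail.
SAMPLE = """Your account has been compromised. Confirm your details at
http://www.ha11mark.com/pickup or http://suntrust.net/login today.
Help pages: https://www.ebay.com/help
Sign in: http://signin.ebay.com.example.net/ws
News: https://example.org/news
"""

if __name__ == "__main__":
    for hit in suspicious_links(SAMPLE):
        print(hit)
```

A "legitimate" verdict only means the host name matches the list; it says nothing about whether the sender of the e-mail is genuine.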