Kitsap Peninsula Business Journal
5-5-2006
SPECIAL REPORT - TECHNOLOGY & THE INTERNET
Don’t get caught in a phishing net
By Maura Hallam Sweley
Webopedia, the online dictionary and search engine for computer and Internet technology terms, defines phishing as “The act of sending an email to a user falsely claiming to be an established legitimate enterprise in an attempt to scam the user into surrendering private information that will be used for identity theft.”

Phishing emails can be extremely deceiving. They often look as if they come from the organization they falsely claim to be from, and the Web sites they send you to, if you are unfortunate enough to fall for their scam, look exactly like the organization’s Web site — usually because the phishing scammers have stolen the company’s Web site design code.

Although it can be a challenge, there are usually clues to indicate that a phishing email message is not legitimate.

“An obvious example would be that it comes from an organization with which the recipient is not affiliated,” said Jeff Jones of Trust CC, an information technology security firm and a sponsor of the West Sound Technology Professionals Association. “This is actually quite common.”

Phishing scams will send out thousands of fake email messages in hopes of connecting with individuals who have accounts with the organizations that they are pretending to be. Naturally many of these “phishing expeditions” end up in the email inboxes of people who have no affiliation with the organization at all.

Additional Resources

The Carnegie Mellon Software Engineering Institute

Internet Identity

Office of the Attorney General Junk Email Site

FTC Spam Home Page

FTC Identity Theft Site

Sam Spade

Another clue to be on the lookout for is the fact that the Web address used in the message is not the one typically used by the organization.

“If the normal URL is www.abcbank.com and the email comes from www.abc_bank.com or links in the email point to addresses such as http://192.168.1.230/abcbank.com,” said Jones, “then chances are the email is an attempt at phishing.”

In some cases, the URL shown in the email message is faked well enough that the recipient cannot tell it is wrong just by reading it. In that case, said Jim Kendall of Telebyte Northwest Internet Services, looking at the HTML source code of the email may reveal the scam.

“If you look at the URL in the source code, you’ll see that the link will go to some IP address instead of a legitimate link,” said Kendall. “It’s very subtle.”
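To make the two clues Jones and Kendall describe concrete, here is an added Python example (not from the article or the firms quoted in it) that scans an email's HTML body for links whose real target is a bare IP address, whose visible text names a different host than the href, or whose host is not the expected domain. The sample body and the legitimate domain abcbank.com are constructed from the article's own example.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Link text that itself looks like a domain or URL, e.g. "www.abcbank.com"
DOMAIN_LIKE = re.compile(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?$", re.I)
class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a> tag in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None
def host_of(value):
    """Hostname of a URL, or of bare text such as 'www.abcbank.com/login'."""
    url = value if "://" in value else "http://" + value
    return (urlparse(url).hostname or "").lower()
def is_ip(host):
    try:
        return bool(ipaddress.ip_address(host))
    except ValueError:
        return False
def suspicious_links(html, legit_domain):
    """Return (href, reason) for each link that shows one of the clues above."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        target = host_of(href)
        shown = host_of(text) if DOMAIN_LIKE.match(text) else ""
        if is_ip(target):                # real target is a bare IP address
            findings.append((href, "target is an IP address, not a domain"))
        elif shown and shown != target:  # displayed address differs from the real one
            findings.append((href, f"shows {shown} but goes to {target}"))
        elif target != legit_domain and not target.endswith("." + legit_domain):
            findings.append((href, f"{target} is not {legit_domain}"))  # lookalike
    return findings

# Constructed sample body modelled on the article's abcbank examples.
SAMPLE = ('<a href="http://192.168.1.230/abcbank.com">www.abcbank.com</a> '
          '<a href="http://www.abc_bank.com/login">log in</a>')
```

Running `suspicious_links(SAMPLE, "abcbank.com")` flags both links, while a link to https://www.abcbank.com/help is left alone.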

Of course, the simple fact that these email messages ask for personally identifying information, such as usernames, passwords, social security numbers and so on, is the clearest indicator that the email is not legitimate.

“Simply put, financial institutions will not ask for this kind of information from their customers via email,” said Jones. “Other organizations should not be, either.”

Your best response if you receive an email message that you think might be part of a phishing scam is to get rid of it right away.

“When you get one of those [phishing messages] your immediate response should be ‘delete,’” said Kendall.

Kendall warned of the potential dangers involved in even following a link within a phishing email, even out of curiosity.

“The problem is that even just going there they can see where you’re coming from,” he said. “They can download code onto your machine or hijack it. The safest thing to do is never open the darn thing.”

After you’ve deleted the suspicious email message, there are steps you can take to report what’s happened. A number of organizations, such as eBay and PayPal, have dedicated security areas on their site that you can use to report suspicious messages that you’ve received purporting to have come from them.

Even if the organization doesn’t have a dedicated system to address potential phishing scams, it’s still a good idea to notify them.

“The best place to start is to call the organization and let them know about it,” said Jones. “This allows the organization to take measures to stem the tide and hopefully prevent others from being duped into giving away sensitive information.”

Other resources for reporting phishing scams are:

The Anti-Phishing Workgroup (APW), www.antiphishing.org. The APW compiles statistical information about phishing in general, investigates phishing attacks and helps to facilitate the “taking down” of perpetrators’ Web sites. Individuals can report email as a potential phishing attack through this site.

FTC. Suspicious emails can be forwarded to spam@uce.gov. The FTC uses the spam stored in this database to pursue people who send deceptive email.

State Attorney General’s Office. The Washington State Attorney General has a junk mail complaint form, www.atg.wa.gov/consumer/forms/emailcins.html, which you can fill out in cases where you believe an unsolicited email message has violated Washington law.

If you are concerned that you have fallen for a phishing scam and that you may have given away personal information you should report it right away to your bank, credit card company or other relevant organization to help avoid being the victim of identity theft.

Although phishing scams are increasingly clever and sophisticated they are easy to avoid, as long as you take the time to look for the signs that an email message is not legitimate.

“You just have to be very aware,” said Kendall, “and not allow yourself to get complacent.”