Welcome to Consumer Reports Advocacy

Don’t Get Hooked: Tips for Avoiding ‘Phishing’ and ‘Spoofing’

“Phishing” is a new word and a new worry for many consumers. The FBI called it the “hottest, and most troubling, new scam on the Internet.” America Online, eBay and Best Buy have been victims of it. But what, exactly, is it?

“Phishing” — sometimes called “spoofing” or “carding” — refers to online scammers posing as legitimate companies in e-mail to dupe consumers into sharing their credit-card, billing-routing, and Social Security numbers, among other sensitive information.

Here’s how it works: con artists e-mail a consumer, pretending to be a company that person has done business with — such as a bank or Internet service provider — and ask the recipient to update or validate their billing information or risk having the account closed. The e-mail message usually contains a link to a Web site that looks like the real deal, with logos and information you might find on the site of a legitimate business you trust. However, this look-alike site is an imposter, and consumers who input their personal information often become victims of identity theft, experts say.

The U.S. Federal Trade Commission (FTC) and FBI offer these tips to avoid being “phished”:

  • Don’t reply to e-mail messages requiring you to share personal information to avoid the sudden closure of your account. Do not click on links within the e-mail.
  • Open a new browser window and type in a Web address you know to be genuine to reach the company cited in the e-mail. Or call the company instead.
  • Look for a “lock” icon at the bottom of your browser and make sure “https” appears in front of the Web address before submitting any personal or financial information through a Web site. These visual clues tell you the information is encrypted while it is being transferred.
  • Report suspicious e-mail to your Internet service provider, or send the actual spam to the FTC (uce@ftc.gov).
  • Review credit-card and bank statements monthly for any unauthorized activity and report discrepancies immediately.