Welcome to Consumer Reports Advocacy

For 85 years CR has worked for laws and policies that put consumers first. Learn more about CR’s work with policymakers, companies, and consumers to help build a fair and just marketplace at TrustCR.org

Stop phishing

Consumers Union’s Web Watch tips on avoiding phishing

Consumer Reports WebWatch
Cybercrime Prevention Project
Factsheet #3: Don’t Get Phished

This is the third in a series of factsheets published by Consumer Reports WebWatch, with grant support from the New York State Attorney General’s Office.

Has this ever happened to you? You get an e-mail that looks like it’s from eBay, PayPal or Citibank, asking you to update your account. But don’t click on that link! You may wind up on a Web site built by scam artists that downloads a keystroke logger to your home computer that records all your passwords and sends the information to a stranger overseas. Millions of people have fallen for scams like this – even if they don’t do business with the company sending the e-mail. Phishing e-mails usually pretend to originate from financial services companies, Internet service providers or retailers, though some entrepreneurial phishing scammers once even hijacked the name of the U.S. Federal Trade Commission, responsible for prosecuting e-mail fraud.

Depending whom you talk to, the boom in phishing scams has stabilized a bit, but scammers’ phishing techniques are improving. Popular social-engineering techniques that entrap consumers include: Associating the mail with a holiday or event, such as the World Cup; spear-phishing, when the sender appears to be someone inside the company you work for; or an e-mail telling you your bank account has been compromised, urging you to enter personal information into a fake site that looks like the bank’s.

Here are five tips to help you avoid being phished:

1. Be skeptical of any e-mail, and avoid using hyperlinks in e-mail. They may show one address, but take you to another. Delete any e-mails that seek to send you to a Web page via a link in the e-mail’s text. Legitimate e-mails will ask you to go to a specific Web site — type its address into your browser or use your own bookmark. Financial institutions are beefing up security against phishing techniques. Bank of America and Vanguard now ask customers to select a personalized image or phrase to appear whenever they access the site to let them know it’s the real thing.

2. On Web pages, mouse over the URL and see whether the address that appears at the bottom of your browser looks related to a page or site you expect to visit. When you arrive at the site, verify that the URL shown in your browser’s address bar is the correct one. Pay attention to the part of the URL between “http:// ” (or https:// ) and the next slash. Look for tricks such as the use of a zero where the letter O should be. Verify the address, then type it into your browser. Or use a favorite or bookmark you’ve already stored in your browser.

3. Watch carefully for misspellings and poor grammar, one of the surest signs of a phishing scam.

4. Report phishing. If you receive a phishing e-mail, forward it to the Anti-Phishing Working Group (reportphishing@antiphishing.org), the Federal Trade Commission (spam@uce.gov), and the company or organization being impersonated. You also can file a complaint with the FBI’s Internet Crime Complaint Center at www.ic3.gov

5. Use a Web browser with site verification tools, such as Firefox (http://www.mozilla.com/en-US/firefox/), or software such as McAfee’s Site Advisor (http://www.siteadvisor.com/), which tests sites and tells users the results via a free download.

For more information, and to keep up to date on the latest phishing scams and resources for consumers, bookmark Consumer Reports WebWatch: http://www.consumerwebwatch.org