Don’t Be “Phooled” By Phishing. Federal Trade Commission, National Consumers League, Microsoft Corporation. March 31, 2005

Don’t Be “Phooled” By Phishing


Page 1: Don’t Be “Phooled” By Phishing

Don’t Be “Phooled” By Phishing

Federal Trade Commission

National Consumers League

Microsoft Corporation

March 31, 2005

Page 2: Don’t Be “Phooled” By Phishing

Susan Grant

Director, National Consumers League’s National Fraud Information Center and Internet Fraud Watch Program

Page 3: Don’t Be “Phooled” By Phishing

Phishing Statistics

#4 Internet Fraud

#10 Telemarketing Fraud

– National Fraud Information Center / Internet Fraud Watch, National Consumers League, 2004

43% or 91 million U.S. adults have received a phishing contact

Of those, 5% or 4.5 million U.S. adults have provided personal information to phishers

– STAR/First Data, November 2004

Page 4: Don’t Be “Phooled” By Phishing

www.phishinginfo.org

Page 5: Don’t Be “Phooled” By Phishing

Can You Spot a Phish?

Jacqueline Beauchere

Business Strategy Manager

Microsoft Corporation

Page 6: Don’t Be “Phooled” By Phishing

Deceptive Address

Source code reveals actual mail from address as “href=mailto:[email protected]”

Deceptive Link

Source code reveals that the actual address linked to is href=http://www.online-msnupdate.com/?sess=qCKWmHUBPPZwT8n4GEMNh7owHDEGt40IHKG5tAGiqGOjNeovRc&[email protected]

The difference between these two URLs could be a sign that the message is fake. (However, even if the URLs are the same, don't let down your guard, because the pop-up could be a trick, too.)

Alarmist Message

Criminals try their best to create a sense of urgency so you'll respond without thinking. Also, look for misspellings, grammatical errors, and typos--such as “…an access to MSN services for your account…”

Unpersonalized Messages

Be wary if a company you regularly do business with fails to address you by name.

Page 7: Don’t Be “Phooled” By Phishing

Know the Company

eBay generally does not send out emails to customers containing login links. Look carefully at the status bar for all links and URLs—the URL in the status bar for the login link is not eBay.com.

Differences between links or URLs in an email and the status bar should make you suspicious. If you receive an e-mail like this one, open a new browser window, type in the URL yourself and log in to your account to see if there are any real account problems.

PHISH

Page 8: Don’t Be “Phooled” By Phishing

Look carefully at the link. See the @ sign? This is a common phishing trick. In some browser applications, when a URL uses an @ sign, everything to the left of the @ sign is disregarded and the browser only reads to the right of the @ sign. When you see or suspect an @ trick, be suspicious. If you think that the sender of the email has no legitimate association with the domain you see there, suspect a phish.

PHISH

Page 9: Don’t Be “Phooled” By Phishing

Aaron Kornblum

Internet Safety Enforcement Attorney

Microsoft Corporation

Page 10: Don’t Be “Phooled” By Phishing
Page 11: Don’t Be “Phooled” By Phishing

MSN Billing Phishing Case

1 MS filed John Doe lawsuit in WA

2 Issued subpoenas to web hosts in CA

3 Subpoenas identified ISP in Austria

4 Austrian ISP identified IP address registered to Qwest in the US

5 Subpoena to Qwest and investigations identified Jayson Harris in Iowa, US

6 Referred to FBI and obtained $3 million Default Judgment

Page 12: Don’t Be “Phooled” By Phishing

Lydia Parnes

Acting Director, Bureau of Consumer Protection

Federal Trade Commission

Page 13: Don’t Be “Phooled” By Phishing

Tip Number 1:

• If you get an email or pop-up message that asks for personal or financial information, don’t reply, and don’t click on the link in the message. Legitimate companies don’t ask for this information by email.

Tip Number 2:

• Don’t email personal or financial information.

Tip Number 3:

• Read your credit card and bank account statements as soon as you receive them to spot any unauthorized charges.

Tip Number 4:

• Use anti-virus software and a firewall, and keep them up-to-date.

Tip Number 5:

• Report suspicious activity to the FTC.