Protecting Yourself Against E-Mail Phishing and Spoof Attacks

Most unwanted e-mail is harmless, apart from clogging your inbox. But e-mail phishing and spoof attacks are more than just a nuisance; identity thieves and cybercriminals use these techniques to steal passwords and other sensitive information to perpetrate all manner of frauds. Here are some ways to protect yourself.

Spoofing and phishing are two different, but interrelated, techniques employed by scammers to steal your personal information. Spoofing refers to the practice of "impersonating" someone else in an e-mail or on the Web. Phishing attempts to trick users into revealing their private information, usually in tandem with a spoofed e-mail and Web page.

Odds are you have been the target of a phishing/spoofing attack yourself. These usually take the form of an HTML e-mail that looks as though it has come from eBay, PayPal, or a bank or other financial institution. The e-mail may claim that your account has been compromised, or that you need to update your account information as a routine procedure. Of course, the message isn't from one of those trusted companies at all; it's from a scammer "phishing" for your sensitive information.

If you follow the link in the e-mail, you will be taken to a spoofed Web page. It looks much like a Web page for the company in question, but it isn't. If you enter the requested personal information, it will go not to the trusted company, but into the hands of the scammer, who will use or sell your information.

Phishers have gotten pretty good at spoofing Web pages and e-mail messages, making it easy to fall for their schemes. But taking a few simple precautions will keep you from ending up a victim.

1. Be careful about clicking on links in e-mail messages. If a company you do business with is requesting information from you, go directly to its Web site by typing the company's Web address in your browser, rather than clicking on the link to submit the information. Do this by opening your browser and typing the Web address yourself. Since URLs and e-mail addresses can be spoofed and redirected, never submit sensitive information in e-mail form or via a link in an e-mail message.

2. Make sure you are on a secure site. If you do go directly to the Web site and are submitting any information, check your browser and the URL. If the site is secure, your browser will show a "lock" graphic (usually in the lower right corner), and the URL will begin with "https://" and not "http://". The "s" tells you the server is employing secure HTTP.

3. If you suspect you have received a spoof e-mail, forward it to the company it appears to be from. The company can verify if it is indeed from them, or a fraud. Be sure to forward the entire e-mail, including the header information. The company can use this information to try to locate and stop the phisher — at least temporarily. You can also send the e-mail to the Federal Trade Commission at spam@uce.gov.

4. When in doubt, do not submit any information. If you even suspect you are being phished, call the company on the phone, or visit its site as outlined in steps 1 and 2.

5. Practice good general computer security measures. This includes installing and maintaining antivirus and firewall software. Some phishing e-mails include spyware that can track your Internet activity and compromise the security of your system. If you suspect you have spyware on your system, install an anti-spyware application such as Ad-Aware or Spybot Search & Destroy.