What is phishing?
‘Phishing’ refers to emails that trick people into giving out their personal and banking information; they can also be sent by SMS. These messages seem to come from legitimate businesses, normally banks or other financial institutions or telecommunications providers. The scammers are generally trying to get information like your bank account numbers, passwords and credit card numbers, which they will then use to steal your money.
Phishing emails often look genuine and use what look to be genuine internet addresses—in fact, they often copy an institution's logo and message format, which is very easy to do. It is also common for phishing messages to contain links to websites that are convincing fakes of real companies' home pages.
The website that the scammer’s email links to will have an address (URL) that is similar to but not the same as a real bank's or financial institution’s site. For example, if the genuine site is at 'www.realbank.co.za', the scammer may use an address like 'www.realbank.co.za.log107.biz' or 'www.phoneybank.co.za/realbank.co.za/login'.
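The address check described above, as an added example that is not part of the original page: it reads the host name from its right-hand end, which is the part that decides who owns the site, and classifies the three sample addresses from the text. The function names and the use of 'realbank.co.za' as the trusted domain are assumptions made for illustration.

```python
from urllib.parse import urlsplit


def host_of(link: str) -> str:
    """Return the lower-cased host name of a link, tolerating a missing scheme."""
    if "://" not in link:
        link = "https://" + link  # the sample addresses in the text carry no scheme
    host = urlsplit(link).hostname or ""
    return host.rstrip(".").lower()


def classify_link(link: str, trusted_domain: str) -> str:
    """Compare a link with the domain the reader expects to land on.

    Returns one of:
      'genuine'         host is the trusted domain or a subdomain of it
      'lookalike-host'  trusted name is embedded in a host that ends elsewhere
      'lookalike-path'  trusted name appears only after the host, in the path
      'unrelated'       trusted name does not appear at all
    """
    trusted = trusted_domain.rstrip(".").lower()
    host = host_of(link)
    # Only the END of the host name matters; the dot stops 'notrealbank.co.za'
    # from passing as 'realbank.co.za'.
    if host == trusted or host.endswith("." + trusted):
        return "genuine"
    if trusted in host:
        return "lookalike-host"
    if trusted in link.lower():
        return "lookalike-path"
    return "unrelated"


# Sample addresses taken from the text above.
SAMPLES = [
    "www.realbank.co.za",
    "www.realbank.co.za.log107.biz",
    "www.phoneybank.co.za/realbank.co.za/login",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{classify_link(sample, 'realbank.co.za'):15} {sample}")
```

The trusted domain has to come from a source other than the message itself, such as a bookmark or a bank statement.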
- You receive an email or SMS claiming to be from a financial institution or telecommunications provider. This message may seem to be from your bank, service provider or a business you don’t have an account with. The email contains a link that leads you to a website where you are prompted to enter your bank account details.
- The email does not address you by your proper name.
- The email might contain typing errors and grammatical mistakes.
- The email might claim that your details are needed for a security and maintenance upgrade, to ‘verify’ your account or to protect you from a fraud threat. The email might even state that you are due to receive a refund for a bill or other fee that it claims you have been charged.
Protect yourself from phishing scams
- NEVER send money or give credit card or online account details to anyone you do not know and trust.
- Do not give out your personal, credit card or online account details over the phone unless you made the call and know that the phone number came from a trusted source.
- Do not open suspicious or unsolicited emails (spam)—ignore them. You can report spam to the Australian Communications and Media Authority. If you do not wish to report the message, delete it.
- Do not click on any links in a spam email or open any files attached to them.
- Never call a telephone number that you see in a spam email or SMS.
- If you want to access an internet account website, use a bookmarked link or type the address in yourself—NEVER follow a link in an email.
- Check the website address carefully. Scammers often set up fake websites with very similar addresses.
- Never enter your personal, credit card or online account information on a website if you are not certain it is genuine.
- Never send your personal, credit card or online account details through an email.
Do your homework
If you receive an email claiming to be from a bank, other financial institution or telecommunications provider that asks you to enter your details—delete it! A legitimate bank or financial institution will NEVER send an email like this.
If the email appears to be from your bank or financial institution and you think it might be genuine, telephone your bank or financial institution to let them know about the email and ask their advice. DO NOT call any telephone number listed in the email; instead, use a phone number that appears on your bank statement or card or in the telephone directory. Many banks and financial institutions now have specialised internet security staff who can help you.
You should NEVER give your personal or bank account details to people you don’t know and trust. Don’t be fooled by an email that looks legitimate or appears to link to a genuine website. If you think the email may be genuine, ALWAYS contact your bank to confirm an email’s legitimacy before replying. Your best defence is to delete the email straight away.
- Watch out for “phishy” emails. The most common form of phishing is emails pretending to be from a legitimate retailer, bank, organization, or government agency. The sender asks to “confirm” your personal information for some made-up reason: your account is about to be closed, an order for something has been placed in your name, or your information has been lost because of a computer problem. Another tactic phishers use is to say they’re from the fraud departments of well-known companies and ask to verify your information because they suspect you may be a victim of identity theft! In one case, a phisher claimed to be from a state lottery commission and requested people’s banking information to deposit their “winnings” in their accounts.
- Don’t click on links within emails that ask for your personal information. Fraudsters use these links to lure people to phony Web sites that look just like the real sites of the company, organization, or agency they’re impersonating. If you follow the instructions and enter your personal information on the Web site, you’ll deliver it directly into the hands of identity thieves. To check whether the message is really from the company or agency, call it directly or go to its Web site (use a search engine to find it).
- Beware of “pharming.” In this latest version of online ID theft, a virus or malicious program is secretly planted in your computer and hijacks your Web browser. When you type in the address of a legitimate Web site, you’re taken to a fake copy of the site without realizing it. Any personal information you provide at the phony site, such as your password or account number, can be stolen and fraudulently used.
- Never enter your personal information in a pop-up screen. Sometimes a phisher will direct you to a real company’s, organization’s, or agency’s Web site, but then an unauthorized pop-up screen created by the scammer will appear, with blanks in which to provide your personal information. If you fill it in, your information will go to the phisher. Legitimate companies, agencies and organizations don’t ask for personal information via pop-up screens. Install pop-up blocking software to help prevent this type of phishing attack.
- Protect your computer with spam filters, anti-virus and anti-spyware software, and a firewall, and keep them up to date. A spam filter can help reduce the number of phishing emails you get. Anti-virus software, which scans incoming messages for troublesome files, and anti-spyware software, which looks for programs that have been installed on your computer and track your online activities without your knowledge, can protect you against pharming and other techniques that phishers use. Firewalls prevent hackers and unauthorized communications from entering your computer – which is especially important if you have a broadband connection because your computer is open to the Internet whenever it’s turned on. Look for programs that offer automatic updates and take advantage of free patches that manufacturers offer to fix newly discovered problems.
- Only open email attachments if you’re expecting them and know what they contain. Even if the messages look like they came from people you know, they could be from scammers and contain programs that will steal your personal information.
- Know that phishing can also happen by phone. You may get a call from someone pretending to be from a company or government agency, making the same kinds of false claims and asking for your personal information.
- If someone contacts you and says you’ve been a victim of fraud, verify the person’s identity before you provide any personal information. Legitimate credit card issuers and other companies may contact you if there is an unusual pattern indicating that someone else might be using one of your accounts. But usually they only ask if you made particular transactions; they don’t request your account number or other personal information. Law enforcement agencies might also contact you if you’ve been the victim of fraud. To be on the safe side, ask for the person’s name, the name of the agency or company, the telephone number, and the address. Get the main number from the phone book, the Internet, or directory assistance, then call to find out if the person is legitimate.
- Job seekers should also be careful. Some phishers target people who list themselves on job search sites. Pretending to be potential employers, they ask for your social security number and other personal information. Follow the advice above and verify the person’s identity before providing any personal information.
- Be suspicious if someone contacts you unexpectedly and asks for your personal information. It’s hard to tell whether something is legitimate by looking at an email or a Web site, or talking to someone on the phone. But if you’re contacted out of the blue and asked for your personal information, it’s a warning sign that something is “phishy.” Legitimate companies and agencies don’t operate that way.
- Act immediately if you’ve been hooked by a phisher. If you provided account numbers, PINs, or passwords to a phisher, notify the companies with whom you have the accounts right away.
- Report phishing, whether you’re a victim or not. Tell the company or agency that the phisher was impersonating.