Protecting Yourself

Now that you know what phishing is, you can work to prevent it from happening to you. This page offers a series of scenarios. Pick the action you think is most appropriate and we’ll discuss it.

On the Phone

Scenario 1

The phone rings. A very pleasant-sounding woman is on the line from your credit card company. According to the woman, there has been a rash of card fraud in your area, and the credit card company needs your card number to verify you haven’t been targeted. Do you:

  A. Give her your credit card number.
  B. Refuse and hang up.
  C. Take the woman’s contact info and call the credit card company’s customer service line to verify the woman’s request.

As long as you didn’t pick A, you should be okay. Remember, a key to keeping your information secure is to never give it away.
Option B works, but you’re leaving yourself open. You’ve been targeted by a phishing scheme, and by not alerting anyone, you’re no better off than before the phone call.
By alerting the credit card company in option C, you may be able to flag your account for potentially suspicious activity or even help catch the data thieves.

Scenario 2

The power company calls. During a routine audit, they find a problem with your account. They need your social security number to match to their records, or they’ll be forced to shut off your electricity. Do you:

  A. Ask questions, ultimately refusing the request.
  B. Give the caller your social security number.
  C. Break out the candles.

When in doubt, start asking questions. Why does the power company need your social security number? Why is there no written warning? What is the person’s name, title, and extension? Even if the call sounds legitimate, ask for the problem in writing or call the power company on your own. Never give out your information to people who call asking for it.
The power company will not suddenly turn off your power because of one phone call, even if there were account problems. Messages that carry a sense of urgency and threaten dire consequences should raise red flags.

Through the Postal Service

Scenario 1

It’s time to pay the bills. Do you:

  A. Mail your bill payments from your mailbox the night before.
  B. Mail your bill payments from a locked mailbox or at the post office.
  C. Pay your bills online with a bill payment service.

Phishers are known to go through people’s garbage and mail to gather information. Just because something is in your trash can or mailbox doesn’t mean it’s safe. Send your bills via a secure environment such as the post office. Better yet, ditch paper altogether and use an online bill pay service; it’s safe and convenient.
In general, the less paper you deal with, the better.


Scenario 1

You get an email from your credit union asking you to verify your account by clicking a link and logging in. Do you:

  A. Reply to the email with your account information.
  B. Open your browser, type your bank’s web address and log in.
  C. Click the link, log in and verify your account settings.

You definitely don’t want option A. Remember, email is not a secure channel. Any email you send is delivered unencrypted and stored on any number of servers. Your internet provider, your employer, and the recipient’s server may all have copies of whatever email you have ever sent, depending on where you sent it.
Unlike a secure web site, email is not encrypted; anyone with access can read your messages. Same goes for your instant messages if you’re into chat rooms. Think about that next time you think about emailing your friends about that embarrassing medical condition.
Back to the scenario, option C’s no good either; this is a classic phishing technique. There are all kinds of ways to hide information in emails, from the sender’s identity to the provided URL. Whether the email is legitimate or not, you should never follow a link in an email. You just don’t know where it could lead.
In a phisher’s case, links in emails lead to web sites that look like your credit union’s web site but are really traps to capture the financial data of you and your fellow credit union members.
Looks are deceiving. Always make sure you’re on the web site you think you’re on by manually typing in a known good URL for the site you’re trying to reach. When in doubt about the correct URL, contact the institution in person or by phone using a known good phone number to verify their web site domain name.

Scenario 2

You’re shopping online. Ready to checkout, you notice the web page with the credit card form doesn’t have the little lock in the bottom corner. Do you:

  A. Ignore it. It’s not like the lock means anything.
  B. Proceed cautiously, looking for other means of ordering or a secure form page.
  C. Abandon your cart and shop somewhere else.

First, the lock means not only that your data is being encrypted, but also that your secure connection is with the web server it’s supposed to be.
Anyone can establish a secure connection. What the lock icon means is that the server has been registered and certified. A third-party company like Thawte or Verisign verifies that the company and the web server match.
Still, don’t trust just the certificate. Whether the page you’re on is secure or not, as long as the destination is secure, that connection is secure. Unfortunately, the opposite is also true. Even if you’re on a secure page now, if you submit a form to an unsecured page, that connection is wide open. Sometimes, it’s okay to proceed even if you don’t see a lock icon – just be sure of what you’re doing and where that data is going. Your web browser has built-in settings to help you make those choices.
Of course, this is the Internet we’re talking about. Everything is for sale from any number of companies. If a business doesn’t try hard enough to make you feel secure in your shopping, go to an online vendor that does.
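The point above about where a form sends its data can be checked mechanically. This added example (not from the original page) resolves each form's destination against the page URL the way a browser would and reports whether that destination uses HTTPS. The function names, the field-name hints and the sample forms are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

SENSITIVE_HINTS = ("card", "cc-", "cvv", "ssn", "password")  # assumed field-name hints

class FormCollector(HTMLParser):
    """Records each form's action and whether it asks for sensitive-looking data."""
    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._current = {"action": attrs.get("action") or "", "sensitive": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            # Look at type, name and autocomplete for hints such as "card" or "password".
            described = " ".join(attrs.get(k) or "" for k in ("type", "name", "autocomplete"))
            if any(hint in described.lower() for hint in SENSITIVE_HINTS):
                self._current["sensitive"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None

def audit_forms(page_url, html):
    """Resolve each form's destination as a browser would and report its scheme."""
    parser = FormCollector()
    parser.feed(html)
    report = []
    for form in parser.forms:
        # An empty or relative action is resolved against the page's own URL.
        destination = urljoin(page_url, form["action"])
        report.append({
            "destination": destination,
            "encrypted": urlsplit(destination).scheme == "https",
            "sensitive": form["sensitive"],
        })
    return report

# Constructed checkout forms (example.com is reserved for documentation).
OPEN_FORM = '<form action="http://shop.example.com/pay"><input name="card_number"></form>'
SECURE_FORM = '<form action="https://pay.example.com/charge"><input name="card_number"></form>'
RELATIVE_FORM = '<form action="/pay"><input type="password" name="pin"></form>'
```

Run against `OPEN_FORM` on an `https://` page, the report shows an unencrypted destination despite the lock. `RELATIVE_FORM` inherits whatever scheme the page itself was loaded over.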
