
Avoid Letting Yourself Get Hooked by an Internet ‘Phishing’ Expedition

Times Staff Writer

Two weeks ago, thousands of Internet users got an urgent message: Update your bank account information now or your federal deposit insurance may lapse.

The message was accompanied by a link to what looked like the official site for the Federal Deposit Insurance Corp., which insures bank deposits for as much as $100,000. But the real FDIC had nothing to do with the site, which asked depositors to divulge private information.

The FDIC scam is just one example of “phishing” -- computer-geek slang for a con that aims to lure consumers into providing bank or credit card information so the swindler can run up bills or clean out the victim’s bank account.


To protect yourself from getting hooked, experts say it’s wise not to respond to any request for financial information unless you have initiated the contact. The request may look real, but so do the artificial flies that anglers use to tempt trout.

“Do not provide any personal or sensitive information in response to an unsolicited e-mail,” warned Mark Rodgers, spokesman for Citibank.

Victims can be easily fooled. The hackers conceal their true Web address, while displaying what appears to be the real company’s Web address on the computer screen. That can cause even fairly sophisticated people to succumb to the fraud, experts note.

“Phishing is a two-tiered scam,” said John Hall, spokesman for the American Bankers Assn. “First the crook steals a company’s identity. Then they use that to victimize consumers by trying to steal their financial information.”

No one knows precisely how many phishing scams are operating or how much they’ve cost the public, but industry experts estimate that tens of millions of people have been targeted. Even if just a small fraction of the recipients respond, the con artist can make a killing. And experts maintain that the pace of phishing expeditions is picking up.

“By sending out millions of e-mails, they hope to get just a handful of responses and profit from other people’s naivete,” said Hall. “It’s the latest big scam.”


One of the most troubling aspects of phishing is how real the bogus Web pages can look, said Elizabeth Ford, an FDIC spokeswoman. The site mimicking the FDIC’s looked remarkably professional, she said. However, the real FDIC site would never request a visitor’s bank account information and personal identification numbers the way the phony site did.

After getting several frantic phone calls, the FDIC was able to find and shut down the bogus site. The agency then issued warnings to member banks and the public.

“This e-mail was not sent by the FDIC and is a fraudulent attempt to obtain personal information from consumers,” the agency said in its warning. “Financial institutions and consumers should not access the link provided within the body of the e-mail and should not under any circumstances provide any personal information through this media.”

Banking regulators were only among the latest targets, however. Last week, the Securities Industry Protection Corp. warned that its website was being mimicked to get investors to part with their cash and securities. The fake SIPC page urged investors to do business with a nonexistent Hong Kong brokerage. The FBI is investigating.

Users of America Online, Amazon.com, PayPal and EBay have been targeted in the past. In addition, customers of nearly every major bank in the world -- from England to Australia -- have faced a version of this scam in the last year. So have phone companies, Internet service providers and credit card companies.

New York-based Citibank has been hit so many times that the company has an “about e-mail fraud” link on the home page of its website and posts more than a dozen of the bogus communiques online.


“It is happening all over the place,” said Citibank’s Rodgers. “The message we are trying to get across is certainly do not respond to those e-mails. Delete them.”

Notably, consumers are protected from losing large sums to fraud, but only if they are vigilant about tracking their accounts and reporting wrongdoing.

The maximum amount in bogus credit card charges that consumers can be held liable for is $50. That’s also the maximum consumer liability for electronic debit charges -- such as ATM withdrawals -- as long as the consumer reports the loss or theft of the ATM card or account information within two days, said the FDIC’s Ford.

A consumer who waits to report the theft until the next statement arrives could be liable for as much as $500 in losses on a debit card, she said.

Ford acknowledged that phishing could expose consumers to heavy losses.

“This is a new twist on lost or stolen ATM cards,” she said. “These situations really didn’t exist when the current laws were written.”

The solutions are simple, experts agree: Don’t click on the links; don’t answer the e-mails.


If something in an e-mail makes you concerned about the status of your account, use the phone number on the back of your credit card or the public number for the contacting company to check it out, suggested Hall.

Ford added that consumers should never give out personal identification numbers, Social Security numbers or bank account or credit card data unless they personally initiated the contact.
