Anyone with an email account is vulnerable to fraud by modern-day con artists using tactics commonly known as "phishing" and "spoofing." This article provides the basics of these online fraud tactics, how to spot them, and ultimately how to avoid becoming a victim.
Email phishing is the act of impersonating a business or other entity for the purpose of tricking the recipient of email into giving up sensitive personal information. Data gleaned from phishing often is used to commit identity theft or to gain access to online accounts.
Spoofing is similar to email phishing in that it uses deception to trick users into providing sensitive information. Email spoofing involves the use of a header appearing to have originated from someone (or somewhere) other than the true source. Similarly, IP spoofing involves the use of a forged IP address to trick the victim's computer into believing it came from a trusted source.
Most email users have received a message asking for verification of personal information at least once. Often, this sort of communcation can look something like this:
"During our regular verification of accounts, we couldn't verify your information. Please click here to update and verify your information."
Almost always, such a request for sensitive data actually is a phishing attempt. Perpetrators of phishing attacks usually seek data such as credit card numbers (along with the expiration date and security code), Social Security numbers, bank account numbers, birth dates, or various passwords. But legitimate businesses, especially financial institutions (including PayPal), do not ask for this type of information via email.
Some phishing attacks use sophisticated software to send legitimate-looking pop-up messages requesting such information. Pop-up and email messages asking the recipient to "click here" will take users to a legitimate-looking Website to fraudulently collect an unsuspecting victim's data.
As its name implies, spoofing is the act of using a faked (or "spoofed") email header or IP address to fool the recipient into thinking it is legitimate. Unsolicited spam email unrelated to phishing often uses spoofing tactics to hide its tracks, but email spoofing often is used in conjunction with phishing.
If you have received an email that appears to be from a friend but is soliciting goods or encouraging you to follow a link, you probably have been the target of spoofing. In such cases, the perpetrator has gained access to someone's address book by nefarious means.
IP spoofing frequently is used to launch denial-of-service attacks, in which a target computer is hit with an overwhelming amount of data and subsequently crashes. By spoofing the IP, the attacker can appear harmless and thus gain easy access.
The best protection is to simply pay attention. If an email or Website just doesn't seem right, or if you receive a message asking for financial or personally identifying data, you should take pause and proceed with caution.
The Federal Trade Commission (FTC) and the Federal Bureau of Investigation (FBI) offer the following tips:
Unfortunately, you may not know you have been victimized by a phishing or spoofing attack until your information has been used to commit identity theft or other crimes.
However, if you believe you have been scammed by a phishing and/or spoofing attack, file a complaint with the FTC and look for signs of identity theft (see our section on Identity Theft for more information). You also should contact your local law enforcement office and file a complaint with the FBI's Internet Crime Complaint Center.
If you receive messages that appear to be phishing or spoofing attempts (i.e. seeking sensitive data), forward it to [email protected], as well as the organization being spoofed.
Contact a qualified consumer attorney to assist with the hazards and stress accompanying identity theft and online scams.