Phishing Scams
How 'phishing' scams work
Summary
'Phishing' is the name given to attempts to get you to give away important information - your social security number, your bank account details and PIN, your logins for websites such as PayPal or Amazon. The typical form is an email message that pretends to come from an institution such as a bank or a website such as eBay, saying that there's a problem with your account and asking you to log in to correct it. When you click the link in the message, you will be taken to a website that looks exactly like the one you expect to see, but is actually run by the scammer. When you type in your information, the scammer records it and then uses it to loot your bank account.
Variants
There are huge numbers of possible variants. Phishers send out spams claiming to be from every bank in existence. They also send out spams pretending to be from popular websites such as eBay, Amazon and PayPal. A common variant in the case of eBay is a spam that says that a user has a question about an item that you've advertised, and provides a convenient link that you can use to log in. For PayPal, a common trick is to report that a new email address has been added to your account, and to ask you to log in to correct it if necessary.
There have also been reports of phishing scams that used VoIP ('internet telephony') to leave phone messages instructing you to call your bank.
How to detect this scam
You can usually detect the scam by inspecting the email carefully, but this may be difficult for non-expert email users. If you have a modern email program, it may also warn you if it thinks something is a phishing attempt.
If you do click on a link in the message (which is not recommended) and end up at a website, look at the address of the website shown in your browser's address bar. The part that matters is the host name: the part between 'http://' or 'https://' and the next '/'. If you're looking at a site that says it's eBay, but that host name doesn't end in 'ebay.com', it's a phish.
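The host-name check described above, written out as an added example (not part of the original article). It assumes a constructed table of expected domains and compares whole DNS labels, so look-alike hosts such as 'notebay.com' or 'ebay.com.example.net', and addresses that hide the real host behind 'ebay.com@', are all flagged:

```python
from urllib.parse import urlsplit

# Constructed table: the domain the address bar must show for each claimed site.
EXPECTED_DOMAINS = {
    "ebay": "ebay.com",
    "paypal": "paypal.com",
}


def address_bar_host(url: str) -> str:
    """Return the host name as the browser would show it: lower-cased, with any
    'user@' prefix, port number and trailing dot removed."""
    # urlsplit().hostname already drops userinfo and port and lower-cases.
    host = urlsplit(url).hostname or ""
    return host.rstrip(".")


def looks_like_phish(url: str, claimed_site: str) -> bool:
    """True if a link that claims to be `claimed_site` does not point at that
    site's domain or one of its subdomains. Matching is done on whole labels,
    so 'notebay.com' and 'ebay.com.example.net' both count as phish."""
    expected = EXPECTED_DOMAINS[claimed_site]
    host = address_bar_host(url)
    if not host:
        return True  # no host at all (e.g. a javascript: or data: link)
    return not (host == expected or host.endswith("." + expected))


def check_links(links: list[tuple[str, str]]) -> dict[str, bool]:
    """Apply the check to (url, claimed_site) pairs; True means 'phish'."""
    return {url: looks_like_phish(url, site) for url, site in links}


if __name__ == "__main__":
    # Constructed sample links of the kind found in phishing mail.
    samples = [
        ("https://signin.ebay.com/ws/eBayISAPI.dll", "ebay"),
        ("http://www.ebay.com.example.net/signin", "ebay"),
        ("http://notebay.com/", "ebay"),
        ("http://ebay.com@198.51.100.7/", "ebay"),
        ("http://198.51.100.7/ebay.com/login", "ebay"),
        ("https://www.PayPal.com/", "paypal"),
    ]
    for url, verdict in check_links(samples).items():
        print("PHISH " if verdict else "ok    ", url)
```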
One thing that you might do is to have a special email address that you use only for communicating with your bank and sites such as PayPal and eBay. Keep that address secret and don't use it for anything else. If you get a message that claims to come from your bank at any other email address, you'll know immediately that it's a fake.
However, there's something much simpler that you can do to protect yourself: never go to PayPal or eBay or to your bank's website by clicking a link in an email or on another website. Instead, go to your web browser and type in the address of the site you want. For example, if you get a mail that seems to be from PayPal telling you that something's wrong with your account, don't click the link in the message: go to your browser and type 'www.paypal.com' instead. If the message was real, then PayPal will soon tell you what the problem is.
What to do if you get a 'phishing' spam
Ignore it. You can also report it to CERT or to the bank or organization involved. For PayPal and eBay, look for the links on their home pages that say 'Security Center'.
Never click a link in a message that could be a 'phish' and never give away important details such as your bank account, credit card or social security number to any website that might be a phishing site.
What to do if you've been phished
If you have typed in your password or other details on a website and think that it might have been a phishing site, you should immediately go to the real site and change your password. Then contact the organization involved - your bank, PayPal, eBay etc. - and ask for advice.
If you have lost money as the result of a phishing scam, contact law enforcement.
