Credit card 'phishing': What it means, how to prevent it
By Ben Woolsey
"Phishing" has recently become a familiar phrase in the banking business, but for those who haven't heard it, it doesn't involve a lazy afternoon on the dock. It is a form of fraud: Phishing is when thieves pretend to represent legitimate companies, contact consumers and extract their credit card information.
Then the phishers go shopping. For the victims, it's not phunny.
How phishing works
Phishing starts when a consumer receives an official-looking e-mail from a business. The e-mail looks in every respect like one from a trusted source, such as a bank or e-Bay. The fraudulent e-mail will come with all of the right wording and company logos and will typically profess to be doing a security check, requiring the customer to verify private information.
Consumers who fall for the phishers' scheme click on the ad or call the number and then volunteer their vital banking information: Social Security and account numbers. Then the trouble starts.
Protecting yourself from phishing
Experts say this is the key: Do not give out personal information when you have not initiated the conversation.
Unless you initiated the call, DON'T give out:
• Your date of birth.
• Your Social Security number.
• Your mother's maiden name.
• The three-digit security code on the back of your card.
Con artists' phone tricks
Do not give your information out even if someone calls and says they are with your credit card company and are investigating a potential identity theft. Ask for the caller's phone number, and offer to call back. A scammer is unlikely to give you a number. Even if he or she does, don't call back; just report it to authorities. If you call and surrender your account information, kiss your money goodbye: Thieves can use your credit card to shop online in complete anonymity.
John Brewer, assistant district attorney of the major fraud division of the Harris County (Texas) District Attorney's office, is an expert in prosecuting identity thieves. "The general rule is that nobody should ever be sending you an e-mail -- no bank, not PayPal, not your mortgage company -- saying that they need your personal identifiers such as your PIN number or expiration date," Brewer says. "Those companies already have that information. If you stop and think about, why would they be asking you for it? There may be great story in the e-mail saying the computer system is down, and sometimes they'll give you some of your information that they've stolen, such as your card number, as 'proof' that they are who they say they are."
If you get a suspicious e-mail, forward it to your bank or retailer. Most of them have internal security teams that want to stay abreast of the latest phishing techniques.
'Computers don't steal, people steal'
Theft of information over the Internet has been tempered by online security measures, and consumers can generally feel safe when shopping on websites that display a lock emblem and an "https" heading in the Internet browser. This indicates that an online retailer offers a highly secure website employing the latest in Secure Socket Layer (SSL) technology, which fully encrypts personal and credit card account data. Brewer says that online shoppers should also look for sites that have seals from companies such as VeriSign to prove that the transaction will be secure.
While many dangers lurk in e-commerce, Brewer wants consumers to know that the vast majority of credit card numbers are actually stolen in brick and mortar stores by physical employees -- not online. "Shopping over the Internet, as long as you're dealing with reputable retailer, is safe, especially when it's a site youve sought out rather than one in which you've responded to a solicitation," Brewer says. "I tell people that it's safer to shop online than in person because computers don't steal things; people steal things. When you buy something online, it's an automated process. In a store, you're handing your card to somebody. Most of the online phishing cases involve people compromising their personal information because they didn't know it was unsafe to give it out."
To ensure that you are not an identity theft victim, Brewer recommends checking your credit card statements frequently and carefully. If you are married, sit down with your spouse and account for every charge. Brewer has prosecuted criminals who steal many credit card numbers but put only nominal charges on each card, such as $9.95 or $12.50. Some will even make a $1 donation to a charity. Most consumers won't notice little charges here and there and may assume they were purchases by their spouses. The crooks make a killing when they do this to thousands of people every day.
Brewer also suggests diligently checking your credit report at least once a year to make sure you are aware of all accounts in your name, and that any time an inquiry to your report was made, you know who made it. Keeping identity theft at bay takes vigilance, but is vital if you want to keep your finances safe in this digital age.
See related: Beware the $1 scam
Updated: June 20, 2008