Been ‘phishing’ lately?

March 1, 2005
We all are used to getting those Nigerian money scams and ads for Canadian drugs and Rolex watches.

We all are used to getting those Nigerian money scams and ads for Canadian drugs and Rolex watches. But there is a new breed of emails hitting our inboxes that pose a whole new and even more dangerous threat.

You may now be receiving official looking emails from a bank or companies such as eBay or Earthlink, requesting you to verify account names, numbers, passwords, credit card numbers, and other personal information. These emails will contain a link to fake Web sites that lure you into revealing all of this information. You then become a quick candidate for identity and/or credit card theft. This practice is called “phishing,” which is short for password harvesting fishing.

APWG (The Anti-Phishing Working Group) has reported that the number of reported incidents of this sort of scam has increased 800 percent in the first six months of 2004. Some reports state that from 3 to 5 percent of people who get these emails fall prey to them. Phishers steal goods, services, and cash totaling over $1.2 billion a year!

Here are some things to watch for:

The emails appear to be from trusted banks or companies that you know and use. Examples of some of the more commonly used companies are eBay, PayPal, U.S. Bank, Citibank, AOL, and EarthLink.

They always want to verify your information and the messages are written with a sense of urgency, stating your account will be terminated unless the information is “updated.”

They are well-designed and use official logos ... the same ones you would expect on these companies’ Web sites. They are usually cut and paste copies of legitimate emails that are actually sent to customers.

They try to fool you with an official looking email address, usually an embedded link to respond to. This link will not take you to the actual company, but to a fake site, set up strictly to collect your personal information.

So, how can you protect yourself against these scams? Here are a few good rules to keep in mind when you are going through your emails:

1) Pay attention to URLs. The scammers will make you think you are going to a company’s Web site, but you actually are being directed to a site of their own design. You might find a different ending to the address, such as .org instead of .com. You might find an extra word in a site such as The last two words in an address are actually the top-level domain name. The address is actually located on the site, not

2) Watch for padlocks in the browser’s status bar or “https” in the URL address line. These two items usually show you that you are visiting a secure site. However, the “phishers” are getting more sophisticated and are designing counterfeit padlocks to appear on their Web pages.

3) Type in links, rather than clicking on hyperlinks. If you see an address such as to click on to take you to their site, hold your cursor over the address before clicking and you may see something such as show up. This will prove you are being lured in by a phisher. Keep in mind that clicking on a hyperlink may not send you to the site you think you are going to. Frequently, once you click on these hyperlinks, an IP address (usually an 8 to 12 number sequence) will show up in your address bar. This numbered address is actually that of the site set up to collect your information.

For the criminals, there are an abundant number of tools to help them set up these scams. There are even “phishing-in-a-box” kits available for downloading! To add insult to injury, a phished credit card becomes its own currency online. These cards are often bought and sold online, and then used to apply for new cards and loans.

For more information on this subject, visit If you unknowingly have supplied personal or financial information to someone you should not have given this information to, contact your bank and credit card company immediately. Protect your personal information and account data at all costs! Do not give information out unless you are 100 percent sure you are in a secure Web site and that you are sending it to the actual company requesting it. Don’t forget - you can always pick up the phone and call the company to verify that it is, in fact, requesting this information in the first place.

Jeffrey B. Dalin, DDS, FAGD, FICD, practices general dentistry in St. Louis. He also is the editor of St. Louis Dentistry magazine and spokesman and critical-issue-response-team chairman for the Greater St. Louis Dental Society. Contact him by email at [email protected], by phone at (314) 567-5612, or by fax at (314) 567-9047.