Andrew, it is not unusual for phishing e-mail to arrive in bunches and to keep doing so for a few days or significantly longer. Spam and phishing e-mail (the term "phishing" refers to a type of spam that attempts to fool recipients into supplying confidential information) are sent in HUGE numbers so as to increase the probability of reaching some gullible soul. Increased awareness of this problem, as well as efforts to combat the amount of spam and e-mail scams, have forced spammers to rely on different strategies. Chances are all those phishing e-mails are being sent by the same or a small group of individuals, who sent them through different channels in an effort to stay one step ahead of spam filters and ISPs who shut down accounts once complaints are received. Also, by flooding the Web with new scams or more clever variations of old ones, these criminals increase the probability of hitting pay dirt before the new scam is brought to the public's attention.
If there was a simple way to completely stop or effectively minimize spam and phishing e-mails, someone would have sold it and by now made enough money to make Bill Gates look like a beggar. The sad truth is that there is very little we can do to stop receiving scam e-mails. Again, these messages are sent in bulk, with randomly generated recipient addresses or those harvested from websites, chat rooms, etc. All it takes is for your e-mail address - or one very close to yours - to appear somewhere on the web, and spam will find you. But just because we are currently unable to eradicate spam and phishing scams doesn't mean we should stop trying, or that we have to give in to their tricks. You can find some useful advice for fighting spam here as well as by enrolling in the CNET online course I will refer to a bit later.
As for phishing, newer products such as Zone Labs' ZoneAlarm Security Suite (http://www.zonelabs.com/) and Trend Micro's PC-cillin Internet Security (http://www.trendmicro.com/) offer anti-phishing protection. While the latter is hardly a perfect solution, it might be worthwhile if you are getting seriously bombarded with phishing e-mails, or are in the market for comprehensive protection for your PC. You might be able to find anti-phishing freeware on Download.com (http://www.download.com/), too.
The most important thing to realize is that no legitimate business will ever send an e-mail asking for sensitive personal or financial information. Any legitimate company stupid, irresponsible, and careless enough to do so would be essentially giving its customers a heck of a good reason to take their business elsewhere! It's just bad business.
Think about it. A financial institution has your home and work phone numbers, Social Security information, and probably more information on how to contact you than might be found on your own wallet. Even eBay has your phone number. If a serious breach in security were to take place, getting hold of customers as soon as possible would be absolutely essential. Why would a financial institution use standard e-mail - an unsecured form of communication that might or might not be checked daily - rather than contact you by phone?
Then there's the question of how exactly entering account, PIN, credit card numbers and/or your mother's maiden name on a website does anything about "suspicious account activities." Chances are, financial institutions and other organizations will either halt access to an account and call the account holder as soon as anything out of the ordinary is detected, or require that you contact them before access is restored. Why would they e-mail you to ask information already in their possession? Some of these phishing e-mails and websites ask for so many details that they literally scream "identity theft!!!"
It follows that if no legitimate business will ask for sensitive information via e-mail, you should never e-mail any sensitive personal information. Ever. Any e-mail that requests such sensitive information, regardless of how genuine or sophisticated it looks, has to be considered fraudulent and treated accordingly. Period.
(You might run into small, legitimate retailers who sometimes give you the option to remit credit card payments via e-mail. Don't. Call them instead and provide the payment details over the phone, even if they lack a toll-free number. And even these retailers will not send you an e-mail asking for a credit card number or similar information!)
What should you do when you get that "verification" e-mail or one alerting you to some supposed emergency? The Federal Trade Commission (FTC) offers the following advice in an article titled "How Not to Get Hooked by a 'Phishing' Scam," included here in its entirety for your convenience:
• If you get an email or pop-up message that asks for personal or financial information, do not reply. And don't click on the link in the message, either. Legitimate companies don't ask for this information via email. If you are concerned about your account, contact the organization mentioned in the email using a telephone number you know to be genuine, or open a new Internet browser session and type in the company's correct Web address yourself. In any case, don't cut and paste the link from the message into your Internet browser - phishers can make links look like they go to one place, but that actually send you to a different site.
• Use anti-virus software and a firewall, and keep them up to date. Some phishing emails contain software that can harm your computer or track your activities on the Internet without your knowledge.
Anti-virus software and a firewall can protect you from inadvertently accepting such unwanted files. Anti-virus software scans incoming communications for troublesome files. Look for anti-virus software that recognizes current viruses as well as older ones; that can effectively reverse the damage; and that updates automatically.
A firewall helps make you invisible on the Internet and blocks all communications from unauthorized sources. It's especially important to run a firewall if you have a broadband connection. Operating systems (like Windows or Linux) or browsers (like Internet Explorer or Netscape) also may offer free software "patches" to close holes in the system that hackers or phishers could exploit.
• Don't email personal or financial information. Email is not a secure method of transmitting personal information. If you initiate a transaction and want to provide your personal or financial information through an organization's website, look for indicators that the site is secure, like a lock icon on the browser's status bar or a URL for a website that begins "https:" (the "s" stands for "secure"). Unfortunately, no indicator is foolproof; some phishers have forged security icons.
• Review credit card and bank account statements as soon as you receive them to check for unauthorized charges. If your statement is late by more than a couple of days, call your credit card company or bank to confirm your billing address and account balances.
• Be cautious about opening any attachment or downloading any files from emails you receive, regardless of who sent them. These files can contain viruses or other software that can weaken your computer's security.
• Forward spam that is phishing for information to firstname.lastname@example.org and to the company, bank, or organization impersonated in the phishing email. Most organizations have information on their websites about where to report problems.
• If you believe you've been scammed, file your complaint at ftc.gov, and then visit the FTC's Identity Theft website at www.consumer.gov/idtheft. Victims of phishing can become victims of identity theft. While you can't entirely control whether you will become a victim of identity theft, you can take some steps to minimize your risk. If an identity thief is opening credit accounts in your name, these new accounts are likely to show up on your credit report. You may catch an incident early if you order a free copy of your credit report periodically from any of the three major credit bureaus. See http://www.annualcreditreport.com for details on ordering a free annual credit report.
You can learn other ways to avoid email scams and deal with deceptive spam at ftc.gov/spam.
(Original source: http://www.ftc.gov/bcp/conline/pubs/alerts/phishingalrt.htm)
I forward all phishing e-mails to email@example.com as well as to SpamCop (you'll need to register at http://www.spamcop.net/ for the free reporting service). SpamCop will process the e-mail and forward a report to the company, bank or organization impersonated in the e-mail. SpamCop will also try to trace back the message to the original sender. There is really no need to try to trace the e-mails yourself. In all likelihood, doing so will accomplish nothing good.
While most phishing scams stand out like a sore thumb, there are always a few that make even experienced users wonder. If you would like to learn more about the intricacies of identifying phishing e-mails, by all means check out the interesting analysis of one of these legit-looking e-mails in Lesson 3 ("The World of Spam") of Help.com's outstanding Combating Spam and Spyware online course. This free course is currently being offered through July 1, and I highly recommend it. (http://courses.help.com/index.jsp)
There are simpler ways to tell if a message is fraudulent, though. You can visit the Anti-Phishing Working Group's website (http://www.antiphishing.org/) and search its Phishing Archives to see whether the message you received is already there. You can also file a report while there, though that should be unnecessary if you have already forwarded the suspicious e-mail to SpamCop and/or the FTC.
Other websites dealing with Internet hoaxes and rumors (e.g., http://urbanlegends.about.com/library/blhoax.htm?once=true& ) might also corroborate your suspicions. Remember, phishing e-mails are essentially Internet hoaxes that strike a nerve and tend to be immediately taken more seriously simply because of the blunt emotional impact the threat of a sudden financial catastrophe has on their readers.
Last, but not least, you can always open a new browser window and visit PayPal, eBay, or your bank's website. Logging into your account without any difficulties should confirm that the warning was bogus.
Hope this helps!
Submitted by: Miguel K. of Columbus, Ohio