



Look Before You Click: Six Tips to Help Keep You from Getting Phished

YONKERS, New York, March 27

Has this ever happened to you? You get an email that looks like it's from eBay, PayPal or Citibank, asking you to update your account. But don't click on that link! You may wind up on a Web site built by scam artists that downloads a piece of bad software to your home computer that records all your passwords and sends them to a stranger overseas.

It's a process called "phishing," and it's a form of identity theft that uses technology and social and emotional manipulation. Millions of people have fallen for scams like this even if they don't do business with the company that has apparently sent the email.

Consumer Reports WebWatch, with grant support from the New York State Attorney General's office, wants consumers in New York State to understand the risk of phishing attacks.

Depending on whom you talk to, phishing scams may be slightly on the decrease, but scammers' techniques are improving, and the brand names they've been using are changing as well. Popular social engineering methods that entrap consumers include: associating the mail with a holiday or event; spearphishing, when the sender appears to be someone inside the company you work for; or an email telling you your bank account has been compromised, urging you to enter personal information into a fake site that looks like the bank's.

Phishing emails usually pretend to originate from financial services companies, Internet service providers or retailers, though some entrepreneurial phishing scammers once even hijacked the name of the U.S. Federal Trade Commission, the government agency responsible for prosecuting email fraud. Right now, phishing scammers claiming to be from the Internal Revenue Service are trying to steal personal information by emailing people on the pretense of resolving a tax problem. Don't believe them!

Here are six tips to help you avoid being phished:

1. Be skeptical of any email, and avoid using hyperlinks in email. They may show one address, but take you to another. Delete any emails that seek to send you to a Web page via a link in the email's text. Legitimate emails will ask you to go to a specific Web site. Type the address into your browser and make sure what you are typing is the correct address. For instance, Citibank's main site is citi.com, so if an email asks you to type, say, citi.bankloans.com, be skeptical. Make sure your typing is accurate, since cybersquatters buy misspelled domains--for example, "cittibank.com." Financial institutions are beefing up security against phishing techniques. Bank of America and Vanguard now ask customers to select a personalized image or phrase to appear whenever they access the site to let them know it's the real thing.

2. Make a point to bookmark the pages of the sites you do business with. Use those bookmarks for transactions.

3. On Web pages, mouse over the URL and see whether the address that appears at the bottom of your browser looks related to a page or site you expect to visit. When you arrive at the site, verify that the URL shown in your browser's address bar is the correct one. Pay attention to the part of the URL between "http://" (or "https://") and the next slash. Look for tricks such as the use of a zero where the letter O should be. Verify the address, then type it into your browser. Or use a favorite or bookmark.

4. Watch carefully for misspellings and poor grammar, one of the surest signs of a phishing scam.

5. Use a Web browser with site verification tools, such as Firefox (www.mozilla.com), or software such as McAfee's Site Advisor (www.siteadvisor.com), which tests sites and tells users the results via a free download.

6. Report phishing. If you receive a phishing email, forward it to the Anti-Phishing Working Group (reportphishing@antiphishing.org), the Federal Trade Commission (spam@uce.gov), and the company or organization being impersonated. You also can file a complaint with the FBI's Internet Crime Complaint Center at www.ic3.gov.

Read more on Consumer Reports WebWatch's "Look Before You Click" campaign to help New York State consumers combat online fraud at our Web site, www.consumerwebwatch.org/

Read more detail from the Anti-Phishing Working Group about how to avoid phishing scams at www.antiphishing.org/consumer_recs.html

About Consumer Reports WebWatch

Consumer Reports WebWatch is the Internet integrity division of Consumers Union, the nonprofit publisher of Consumer Reports Magazine, the Consumer Reports on Health and Money Adviser newsletters, BestBuyDrugs.org, and a variety of sites advocating consumer rights in the marketplace. We research and investigate Web sites on behalf of consumers, and we advocate for consumer-focused Internet policy and governance. Consumer Reports WebWatch accepts no advertising.

Consumer Reports WebWatch is a member of the W3C consortium for developing Internet standards; the Internet Society, a grassroots group focused on Internet policy; and is an at-large structure (ALS) in the user community of ICANN, the Internet Corporation for Assigning Names and Numbers. WebWatch also serves as an unpaid special adviser to StopBadware.org, a "Neighborhood Watch" initiative led by Harvard University's Berkman Center and the Oxford Internet Institute devoted to helping Internet users avoid downloading malicious spyware, adware and malware programs. With the Center for Media and Democracy, WebWatch in 2008 launched www.frontgroups.org, dedicated to exposing the online work of third-party groups that appear to represent one agenda while pursuing another.
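
The address checks described in tips 1 and 3 can be automated. The Python sketch below is an added example, not part of the original release: it pulls out the part of a link between "http://" and the next slash and compares it with a list of sites the reader trusts. The TRUSTED list, the function names and the finding labels are constructed for illustration, and treating the last two labels as the site's domain is a simplification.

```python
from difflib import SequenceMatcher
from urllib.parse import urlsplit

# Constructed allow-list: the sites the reader actually does business with.
TRUSTED = {"citi.com", "citibank.com", "bankofamerica.com"}
DIGIT_SWAPS = str.maketrans("01", "ol")  # zero typed for O, one typed for l


def host_of(url):
    """Return the part between the scheme and the next slash, lower-cased."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").rstrip(".").lower()


def base_domain(host):
    # Simplification: last two labels. Production code should consult the
    # Public Suffix List so that names such as example.co.uk are handled.
    return ".".join(host.split(".")[-2:])


def check_link(shown_text, href, trusted=TRUSTED):
    """Return the reasons a link looks suspicious (empty list: none found)."""
    host = host_of(href)
    base = base_domain(host)
    findings = []
    # Tip 1: the text shown in the email may name one address, the link another.
    looks_like_address = "." in shown_text and " " not in shown_text
    if looks_like_address and base_domain(host_of(shown_text)) != base:
        findings.append("shown-address-differs")
    if base in trusted:
        return findings
    for good in sorted(trusted):
        brand = good.split(".")[0]
        if base.translate(DIGIT_SWAPS) == good:
            findings.append(f"digit-lookalike:{good}")        # tip 3
        elif brand in host.split(".")[:-2]:
            findings.append(f"brand-as-subdomain:{good}")     # citi.bankloans.com
        elif SequenceMatcher(None, base, good).ratio() >= 0.8:
            findings.append(f"near-miss-spelling:{good}")     # cittibank.com
    return findings or ["unknown-domain"]


if __name__ == "__main__":
    print(check_link("www.citi.com", "http://citi.bankloans.com/update"))
```

An empty result only means none of these particular tricks was found; typing the address or using a bookmark, as tips 1 and 2 advise, is still the safer route.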