Phishing & Fishing

"Phishing" is the name given to attempting to persuade victims to fill out an online form or respond to an e-mail with details of their bank accounts, credit card numbers, passwords and other personal information.

It starts with an e-mail supposedly from a bank, ISP or other business with which you may do business. The e-mail presents an important reason for you to "confirm" information with them and gives you a link to an official-looking online form.

If you fill out the form, you are giving personal and financial information like credit card information and social insurance numbers to the scammers. This can lead to charges on your accounts or even identity theft.

The term "phishing" is a variation on "fishing", in the sense it is being done at large with the hopes that someone will take the bait and supply the personal information requested. The term was inspired by the bad spelling of the first phishing attempts.

Everyone is vulnerable. Phishers are becoming increasingly sophisticated in their tactics and have successfully targeted and scammed even savvy Internet users. Your risk of becoming a victim to phishing is not linked to age, race, income or geographical location. By hijacking the trusted brands of well-known financial institutions, phishers are able to convince up to five per cent of their target victims to respond to them.

The reason you got the e-mail might be because scam artists have obtained your e-mail address from a variety of sources:

1. They may have used a spam mailing list on which your address is listed with or without your consent. (These lists are sometimes created from online contest entries. Always be sure to check out the legitimacy of a company before you enter their online contest.)
2. They may have obtained your address via spyware installed without your knowledge on your PC. (Make sure your computer is protected against spyware.)
3. They may have created hundreds of thousands of e-mail addresses randomly by combining first and last names and known domain names, one of which happens to be your personal e-mail address.

Once scam artists find an e-mail address that works, they send e-mails to that address over and over again.

If you get a suspisious e-mail take the time to think about it and don’t yield to the urge to respond immediately and provide the requested information because "your account will be suspended" or you’ll lose a great deal or offer if you don’t. Phishers ask you to respond urgently to their request but no matter how upsetting the threat or exciting the offer, take the time to check out the information more closely.

Phishing emails don’t all look the same. However, here a few tips to bear in mind when examining a suspicious email.

• Examine the email to see if it makes sense. Remember, Columbia Valley Credit Union would never ask you to provide sensitive financial information by email. Legitimate financial institutions already have this information in their records. Treat all such requests with suspicion.
• Don’t be deceived by the use of logos in an attempt to give the email and websites authenticity. Phishers may use our logo in their impersonation efforts.
• You may find a link in the email that leads to a cloned replica of our website, where you’ll be asked to enter the requested information. This website address will often start with http:// instead of https://, which is one warning sign that the site is not secure and likely fraudulent. Also, a legitimate site will have a padlock icon on the lower right corner of the screen and you should be able to view the security certificate details for the site by clicking this icon.
• Many phishing emails come with a form within the body of the email, with a request to fill in the personal financial information.
• In some cases, the phisher may ask you to provide the requested information by replying to the email.

Vishing is a telephone scam in which fraudsters collect sensitive personal and financial information from unsuspecting members of the public. Vishers usually impersonate financial institutions and credit card companies by way of an automated or live phone call or email leading to a phone call, which then requests vital personal and financial information such as account numbers, credit card numbers, account user names and passwords, and social insurance numbers. The scam artists may then be able to use this information to charge items to your account or borrow money under your name.

Most vishing scams work like this: you receive a recorded phone message letting you know that your credit card or financial institution account number has been compromised. The recording then lets you know you need to call a certain number back to protect your account. When you call the number, it is either a recorded message or a live person that asks you to enter your credit card number or account number. The automated system is then able to record the keystrokes entered. The live caller or automated system may then ask for more personal information such as your Social Insurance Number (SIN), date of birth (DOB), your Personal Identification Number (PIN) or account passwords.

Recently, a scam has surfaced in which the caller already knows all the of the victims’ personal information including name, address, credit card number, etc. The only piece of information the caller is looking for is the three digit security number on the back of the credit card. They will claim that a purchase has just been made to your account and ask if you made this purchase. When you reply that you did not make the purchase they ask for the three digit number on the back of the card to "ensure that you are in possession of the card". When you give them this number they then charge purchases to your card.

Everyone is vulnerable. These recorded phone calls are sent out in mass quantities, blanketing an area. This scam is especially volatile because legitimate institutions will call their customers if the security of their accounts have been comprised.

How do I protect myself?

• If the recording you receive refers to you as "valued customer" rather then stating your name, this is a red flag. A legitimate institution would use your name if your account had been compromised.
• DO NOT verbally give out PIN numbers or passwords. Again, a legitimate institution would never ask you to verbalize your PIN or passwords.
• Most importantly, if you do receive a call stating that your credit card or account has been compromised, call the number on a recent statement, the back of your credit card, or a publicly advertised source (such as a phone book) rather than the number they have given you.