I think I may have been “phished” with the “request to confirm” scam email. How can I tell? And if I have been “phished” what do I do now?

First, don’t feel too bad – phishing attempts are getting very, very sophisticated. I haven’t fallen for one yet, but I’ve come darned close a time or two in recent months.

But be prepared for a painful recovery, if you were phished.

How to tell depends on where in the process you are: looking at the email, after clicking a link in the email, or some time thereafter.

What to do depends on what information you gave in response to the phishing attempt.

Prevention
In a previous article, Phishing? What’s Phishing? I discussed how to identify potential phishing attempts. The rule of thumb is never click on a link in email unless you’re positive it’s safe. Go to the site yourself by typing the URL into your browser and logging into your account by hand.

However, if you’re tempted, or you just want more clues as to whether or not an email is a phishing attempt, in most email clients and browsers you can hover your mouse pointer over the link and it will show you, either as a tool tip or in the status bar, where the link really goes. That hidden destination is what matters: the visible text of a link can say anything at all, including a perfectly good address, while pointing somewhere else entirely. Ensure that:

  • the actual destination matches what you expect. Exactly. If the link claims to be eBay, the name just before the first single slash should be ebay.com, or end in .ebay.com. Targets like http://ebay.hacker.com (the real site is hacker.com), http://ebay.signin.services.ru (the real site is services.ru) and http://www.ebay.cc (note that it’s .cc, not .com) are all attempts to deceive you.
  • the actual destination is a name, not a number. If the link points at an address made of numbers, such as http://72.3.133.152, chances are it’s not valid; legitimate businesses don’t send you to a bare IP address.
  • the actual destination is secure. That means it should begin with https:. If the target begins with the regular, unsecured http:, chances are it’s not legitimate. The reverse is not a guarantee, though: phishers can and do set up https: sites, so the padlock only tells you the connection is encrypted, not who is on the other end.
  • the actual destination is not Google. I’ve recently seen a rash of phishing attempts that use Google as a type of redirection service. The link starts with google.com, an address you trust, but carries a second, complete address further along, and that second address is where you will actually end up. The same trick works with any site that offers a “redirect” link, so look at the last address in the link, not the first.
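As an added illustration (this is not code from the original article), here is a small Python script that applies the four checks above to every link in an HTML message, and that you could equally run against the address of the page you land on. It assumes you already know which domain the message claims to come from (ebay.com in the sample), uses a deliberately simplified “last two labels” rule for the registered domain (real tooling should use the Public Suffix List), and recognises only Google’s /url?q= redirect. It goes slightly beyond the article by also catching the user@host trick (https://www.ebay.com@hacker.com/), where everything before the @ is ignored by the browser. The sample message is constructed.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

# Hypothetical, minimal table of sites abused as redirectors; real mail
# filters keep a much longer list of known open redirects.
REDIRECTOR_DOMAINS = {"google.com"}


def registrable_domain(host):
    """Owner part of a host name, e.g. ebay.hacker.com -> hacker.com.
    Simplified to the last two labels; real code uses the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_ip_literal(host):
    """True when the host is a bare IP address such as 72.3.133.152."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def check_link(href, expected_domain, _depth=0):
    """Apply the article's link checks; returns the reasons to distrust the link.
    An empty list means every check passed. expected_domain is the domain you
    believe the message is from, e.g. "ebay.com"."""
    findings = []
    u = urlparse(href)
    host = u.hostname or ""
    if u.scheme != "https":
        findings.append("not https")
    if is_ip_literal(host):
        findings.append("destination is an IP address")
    if u.username is not None:
        # https://www.ebay.com@hacker.com/ : the browser ignores everything
        # before '@', so the real host is what follows it.
        findings.append(f"user@ trick: real host is {host}")
    if registrable_domain(host) in REDIRECTOR_DOMAINS and u.path == "/url":
        # Google-style redirect: the real target sits in the query string.
        qs = parse_qs(u.query)
        target = (qs.get("q") or qs.get("url") or [""])[0]
        findings.append(f"redirect via {host} to {target}")
        if target and _depth < 3:  # follow the redirect, but not forever
            findings.extend(check_link(target, expected_domain, _depth + 1))
        return findings
    if registrable_domain(host) != expected_domain.lower():
        findings.append(f"domain mismatch: {host}")
    return findings


class LinkExtractor(HTMLParser):
    """Collect (visible text, href) pairs from the <a> tags of a message."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def audit_email(html, expected_domain):
    """Return [(visible text, href, findings)] for every link in the message."""
    parser = LinkExtractor()
    parser.feed(html)
    results = []
    for text, href in parser.links:
        findings = check_link(href, expected_domain)
        # Link text that looks like an address but points elsewhere is the
        # classic "hover and compare" giveaway.
        if (text.startswith(("http://", "https://"))
                and urlparse(text).hostname != urlparse(href).hostname):
            findings.append("visible text shows a different address")
        results.append((text, href, findings))
    return results


# Constructed sample message (not a real phish); only the last link is genuine.
SAMPLE_EMAIL = """
<p>Please <a href="http://72.3.133.152/confirm">confirm your account</a> or
<a href="https://www.ebay.com@hacker.com/signin">sign in here</a>. You can also
<a href="https://www.google.com/url?q=http://ebay.signin.services.ru/login">visit eBay</a>
or go to <a href="https://signin.ebay.com/">https://signin.ebay.com/</a>.</p>
"""

if __name__ == "__main__":
    for text, href, findings in audit_email(SAMPLE_EMAIL, "ebay.com"):
        verdict = "OK" if not findings else "SUSPECT: " + "; ".join(findings)
        print(f"{text!r:28} -> {href}\n    {verdict}")
```

Run as a script it prints one verdict per link; the first three links in the sample each trip at least one check and the genuine eBay sign-in link passes cleanly. The “last two labels” rule is the weak spot: it would wrongly treat bank.co.uk as owned by co.uk, which is exactly why production filters consult the Public Suffix List instead.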

Detection
OK, you clicked. By mistake, but you clicked. And it looks totally legitimate. How can you be sure?

Several tests:

  • All the tests for the link above now apply to what you see in the address bar as the URL of the page you landed on. If it’s not what you expect, if it’s a number, if it’s not https secure, chances are it’s bogus.
  • If they ask you to “reconfirm” by providing sensitive information like your credit card number, don’t do it; it’s likely bogus. A merchant that keeps your card on file doesn’t need the entire card number again just to update an expiration date, and banks never need this information, since they’re the ones that have it to begin with!
  • If, after you “log in,” you’re only presented with information that you just provided, it’s VERY suspicious. Your legitimate services will typically recognize you from your login, and then provide you with more details that you entered when you set up the account. If the site doesn’t do something like this, then it’s possible they don’t have it, they’re bogus, and they’re simply trying to collect your information.
  • If, after you do provide information, you get an error message, or a “service temporarily down” message, or nothing at all … it’s likely you’ve been “phished.”

Recovery
You think you’ve been phished. Now what?

As recommended by the Federal Trade Commission, you may need to do several things.

You probably need to close any credit card or other accounts if you gave that account information to the phisher. At the very least, contact the appropriate customer service department for each.

You’ll need to contact the consumer credit reporting agencies and place a fraud alert on your file. This is particularly important if you gave your Social Security number. That’s a primary way identity theft happens: someone starts opening accounts in your name, accounts that you know nothing about.

You may want to file a report with the police. This can be an important piece of evidence that you were the victim of identity theft.

You’ll want to file a complaint with the FTC.

The Lesson Here?
I’m sure you’ve heard stories of how recovering from identity theft can be difficult, painful and time consuming.

The real lesson here, the one thing to walk away with, is simply this: prevention is a whole lot easier than recovery. Pay attention, remain skeptical, and avoid the problem in the first place, and you’ll be much, much happier.

There’s an old adage about telephone marketers: never give any information to someone you don’t know who called you. Only give information to someone you call. The idea is that you know and can verify who you’re calling. The same is true for the internet: never give information to someone who independently asks for it – only give information in transactions that you initiate with sites that you know. You know when you go to ebay.com and login to your own account that it is ebay, and that it is your account. But if you get email from someone claiming to be ebay, it simply might not be them.

Related:
Ask Leo! – Phishing? What’s Phishing?
Ask Leo! – How do I keep my computer safe on the internet?
Federal Trade Commission – Your National Resource About ID Theft