Phishing, SMiShing, Vishing
Phishing occurs when a fraudster impersonates a legitimate company or organization using e-mail, faxes, and/or Web sites in an attempt to lure recipients into revealing confidential information. This is the "bait." The messages are well crafted and often difficult to distinguish from those of the companies they impersonate.
How do Phishing, Vishing and SMiShing Work?
A typical "phishing attack" begins with a fraudster sending thousands or millions of e-mails impersonating a company. Quite often, the tone of the e-mail is urgent, leading recipients to believe there is something wrong with their account. They are urged to take immediate action, which often includes opening an attachment or clicking on an embedded link to go to the "company's" Web site to update, verify, or review account information.
Although the link may appear to be legitimate, computer code may direct the user to an imposter Web site designed to be nearly indistinguishable from the legitimate site. When the victim logs in or enters confidential information, they are actually giving it directly to the criminals.
Phishers engage in these practices for pure financial gain. They like to impersonate financial services companies, Internet service providers (ISPs), and online retailers. The Internal Revenue Service has even been impersonated (typically during tax season) in the hopes of gaining Social Security numbers. Phishers have also pretended to be the Better Business Bureau and the Department of Justice.
Phishers are most interested in obtaining credit card numbers, online banking credentials, Social Security numbers, and other confidential information that will allow them or another criminal party to steal money, assume identities, and/or fraudulently apply for credit.
Vishing (voice phishing using the phone) and SMiShing (phishing via text messages) are two newer, but just as dangerous, forms of phishing that consumers and businesses need to be aware of. The scams are the same, but the technology used is different.
- Vishing requires the potential victim to respond by phone to either an e-mail or telephone message.
- SMiShing requires the potential victim to respond by accessing a Web site or calling a particular telephone number, neither of which is legitimate.
What Should You be Looking for?
Although these forms of attack are designed to be nearly impossible to distinguish from legitimate e-mails, telephone messages or text messages, there are some common signs you can look for:
- Attackers urge the recipient to click on the link (phishing & SMiShing) or call a telephone number (vishing & SMiShing) to update or verify account information, re-activate an account or cancel an order.
- Attackers convey a sense of urgency and often mention negative consequences for failing to respond.
- Attacks are not consistent with other e-mails, telephone messages or text messages from the business.
- Messages do not contain any personalization that shows the sender knows something about the recipient's account (e.g. the recipient's name, the last four digits of their account number, or other information).
- Attacks often contain spelling errors and bad grammar.
- Attacks using SMiShing often indicate the message came from the number "5000" instead of displaying an actual telephone number.
- Messages often claim the user has ordered something that they never ordered.
What Should You do if You Receive a Suspicious E-mail, Telephone Message or Text?
- Do not respond.
- If you are unsure of the authenticity of the message, call the company to verify they actually sent it or inquire about why they need your information. Use a telephone number you know is legitimate (e.g., one on your most recent statement). Do NOT call the one in the e-mail, telephone message or text message.
- If it is an e-mail or text message that appears to be from Fifth Third Bank, you can forward it to firstname.lastname@example.org to help track the phishers, shut down the fraudulent sites or disconnect fraudulent telephone numbers.
- If it appears to be from another company or financial institution, you can forward it to the Anti-Phishing Working Group at email@example.com.
- Once you have reported the message, delete it from your Inbox or mobile device.
- If you responded to the message and provided information, contact Fifth Third Bank Customer Service immediately at 1-800-676-5869.
How can I protect myself/my business?
- Education is your best defense. Know what to look for and what to do. It is very important to note that no financial institution, including Fifth Third Bank, will ever send you an e-mail asking you to verify or supply personal information, such as:
  - User ID
  - Social Security Number
  - Card or Account Number
  - Credit Card Security Code (CCV)
- Never open unsolicited e-mails from unknown e-mail addresses.
- Never send personal information via e-mail unless it is to a trusted source and you use some type of encryption.
- Install a firewall and both antivirus and anti-spyware software. Keep your virus definitions and browser and security software current.
- Exercise reasonable care when downloading software and opening e-mail attachments. Never download or open an e-mail attachment from an unknown e-mail address.
- Have your computer analyzed by a qualified technician if you suspect your computer is running abnormally, you are receiving an unusual amount of "pop-up" pages, or you notice that you are being redirected to other Web pages.