Data Security

Phishing and Pharming: Two Threats to Your Online Safety

What is Phishing?

Phishing (pronounced fishing) is a technique used by unsavory individuals and companies to try to fool you into giving out important personal and financial information. Armed with publicly available information plus what you supply, they can forge documents, set up accounts, and steal your identity. The ultimate purpose is to separate you from your money.

Phishing is clearly on the rise, so it must be working. According to the Anti-Phishing Working Group, 75 million to 150 million phishing e-mails are sent every day, and the number of Web sites known to be involved is nearing 1000.

What Phishing Looks Like

Phishing usually starts with an e-mail that looks like it is from a legitimate source. It typically asks you to verify or update account information and provides a link to log in to a Web site. These e-mails can look legitimate, but the Sender field can be spoofed, as can the links. Usually there is a logo that was actually taken from the real site. Often there is some kind of urgency involved, such as a warning that your account will expire if you don’t update your account information.

Most phishing messages are spoofed to be from a financial institution such as a bank or investment company. Remember, the ultimate goal is to separate you from your money, and these are obvious ploys to get account information. These are the easiest to spot since financial institutions do not send out these types of e-mails.

Some phishing messages are aimed at getting personal information for the purpose of setting up new accounts. These are less obvious and can ask for an address or telephone update from a governmental agency, retailer, or other non-financial institution. Since these types of organizations actually do send legitimate requests for more information, these messages are much harder to spot.

How to Avoid Phishing Scams

Never click on the links in e-mail messages. It can be extremely difficult to identify which are legitimate and which are spoofed. Go directly to the Web site of your financial institution and log in as usual. If there is a need to update some information, you will be informed when you log in.

Always be skeptical. Most legitimate companies do not send requests to update your information. Those that make these requests are finding that most people are suspicious and ignore the requests.

An example of a legitimate need to contact you is a credit card company that detects unusually high activity on your account. In this case they will attempt to call you on the telephone. They will not send an e-mail. They also already know your account numbers, so they will not ask you to confirm them.

General guidelines for protecting yourself against phishing scams:

  1. Do not give out personal or financial information through an e-mail request.
  2. Always log on to your sensitive accounts by opening a new browser and typing the actual URL directly into the address bar. For example, if you receive a suspected phishing e-mail from e-trade, open a new browser and type www.etrade.com in the address bar.
  3. Do not click on any link in a suspected phishing e-mail.
  4. Only use a secure Web site to submit sensitive data. A secure site’s address will begin with https:// instead of http:// and will show a lock or key icon at the bottom of the browser.
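The two warning signs above (a link whose visible text names one site while its target is another, and a site that is not served over https) can be checked mechanically before anyone clicks. The following is an added example, not part of the original article: it parses an HTML e-mail body, collects every link, and reports links that fail either check. The sample message, the bank.example domain (reserved .example TLD) and the 203.0.113.5 address (documentation range) are constructed for the demonstration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Visible link text that itself looks like a URL or bare domain (crude pattern).
DOMAIN_TEXT = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:/\S*)?$", re.I)

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML e-mail body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = (dict(attrs).get("href") or ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def registrable(host):
    """Last two labels of a hostname; a real checker would consult the public-suffix list."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def suspicious_links(html_body):
    """Return (href, text, reasons) for links that are not https or whose visible
    text names a different domain than the one the href actually points to."""
    collector = LinkCollector()
    collector.feed(html_body)
    findings = []
    for href, text in collector.links:
        target, reasons = urlparse(href), []
        if target.scheme.lower() != "https":
            reasons.append("not https")
        shown = DOMAIN_TEXT.match(text)
        if shown and registrable(shown.group(1)) != registrable(target.hostname or ""):
            reasons.append(f"text says {shown.group(1)} but href goes to {target.hostname}")
        if reasons:
            findings.append((href, text, reasons))
    return findings

# Constructed sample message: .example is a reserved TLD and 203.0.113.5 a documentation address.
SAMPLE_EMAIL = """<p>Dear customer, your account will expire unless you update it today.</p>
<p><a href="http://203.0.113.5/login">https://www.bank.example/login</a></p>
<p><a href="https://www.bank.example.evil.test/verify">www.bank.example</a></p>
<p><a href="https://www.bank.example/help">Help</a></p>"""
```

Running `suspicious_links(SAMPLE_EMAIL)` flags the first two links (a plain-http link to a bare IP address, and a look-alike subdomain of an unrelated domain) and passes the genuine help link.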

What is Pharming?

Pharming (pronounced farming) is a technique used by unsavory individuals and companies to obtain important personal and financial information without your knowledge. It is similar to phishing, except that the information is collected without you needing to click a link in an e-mail. Even the most savvy Internet users are subject to pharming because it does not require you to make a mistake.

As with phishing, the ultimate purpose is to separate you from your money.

How does Pharming Work?

Pharmers have two main ways of operating: directly on users’ computers or on domain name servers that resolve Web site addresses for users.

Similar to phishing, pharmers send e-mails to users claiming that account information needs to be updated. The difference from phishing is that the e-mail contains a virus that installs small software programs on users’ computers. When a user tries to go to their financial institution’s real Web site, the program redirects the browser to the pharmer’s fake site. It then asks the user to update information such as logons, PIN codes, or other sensitive information. Savvy users who do not click on the links in the e-mail are still subject to this attack because it uses a virus to direct the browser to the scammer’s Web site.

The pharmers’ second method takes advantage of the fact that Web sites have alphanumeric names but reside at numeric addresses on the Internet. When a user types a Web site’s name into a browser, Domain Name System (DNS) servers read the name, look up its numeric address, and take the user to the site.

Pharmers interfere with that process by changing the real site’s numeric address to the fake site’s numeric address within the DNS server. This technique can only be stopped at the server, and there is little that the end-user can do. As users are later directed to the fake site, the pharmers harvest the sensitive information.
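Both pharming methods described above leave a visible trace that a defender can check for. One common way a program on the user's computer redirects the browser is an entry in the operating system's hosts file, which is consulted before any DNS server is asked; the DNS-server method instead shows up as a site's numeric address suddenly differing from what it resolved to before. The following is an added example, not from the original article: it scans hosts-file text for entries that pin a watched domain, and compares a resolver's current answers against a previously recorded baseline. The watched domains, sample hosts file, baseline and observed answers are all constructed (reserved .example TLD, documentation address ranges), and the hosts-file paths in the main block are assumed locations.

```python
# Domains the user wants watched (constructed; .example is a reserved TLD).
WATCHED = {"bank.example", "broker.example"}

def parse_hosts(text):
    """Yield (address, hostname) pairs from hosts-file text, skipping comments and blanks."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            address, *names = line.split()
            for name in names:
                yield address, name.lower()

def watched_parent(name, watched):
    """Return the watched domain that `name` equals or is a subdomain of, else None."""
    return next((d for d in watched if name == d or name.endswith("." + d)), None)

def hosts_overrides(text, watched=WATCHED):
    """Hosts-file entries that pin a watched domain to an address. Such an entry is the
    symptom of the local pharming method: the browser never asks DNS at all."""
    return [(a, n) for a, n in parse_hosts(text) if watched_parent(n, watched)]

def resolution_drift(observed, baseline):
    """Compare what a resolver answered today ({domain: [addresses]}) with a baseline
    recorded earlier ({domain: {addresses}}); report domains whose answers share
    nothing with the baseline, the symptom of the DNS-server pharming method."""
    return sorted(d for d, addrs in observed.items()
                  if d in baseline and not (set(addrs) & set(baseline[d])))

# Constructed sample: 203.0.113.0/24, 198.51.100.0/24 and 192.0.2.0/24 are documentation ranges.
SAMPLE_HOSTS = """# hosts file
127.0.0.1   localhost
203.0.113.7 www.bank.example bank.example   # entry a redirecting program would add
192.0.2.10  intranet.corp.example
"""
BASELINE = {"bank.example": {"198.51.100.20", "198.51.100.21"}, "broker.example": {"198.51.100.4"}}
OBSERVED = {"bank.example": ["203.0.113.7"], "broker.example": ["198.51.100.4"]}

if __name__ == "__main__":
    from pathlib import Path
    # Assumed hosts-file locations for Windows and Unix-like systems.
    for p in (r"C:\Windows\System32\drivers\etc\hosts", "/etc/hosts"):
        if Path(p).exists():
            print("live hosts overrides:", hosts_overrides(Path(p).read_text(errors="replace")))
    print("sample overrides:", hosts_overrides(SAMPLE_HOSTS))
    print("drifted domains:", resolution_drift(OBSERVED, BASELINE))
```

The baseline comparison only works if the baseline was recorded over a trusted connection; a legitimate address change by the site will also show up as drift and needs confirming out of band.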

How to Avoid Pharming

The virus-based method of pharming is stopped by maintaining up-to-date antivirus and antispyware software and a firewall on your computer. This will greatly reduce the possibility that a virus will redirect you to the malicious Web site.

Additionally, be careful when entering sensitive information on a Web site. Look for the lock or key icon at the bottom of the browser. If the site has changed since your last visit, be suspicious. When in doubt, do not use the Web site.

Beware of “Skimming” When Using ATMs

Thieves are now stealing from unsuspecting ATM users through a type of fraud called “skimming.” Skimming is when a device is attached to the face of an ATM that reads account information that is stored electronically on a debit, credit, or ATM card’s magnetic stripe. That information is then used to access the accounts at a later time.

Follow these tips to make sure you don’t fall victim to this scam:

  • Skimming devices will stick out a few inches from an ATM. If the ATM you are using looks suspicious, do not enter your card.
  • Look for ATMs that appear secure. Those that are under video surveillance, have a camera, or are in a lobby or facility where people frequent will deter fraud.
  • If the ATM captures your card, notify your financial institution and the financial institution that owns the ATM as soon as possible.

Beware of Smishing

First there was counterfeiting and check kiting followed by phishing, pharming, vishing, and skimming—and now the latest fraud scheme, smishing, is on the rise.

Smishing is an email scam that tries to lure a recipient into giving out personal information via SMS, the communication protocol used to send text messages to a wireless device. This new scam is targeting credit union and other financial institution members.

With smishing, members receive a text message through a cell phone warning that their credit union or bank account has been closed due to suspicious activity. They are instructed to call a phone number to reactivate the account. Those who dial the number are then taken to an automated voice mail box that prompts them to key in their credit or debit card number, expiration date, and PIN to verify their information.

You can avoid being scammed by being wary of any message received from an unknown sender. Do not open unsolicited e-mails or text messages or click on links provided in such messages. Don’t display your wireless phone number or e-mail address in public, including newsgroups, chat rooms, websites, and membership directories.

If you fall victim to this type of scam, contact the credit union to block and reissue the compromised credit or debit cards, report the incident to the credit bureau, and order a credit report to see if damage has been done. You can receive a free credit report annually by any of these methods:

  1. Visit www.annualcreditreport.com, or
  2. Call (877) 322-8228, or
  3. Download the request form via the above website, complete it, and mail it to Annual Credit Report Request Service, P.O. Box 105281, Atlanta, GA 30348-5281.