Helping people with computers... one answer at a time.

Phishing is an epidemic. Legitimate looking emails asking for sensitive information are often bogus. Phishing is on the rise, and you need to be aware.

I think I may have been "phished" with the "request to confirm" scam email. How can I tell? And if I have been "phished" what do I do now?

First, don't feel too bad - phishing attempts are getting very, very sophisticated. I haven't fallen for one yet, but I've come darned close a time or two in recent months.

But be prepared for a painful recovery, if you were phished.

How to tell depends on where in the process you are: looking at the email, after clicking a link in the email, or some time thereafter.

What to do depends on what information you gave in response to the phishing attempt.

Prevention

In a previous article, Phishing? What's Phishing? I discussed how to identify potential phishing attempts. The rule of thumb is never click on a link in email unless you're positive it's safe. Go to the site yourself by typing the URL into your browser and logging into your account by hand.

However, if you're tempted, or you just want more clues as to whether or not an email is a phishing attempt, in most email clients and browsers you can hover your mouse pointer over the link and it will show you either as a tool tip, or in the status bar, where the link really goes. Ensure that:

"The rule of thumb is never click on a link in email unless you're positive it's safe."
  • the actual destination matches what you expect. Exactly. If the link claims to be eBay, it should be for ebay.com. Targets like http://ebay.hacker.com, http://ebay.signin.services.ru, http://www.ebay.cc (note that it's not ".com") are all attempts to deceive you.

  • the actual destination is a name, not a number. If the destination of the link takes you a link that has numbers, such as http://72.3.133.152, chances are it's not valid.

  • the actual destination is secure. That means it should begin with https:. If the target destination begins with the regular, unsecured, http:, chances are it's not legitimate.

  • the actual destination is not Google. I've recently seen a rash of phishing attempts that try to use Google as a type of redirection service. It looks like a URL you trust (Google) but then takes you to a completely different site.

Detection

OK, you clicked. By mistake, but you clicked. And it looks totally legitimate. How can you be sure?

Several tests:

  • All the tests for the link above now apply to what you see in the address bar as the URL of the page you landed on. If it's not what you expect, if it's a number, if it's not https secure ... chances are it's bogus.

  • If they ask you to "reconfirm" by providing sensitive information like your credit card number, don't do it, it's likely bogus. Merchants do not, for example, need to update your entire credit card number if they keep it on file and all they need is a new expiration date. Banks never need this information, as they're the ones that have it to begin with!

  • If, after you "log in", you're only presented with information that you just provided, it's VERY suspicious. Your legitimate services will typically recognize you from your login, and then provide you with more details that you entered when you set up the account. If the site doesn't do something like this, then it's possible they don't have it, they're bogus, and they're simply trying to collect your information.

  • If, after you do provide information, you get an error message, or a "service temporarily down" message, or nothing at all ... it's likely you've been "phished".

Recovery

You think you've been phished. Now what?

As recommended by the Federal Trade Commission, you may need to do several things.

You probably need to close any credit card or other accounts if you gave up that account information the phisher. You'll at least want to contact the appropriate customer service department for each.

You'll need to contact the consumer credit reporting agencies. This is particularly important if you gave your social security number. This is a primary way that identity theft happens because people can start opening accounts in your name - accounts that you know nothing about.

You may want to file a report with the police. This can be an important piece of data to prove that you were the victim of identity theft.

You'll want to file a complaint with the FTC.

The Lesson Here?

I'm sure you've heard stories of how recovering from identity theft can be difficult, painful and time consuming.

The real lesson here, the one thing to walk away with, is simply this: prevention is a whole lot easier than recovery. Pay attention, remain skeptical, and avoid the problem in the first place, and you'll be much, much happier.

There's an old adage about telephone marketers: never give any information to someone you don't know who called you. Only give information to someone you call. The idea is that you know and can verify who you're calling. The same is true for the internet: never give information to someone who independently asks for it - only give information in transactions that you initiate with sites that you know. You know when you go to ebay.com and login to your own account that it is ebay, and that it is your account. But if you get email from someone claiming to be ebay, it simply might not be them.

Article C2734 - July 26, 2006 « »

Share this article with your friends:

Share this article on Facebook Tweet this article Email a link to this article
Leo Leo A. Notenboom has been playing with computers since he was required to take a programming class in 1976. An 18 year career as a programmer at Microsoft soon followed. After "retiring" in 2001, Leo started Ask Leo! in 2003 as a place for answers to common computer and technical questions. More about Leo.

Not what you needed?

21 Comments
Dan Ullman
July 26, 2006 1:33 PM

You should also go the site in question anyway. Ebay, paypal and most banks will have a link on thier index page telling you how they will contact you and what they will ask.

Ken
July 26, 2006 3:42 PM

A few things also to take into account...

With JavaScript enabled, the phisher can cause something other than the actual URL to appear when you hover the mouse over the link. (Some browsers will always show the true URL, perhaps in addition to the "status" message supplied by the JavaScript code.) However, most browsers allow you to see the actual destination by right-clicking the link and selecting something like "properties" from the popup menu.

Another trick used by phishers is to redirect you to the real website, so that the URL in the address bar really is the known website, but only after popping up a "login" window on top of the main browser window. While the browser really is at the true website, the popup window still is from the phisher's site. (Someone I know ran into this last year. While he knew enough to know this was a phish, he was at a loss to see how it worked, as the browser's address bar showed the real site's URL.) Most decent popup blockers probably prevent this, however.

Al Kubeluis
July 27, 2006 3:06 AM

Thanks Leo, another excellent, clear, useful article.

Nathan Kully
July 27, 2006 12:08 PM

Thanks for the advice Leo, this has to be one of the most obnoxious issues out there today and the biggest way to fight back is to simply educate people. There are so many articles/blogs out there that tell about all of the issues regarding phishing, but this is one of the only that actually offers help to those affected.

Educating people is our best option these days to potentially fix our phishing problems.

Lou Gascon
July 29, 2006 3:30 AM

I can't believe that people actually fall for these tricks, but then I suppose the word Niave covers this...
As Nathan says: ‘obnoxious’, and there is no telling what these bandits will do to trick you into giving your personal information...
They need:
Your Name
Your address
Your DOB
Your account Number or card number
...and the security number that goes with it
Your opening password or memorable word/name/date
And sometimes your screen name.
And your telephone number
With this info, the bandits can rape your account to its limit and more, and whilst you are often protected in the UK and sometimes on the internet, many banks hold you the user responsible and you may have to foot the bill.
Check your account small print for info on this and if necessary, change your account to one that offers full protection ~ there are newer visa or other payment card facilities that advertise the fact that they are abreast of the 21st century bandits, and will insure you against theft if alerted within a certain period…
You can take additional protection -as I have, with Card Protection Plan (CPP). Just pop that into Google and go…

Quick note on eBay: and as told by them, if you read their site rules etc.
Any mail sent to you from eBay will be in your account inbox.
This acts as confirmation that it is Kosher
If it’s not in your inbox at eBay, it’s not kosher…
Some other sites act similarly.

Finally, when you have discovered Mr Phish, open a new folder in your email client, cal it headers or keepers or just plain ‘ol Thomas Crapper. Drag n drop your phisher mail here and then go the site concerned, look for the security link and contact them to see if they might like the header detail to follow-up – and together we will have Stealth.
Don’t be shy, kick sand in their faces.

BUT ABOVE ALL - STAY ALERT…!

Good luck
Lou

debbie
March 3, 2007 1:13 PM

i have been phished on myspace and i tried clicking on the link to change my password to restore my account but it isnt working and i dont even know if i gave them the right email address so i am totally lost i tried to email Tom but he is not accepting emails at this time

jenn
January 16, 2008 11:19 AM

I clicked a link to a bank knowing it was a bogus website (curiosity got me...just wanted to see how smooth the pranksters might really might be), but I didn't enter anything. I did notice a little pop-up that said something like "click sensor", but it disappeared too fast to check it out further. I closed all apps and restarted my computer after a separate ad/pop-up froze up and couldn't be closed. Should I be worried that some kind of spyware has been installed? If so, how do I get rid of it? BTW- the computer is hooked up to a server with McAfee virus protection, has a firewall, etc. Thanks for any feedback. :-)

Marianna
March 1, 2008 12:59 AM

I too, have been phished.
However, after multiple attempts to follow the url tom gave me, it hasn't worked.

it just keeps having me log in again, and again.

how do i get my account back?

thank you so much.

Clyde Hudnall
August 5, 2008 5:58 AM

I have been phished. Some fraudster has my name, address, email address and social security number. They do not have my credit card numbers or any bank numbers

Nichole
November 20, 2008 2:26 PM

I got a pop up and it said windows internet explorer...Your computer may have been hit with a virus click here if you want to check...so I did then it said my computer was hit with a virus and to click here if I want windows to fix it was I phished? it looked legit, but my husband said windows internet explorer won't send you anything like that what do I do or have I done?

Your husband is right. You need to immediately run anti-virus and anti-spyware scans using legitimate tools that you choose, rather than those that might appear in some random popup.
- Leo
21-Nov-2008

jim
December 10, 2008 10:10 AM

i think i've been phised. cant login to my facebook account or hotmail, or paypal or e-bay - they all had the same passwords - hate this new digital age.

Sylvia
March 25, 2010 8:16 PM

What if all I gave was an email address and password before wising up to the scam?

"All" you gave was email and password? That's enough.
Leo
26-Mar-2010

Fred
May 11, 2010 12:30 PM

I clicked on a link in an email, and it appears it was a dead link. It just told me there wasn't a page to display.

Could I have been phished just from clicking on this link?

Kimberly
May 24, 2010 6:58 AM

I received an e-mail asking to confirm my password to my sons google account. I do not know why I opened the e-mail and clicked on the link and procedded to enter his password(note sure if it was the right e-mail or not); anyway I am not sure if I need to do anything or not.

Friar Gregarious
June 22, 2010 11:11 PM

I was phished through a facebook friend finder. I managed to recover all my accounts (nothing monetary thank the gods, I use them completely separate) But I did manage to find the little [edited] forwarding address. Where can I post or submit that to do him the most harm?

The police, I would expect. Any other form just turns into revenge which can, and often does, backfire.
Leo
25-Jun-2010

christian
February 17, 2012 7:15 AM

ok i stupidly fell for this i think i gave all info on my game account for SWTOR but reseted all even questions in like 3 mins after falling for it and giving all info now will i still get hacked if i changed everything on account even security questions or should i just leave that account i was sent here{URL removed} and i being new to this fell right for it if i changed all will i still be hacked plss answer fast :(

Mark J
February 17, 2012 1:01 PM

@Christian
Theoretically, changing your password and all of your other security information should work. This article explains what information you might need to change.
Is changing my password enough?

Jimmy
July 2, 2012 12:21 AM

I was trying to buy something online, when i went to check out i filled in the information page giving name, address, email address and had to set a password then clicked proceed and internet explorer could not open the next page, i then checked my emails the company had sent me an email but when i opened it i received a warning that it may not be genuine and i was asked if i would like to report an attempt at phishing (which i did) so i dont know if i have been phished or not? so any help or advise would be great?

connie
July 2, 2012 8:35 AM

@Jimmy,
What you expect, when you buy something online, is to immediately receive an email, sometimes even several emails. They will be sent to help you verify your account, and to confirm your purchase. So receiving an email like that, (even though IE crashed and didn't let you finish) is not suspicious. It seems unlikely that it was phishing.

Your best bet is to contact customer support at the site and let them know what happened.

Maurizio
March 18, 2013 8:25 PM

OK I was stupid.
I entered my Gmail credential into a fake page.
I recognize the Phishing after 24 hours and changed my Gmail password anything else that I should do?
I was surprised to find nothing changed including recovery emails or forwarding, everything looks normal.
I'm worried that in the 24 hours they might have recovered other informations and they are planning to do something else with it.
I'd like to know more about this guys. Can I tell more from the email header?
Thanks

Mark J
March 19, 2013 11:46 AM

@Maurizio
If you've been the victim of phishing, the phishers may have accessed your email account. This article on Ask Leo! shows you what you can do to fully reclaim your email account.
Email Hacked? 7 Things You Need to do NOW

Comments on this entry are closed.

If you have a question, start by using the search box up at the top of the page - there's a very good chance that your question has already been answered on Ask Leo!.

If you don't find your answer, head out to http://askleo.com/ask to ask your question.