What would you do if you received an e-mail from your bank asking you to go to its website and update your account information? The message looks authentic – it's even got the bank's logo. If you're smart, you won't do it! In all likelihood, this seemingly innocent request is really from a cyberthief looking to steal your personal financial information. This unscrupulous practice, known as phishing, is a high-tech way to lure you into revealing your bank accounts, passwords, credit card numbers, PIN codes and other sensitive data. Armed with this private information, a thief can steal your identity, and then your money.

Phishers target consumers by sending them e-mail messages that appear to come from well-known companies such as PayPal, eBay, Citibank, and AOL. Take a look at this message that we received:

[Image: e-mail with fake message from PayPal]


Even though it resembles a message that could have been sent from PayPal, including the e-mail header, there's one crucial difference: the link doesn't go to PayPal's site. It links to a phony site controlled by criminals. Look at the web address highlighted below. It spoofs PayPal's address, but in reality, it has nothing to do with it.

[Image: screen illustrating the fake, purported PayPal site]


Once you enter the requested information – from credit card number to your driver's license and your mother's maiden name – they can access all your accounts. The same scam can be used with any financial site, no matter how real it looks.


Avoid the Phish Net

In the real world, you wouldn't reveal private financial information to anyone who asks, so don't do it online either. Here's how to avoid becoming a victim:

  1. DO NOT respond to these e-mail requests. If you have questions, call the company and talk to a customer service representative. (Don't use the phone number in the e-mail – it too could be fake.)
  2. Never transmit sensitive information such as your Social Security number or bank and credit card information in an e-mail.
  3. If you want to check or update your account information, do it by going directly to the company website. Type the address into your web browser. Remember, DO NOT click on a link in an e-mail message.
  4. Whenever you transmit sensitive data online, make sure the website is secure, indicated by a closed lock icon on the bottom right-hand corner of your web browser. Also check that the address begins with https (notice the "s," short for "secure").
     [Images: lock icon; web address using https]
  5. If you receive a suspicious message, file a complaint by e-mailing the Federal Trade Commission or contacting the Anti-Phishing Working Group.

What to do if you think you've been a victim of phishing?

If you think you've been caught off-guard, don't feel embarrassed, but take action immediately by doing the following:

  1. Check your financial accounts to see if there's been unauthorized access.
  2. If there is unauthorized access, report it immediately to the company in question, such as PayPal, eBay, the credit card issuer or bank.
  3. Close your account and open a new one.
  4. If you suspect that your identity has been stolen, file a police report and make a report with credit bureaus like Equifax.