"Phishing" and Other Online Identity Theft Scams: Don't Take the Bait

Update: According to computer security experts, economic cyber-crime continues to surge. "Phishing" attacks—scams that use spam email or a fake website to lure you into revealing your bank or brokerage account information, passwords or PINs, Social Security number or other types of confidential information—have increased significantly since they were first discovered in 2005. FINRA is updating this Alert to keep you informed about some of the latest online identity theft scams targeting financial sector customers and to provide tips for spotting and avoiding these scams.


Fraudsters can turn on a dime when it comes to creating new pitches to separate hard-working Americans from their money. Virtually any news item, positive or negative, can become a "hook" for a new scam—whether a natural disaster (domestic or international) or the launch of a new product or company.


But sometimes the hook can look more mundane—and can come in the form of a seemingly authentic email from a well-known company, financial institution, or even a government agency or other regulator you know and trust. For instance, around tax time, the Internal Revenue Service (IRS) regularly warns of phishing schemes that use references to tax refunds, filing issues or investigations to lure recipients into opening a bogus email.


Real Life Examples: Fake IRS and SEC Emails

A recent scam involved an email that appeared to be from the IRS Taxpayer Advocate Service. The email included a bogus case number and links to the supposed “advocate,” which actually led to a Web page that phishes for personal information.

The Securities and Exchange Commission (SEC) warned investors to beware of emails that appear to come from SEC staff, including a bogus email scam using the name of the SEC’s Director of the Office of Investor Education and Advocacy. The email was in fact not from the SEC, and contained a link to malicious software.


"Phishing"—Fraudulent Emails That Steal Your Personal Information


Phishing scams typically involve emails that falsely claim to be from brokerage firms, banks, credit card companies, Internet auction sites, electronic payment services or some other service that you use. In other instances, the emails purport to be from government agencies. To appear genuine, these emails may use:

  • The names of real people.
  • Legitimate-looking email addresses, such as support@[name of your financial institution].com.
  • Authentic-looking logos and graphics.
  • Links to pages of a bona fide website.
  • Official-looking fine print and references to laws.

Most of these emails attempt to lure you into providing sensitive personal information by requesting that you provide it in a reply email or by clicking on a link to a website that mimics a legitimate website and asks you to provide the information. Various "urgent" messages are also used to lower your guard, such as:

  • Your account will be shut down unless you update your information.
  • You need to verify your identity because your account appears to be used by a third party in violation of the law.
  • Security measures to protect your account from identity theft require you to verify your account information.
  • Due to a technical update, you need to reactivate your account.
  • Recent changes in the law require users to identify themselves.


Financial Phishing


Fraudsters regularly target customers of financial services firms with deceptive email tactics. According to a recent industry study, 71 percent of phishing scams detected in 2014 spoofed banks.¹ Some fraudulent emails, for example, appear to originate from a financial institution that acquired the consumer's bank, savings and loan or mortgage. They direct recipients to update, validate or confirm account information by clicking on a link that redirects to a "spoofed" website that looks similar to, but is actually a fraudulent copy of, the website of a legitimate financial institution or lender. Also be wary of emails from financial institutions that purport to have updated their online security systems.


Real Life Example: Fake Emails to Bank Customers

According to the Better Business Bureau, the following phishing email circulated around the Internet in early 2014. Customers who clicked through to the website and entered banking information exposed their information to the scammers.


IMAGE: Phishing Email



Trojan Horses—Hidden Software That Tracks Your Every Move Online


Trojan Horses are malicious software programs (often called “malware” or "crimeware") that hide in files attached to an email or that you download from the Internet and install on your computer. While these programs can take many forms, Trojan Horses used in identity theft scams usually take the form of keystroke loggers—programs that log the keystrokes you type and allow scamsters to find your usernames and passwords, giving them access to your online accounts. Over the years, Trojan Horses have increasingly been showing up in "phishing" scams, or used in place of a phishing scam to secretly capture sensitive information.


Real Life Example: Crimeware

A crime group sent false email messages purporting to be from popular social networking sites that contained fictitious offers for popular software upgrades and fake tax forms. These "lures" took victims to sites where the criminals infected their computers with “crimeware,” allowing the criminals to access the computers remotely to steal personal information, intercept passwords and online transaction information, and even log onto the victim’s computer to perform online banking transactions.


Brokerage Firm Identity Theft Scams—Using a Good Name for Crime


Some scamsters are creating phony websites that misappropriate the name or website content of legitimate brokerage firms to solicit business from unwary investors. By stealing the identity of a legitimate brokerage firm, scamsters can claim that they are members of the Securities Investor Protection Corporation (SIPC) and registered with FINRA. Potential investors may be urged to go to SIPC's and FINRA's websites to "verify" the phony brokerage firm, giving them a false sense of security.


Using these phony websites, the unlicensed brokerage firms often attempt to sell shares of small U.S. companies to investors in other countries. After the sale, the price usually falls and the investors lose their money. In a twist on this scam, the fraudsters may offer to help investors recover their losses by selling their thinly traded stocks (usually, bought through another scam). However, in order for the transaction to proceed, the investor must first deposit money in an "escrow account" or buy a performance bond. The phony firm then vanishes with the money.


Phishing Today


Phishing scammers are growing ever more sophisticated:

  • Targeted phishing—known as "spear phishing"—is a recent twist. Scammers send messages that appear to be from an individual or business that you know. These “friend” or “colleague” emails seem plausible (for instance, an email that looks like it is from your company’s HR department asking for updated personal information). The latest wave in spear phishing: mobile apps that appear to be recommended by someone you know.
  • It used to be that misspelled company names and jumbled Web URLs were a clear tip-off to early phishing ploys. But now seemingly legitimate links can hijack users to a fraudulent site through technical code buried behind the message: the text you see in the email can name your bank while the link underneath points somewhere else entirely.
  • Scammers have learned to modify a system file in Microsoft Windows, called the hosts file, that can turn your browser into a vehicle for a phishing excursion: type in a Web address from your browser and you could be directed to a fraudulent site.
  • Domain-name servers translate the Web addresses users type into the numeric addresses of the computers that host those sites. If a server is corrupted, it’s possible that identity thieves could be routing users to a look-alike site.
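The two techniques above (a link whose visible text names a trusted site while its underlying address goes elsewhere, and a tampered Windows hosts file) both leave traces a program can check for. The following is an added example written for this Alert, not FINRA's code or any product's: it scans a constructed sample email for deceptive links and a constructed hosts-file excerpt for entries that pin a bank's name to a non-loopback address. The domains, addresses and message text are all made up for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample email body of the kind this Alert describes (not a real message).
# The first and third links show the "visible text says one site, link goes to another" trick.
SAMPLE_EMAIL_HTML = """
<p>Dear customer, your account will be shut down unless you update your information.</p>
<p><a href="http://examplebank.com.account-verify.example.net/login">https://www.examplebank.com/login</a></p>
<p><a href="https://www.examplebank.com/help">Help center</a></p>
<p><a href="http://192.0.2.10/secure">www.examplebank.com</a></p>
"""

# Constructed hosts-file excerpt. The last line is the kind of entry a tampered file contains:
# the bank's name is pinned to an address the scammer controls, so typing the URL never reaches the bank.
SAMPLE_HOSTS = """
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
198.51.100.7    www.examplebank.com
"""


class AnchorCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Reduce a hostname to its last two labels (examplebank.com). IP literals are returned unchanged.
    This is a simplification; production code would consult a public-suffix list."""
    host = host.lower().rstrip(".")
    if re.fullmatch(r"[\d.]+|[0-9a-f:]+", host) and not re.search(r"[a-z]{2,}$", host):
        return host
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


# Matches visible link text that itself looks like a URL or bare domain, capturing the domain part.
DOMAIN_RE = re.compile(r"^(?:https?://)?(?:www\.)?([a-z0-9.-]+\.[a-z]{2,})(?:/.*)?$", re.I)


def find_deceptive_links(html, trusted_domain):
    """Return (href, text, reason) for links whose visible text names a different site than the href,
    or whose host merely embeds the trusted name inside a look-alike domain."""
    parser = AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.anchors:
        host = urlparse(href).hostname or ""
        href_dom = registered_domain(host)
        m = DOMAIN_RE.match(text)
        if m:
            text_dom = registered_domain(m.group(1))
            if text_dom != href_dom:
                findings.append((href, text, "visible text names %s but link goes to %s" % (text_dom, href_dom)))
                continue
        if trusted_domain in host and href_dom != trusted_domain:
            findings.append((href, text, "trusted name embedded in look-alike host %s" % host))
    return findings


def find_hosts_overrides(hosts_text, watched_domains):
    """Return (ip, hostname) pairs where a hosts file pins a watched domain to a non-loopback address."""
    hits = []
    for line in hosts_text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        ip, *names = line.split()
        if ip in ("127.0.0.1", "::1"):
            continue
        hits.extend((ip, n) for n in names if registered_domain(n) in watched_domains)
    return hits


if __name__ == "__main__":
    for href, text, reason in find_deceptive_links(SAMPLE_EMAIL_HTML, "examplebank.com"):
        print("DECEPTIVE LINK:", text, "->", href, "(%s)" % reason)
    for ip, name in find_hosts_overrides(SAMPLE_HOSTS, {"examplebank.com"}):
        print("HOSTS OVERRIDE:", name, "pinned to", ip)
```

Run against the constructed samples, the link check flags the two links whose displayed text names examplebank.com while the address underneath goes to a look-alike domain or a bare IP address, and passes the genuine help-center link; the hosts check reports the single entry that redirects the bank's name. The same logic applies to any mail body or hosts file you feed it.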


Seven Tips to Protect Yourself from Online Identity Theft


  1. Beware of email requesting personal information. Don't reply to or click on a link in an unsolicited email that asks for your credit card, bank or brokerage account information, passwords or PINs, Social Security number or other types of confidential information, even if it looks like the email comes from a financial institution with which you do business. When in doubt, log onto the main website of your credit card, bank or brokerage firm at the normal Web address you use, or call your firm using a telephone number that you know or one from a previous account statement to inquire about whether the request for information is legitimate. Alternatively, you can obtain the main office address and primary telephone number for any brokerage firm through FINRA BrokerCheck. You also can visit the Anti-Phishing Working Group's website to find out about some of the latest phishing attacks.


  2. Leave suspicious websites. If you think a website