When "Gone Phishing" Spells Trouble for You
Given that I haven’t made any recent attempts to access my account, I immediately wondered who had. A bit disturbed, I immediately tried to call the customer service number, which lo and behold gives the following recording: “Call 1-800-918-TALK, that’s 1-800-918 T-A-L-K, just 69 cents per minute.” (This is the point where in the movie version of my life, the film score will emit a duhn duhn duhn).
Dear Washington Mutual Customer:
For your security, the profile that you are using to access Washington Mutual Online Banking has been locked because of too many failed login attempts. You can unlock this profile online by selecting an option below:
Unlock your profile with:
My ATM/Visa Check Card number and PIN
Other personal information (SSN, Date of Birth, Account #, etc)
We regret any inconvenience this may cause you.
Washington Mutual Account Review Department.
Need help? Use "Site Helper" or call customer service at 1.800.788.7888.
Please do not "Reply" to this Alert.
©2005 Washington Mutual Financial Group. All rights reserved.
Now I knew that the message is bogus not in that someone else had attempted to access my account, but in that someone is trying to get me to release my personal information. Fortunately I hadn’t clicked on any of the given links, but I did scroll over them to reveal their destination, which turned out to be the third confirmation of a fraudulent message. The hyperlinks for “unlocking your profile” were to www.lynn-sanders.com/login.personal.wamu/unlock/SignOnError.php.
Who’s Lynn Sanders? The bank president? The same perverse curiosity that found the 69 cents per minute to be too much to follow up was given the go ahead to find out what’s behind http://www.lynn-sanders.com/. Unsurprisingly, nothing. My browser wouldn’t go there.
So, I give you these details in order to offer a first time warning for some and a reminder for others, of a practice known as phishing (pronounced fishing) that has nothing to do with driving around the country in a vintage 60s Volkswagen van, doused in patchouli and incense, making friendship bracelets to sell at the next Phish show, which I hear is no longer possible anymore. Darn. Anyway, the kind of phishing my experience illustrates is a type of Internet fraud whereby some clever bastards spoof legitimate web sites in order to get the gullible, naïve, ill-informed, distracted, or unlucky to hand over the keys to their financial identities. I had heard of it but have taken it only vaguely seriously until now because I’ve only ever received messages to entities with which I have no relationship such as Citibank. I don’t have an account with Citibank so whenever I get a message regarding problems with my Citibank account, I automatically know it’s a fake. But this one has taught me to be a little more savvy.
Several groups are taking this quite seriously, including the FBI and the National White Collar Crime Center (NWC3). They have partnered to create the Internet Fraud Complaint Center, whose mission is “to address fraud committed over the Internet. For victims of Internet fraud, IFCC provides a convenient and easy-to-use reporting mechanism that alerts authorities of a suspected criminal or civil violation. For law enforcement and regulatory agencies at all levels, IFCC offers a central repository for complaints related to Internet fraud, works to quantify fraud patterns, and provides timely statistical data of current fraud trends.” Unfortunately, when I tried to submit my complaint, the system was down.
No worries. The Anti-Phishing Working Group is also “committed to wiping out Internet scams and fraud” and offers worthwhile consumer advice on how to avoid phishing scams. It’s a good idea to forward your bogus email to them; of course, the email address they give contains a typo so it bounces. It’s firstname.lastname@example.org not .com.
The Federal Trade Commission also accepts notification of unsolicited commercial emails, which is their sanitized name for this public menace. Forward any malicious emails to email@example.com or firstname.lastname@example.org, though I’ve read that the former email address bounces a lot.
And of course, contact the institution being spoofed. If, by chance, you realize belatedly that you have given out info that you shouldn’t have, contact all of your financial institutions as soon as possible. When forwarding spoofed messages, always include the entire original email and keep the header information intact. Remember, it's a mad world. You gotta protect yourself before you wreck yourself.