This article explains what phishing is and includes tips on how to identify phishing schemes and follow best practices to avoid becoming a victim of online fraud. This article also describes how the 2007 Microsoft Office system helps to protect you from phishing schemes.
What is phishing?
Phishing (pronounced "fishing") is an online fraud technique used by criminals to lure you into disclosing your personal information.
There are many different tactics used to lure you, including e-mail and Web sites that mimic well-known, trusted brands. A common phishing practice uses spoofed messages that are disguised to look like they are from a well-known company or Web site, such as a bank, credit card company, charity, or e-commerce online shopping site. The purpose of these spoofed messages is to trick you into providing personally identifiable information (PII), that is, any information that can be used to identify a person (for example, a name, address, e-mail address, government ID, IP address, or any unique identifier associated with PII in another program), such as the following:
This information is used in many ways for financial gain. For example, a common practice is identity theft, whereby the thief steals your personal information, takes on your identity, and can then do the following:
- Apply for and get credit in your name.
- Empty your bank account and charge expenses to the limit of your credit cards.
- Transfer money from your investment or credit line accounts into your checking account, and then use a copy of your debit card to withdraw cash from your checking account at automated teller machines (ATMs) around the world.
For tips on how to avoid being the victim of online fraud, see the Best practices to help protect yourself from online fraud section later in this article.
Examples and characteristics of phishing schemes
Some examples of phishing schemes include:
- Fake e-mail messages: The message appears to be from a company that you do business with, warning you that they need to verify your account information, and if they don't get the information, your account will be suspended.
- A combination of auction fraud and phony escrow sites: This occurs when items are put up for sale at a legitimate online auction to lure you into making payments to a fake escrow site.
- Fake online sales transactions: A criminal offers to buy something from you and requests that he or she pay you an amount well over the price of the item the criminal is buying. In return, the criminal asks you to send him or her a check for the difference. The payment to you is not sent, but your check is cashed, and the thief keeps the difference. Additionally, the check that you send has your bank account number, bank routing code, address, and phone number, which the criminal can continue to use to get your money.
- Fake charities: This type of phishing scheme poses as a charity and asks for direct monetary donations. Unfortunately, many people want to take advantage of your generous nature.
- Fake Web sites: The Web sites can be made to look similar to legitimate sites. When you inadvertently visit them, the sites can automatically download malicious software, such as a virus (a computer program or macro that "infects" computer files by inserting copies of itself into those files; when the infected file is loaded into memory, the virus can infect other files, and viruses often have harmful side effects) or spyware. The spyware can then record the keystrokes that you use to log into personal online accounts. That information is sent back to the phisher. You can protect against this particular kind of attack by downloading and installing anti-spyware software, such as Microsoft anti-spyware software.
There are many more phishing schemes that people are using. For an up-to-date report on phishing schemes that authorities have uncovered, visit the Anti-Phishing Working Group Web site.
Typical characteristics of a phishing scheme
Unfortunately, as phishing attacks become more sophisticated, it is very difficult for the average person to tell whether an e-mail message or Web site is fraudulent. That is why phishing schemes are so prevalent and successful for criminals. For example, many phony e-mail messages and Web sites link to the real company logos of well-known brands, so they look legitimate. The following are a few characteristics that can help you recognize a phishing scheme:
- Requests for personal information in an e-mail message: Most legitimate businesses have a policy that they do not ask you for your personal information through e-mail. Be very suspicious of a message that asks for personal information even if it might look legitimate.
- Urgent wording: Wording in phishing e-mail messages is usually polite and accommodating in tone. It almost always tries to get you to respond to the message or to click the link that is included in the message. To increase the number of responses, phishers try to create a sense of urgency so that you immediately respond without thinking. Usually, spoofed e-mail messages are not personalized, though valid messages from your bank or e-commerce company generally are personalized. The following is an example from an actual phishing scheme:
Dear valued bank member, it has come to our attention that your account information needs to be updated due to inactive member, frauds, and spoof reports. Failure to update your records will result in account deletion. Please follow the link below to confirm your data.
- Attachments: Many phishing schemes ask you to open attachments, which can then infect your computer with a virus or spyware. If spyware is downloaded to your computer, it can record the keystrokes that you use to log into your personal online accounts. Any attachment that you want to view should be saved first, and then scanned with an up-to-date antivirus program before you open it. To help protect your computer, Outlook automatically blocks certain attachment file types that can spread viruses. If Outlook detects a suspicious message, attachments of any file type in the message are blocked. For more information, see How Outlook helps protect you from viruses, spam, and phishing.
- Fake links: People who create phishing messages are so sophisticated in their ability to create misleading links that it is impossible for the average person to tell whether a link is legitimate. It is always best to type the Web address or Uniform Resource Locator (URL), that is, an address that specifies a protocol (such as HTTP or FTP) and the location of an object, document, Web page, or other destination on the Internet or an intranet (for example, http://www.microsoft.com/), that you know is correct into your browser. Also, you can save the correct URL to your browser Favorites. Do not copy and paste URLs from messages into your browser. Some of the techniques that criminals have used to forge links are as follows:
- Link masks: Though the link that you are urged to click might contain all or part of a real company's name, the link can be "masked." This means that the link you see does not take you to that address but somewhere different, usually a spoofed Web site. Notice in this example that resting the pointer on the link in an Outlook message reveals another numeric Internet address in the box with the yellow background. This should make you suspicious. Keep in mind that even the link in the box with the yellow background can be spoofed to look like a trustworthy Web address.
Also, be aware of URLs that include the @ sign. In the https://email@example.com/secure_verification.aspx example, the URL would take you to the location that comes after the @ sign, not to Wood Grove Bank. This is because browsers treat everything between the // and the @ sign as user-name information, not as the address of the site.
The real location, nl.tv/secure_verification.aspx, could easily be an unsafe site.
- Homographs: A homograph is a word with the same spelling as another word but with a different meaning. In computers, a homograph attack is a Web address that looks like a familiar Web address but is actually altered. The purpose of spoofed Web links that are used in phishing schemes is to deceive you into clicking the link. For example, www.microsoft.com could appear instead as:
In more sophisticated homograph attacks, the Web address looks exactly like that of a legitimate Web site. This occurs when the domain name (the address of a network location, in the format server.organization.type, that identifies its owner; for example, www.whitehouse.gov identifies the Web server at the White House, which is part of the U.S. government) was created by using alphabet characters from different languages, not just English. For example, the following Web address looks legitimate, but what you can't see is that the "i" is a Cyrillic character from the Russian alphabet:
Phishers spoof the domain names of banks and other companies in order to deceive consumers into thinking they are visiting a familiar Web site. Special software is needed to detect these kinds of spoofed domain names in Web addresses. See the next section to learn more about how the 2007 Office release helps protect you from links that attempt to lead you to suspicious Web sites.
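The two link tricks described above, the @ sign that hides the real destination and the mixed-alphabet homograph, can both be caught mechanically. The following checker is an added example written for this article, not part of the Office help page or of Office itself; the sample links are constructed, and the "expected host" is simply the site the user believes the link leads to.

```python
# Added example (not from the Office help article): a small link checker for the
# two tricks described above, the "@" link mask and the mixed-script homograph.
from urllib.parse import urlsplit
import unicodedata

# Constructed sample links: the article's "@" example and a homograph of
# www.microsoft.com whose second letter is Cyrillic i (U+0456), not Latin i.
SAMPLE_LINKS = [
    "https://www.microsoft.com/",
    "https://email@example.com/secure_verification.aspx",
    "https://www.m\u0456crosoft.com/",
]

def real_host(url):
    """Host a browser actually connects to. Text before '@' in the authority
    is user-name information, so https://email@example.com/ goes to example.com."""
    return urlsplit(url).hostname or ""

def has_userinfo(url):
    """True when the link carries an '@' in its authority (the link-mask trick)."""
    return urlsplit(url).username is not None

def letter_scripts(host):
    """Unicode scripts of the letters in host, read from the first word of each
    character's Unicode name ('LATIN', 'CYRILLIC', ...). One alphabet, one script."""
    return {unicodedata.name(c, "UNKNOWN").split()[0] for c in host if c.isalpha()}

def punycode_host(host):
    """ASCII (xn--) form the browser resolves; hidden non-Latin letters show up
    here because such a label is rewritten with an xn-- prefix."""
    return host.encode("idna").decode("ascii")

def assess(url, expected_host):
    """Findings for one link, given the host the user believes the link leads to."""
    host = real_host(url)
    return {
        "host": host,
        "punycode": punycode_host(host),
        "userinfo_trick": has_userinfo(url),
        "mixed_script": len(letter_scripts(host)) > 1,
        "matches_expected": host == expected_host,
    }

def suspicious_links(links, expected_host):
    """Links that fail any check: masked host, mixed scripts, or wrong host."""
    bad = []
    for u in links:
        r = assess(u, expected_host)
        if r["userinfo_trick"] or r["mixed_script"] or not r["matches_expected"]:
            bad.append(u)
    return bad
```

Running suspicious_links(SAMPLE_LINKS, "www.microsoft.com") flags the second and third links; the "punycode" field of assess() shows the xn-- label that reveals the Cyrillic letter.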
How can Office help protect me from phishing and homograph attacks?
Suspicious links in documents
By default, the 2007 Office release displays security alerts in the following situations:
- You have a document open and you click a link to a Web site with an address that has a potentially spoofed domain name.
- You open a file from a Web site with an address that has a potentially spoofed domain name.
The following alert appears when you click a link to a Web site that uses a potentially spoofed domain name.
You can then choose whether to continue to visit the Web site. In this situation, we recommend that you click No. This functionality helps to protect against homograph attacks. For more information, see Enable or disable warnings about links to and files from suspicious Web sites.
Suspicious links in e-mail messages
By default, Microsoft Office Outlook 2007 does the following to a suspicious message:
- If the Junk E-mail Filter does not consider a message to be spam but does consider it to be phishing, the message is left in the Inbox, but any links in the message are disabled and you cannot use the Reply and Reply All functionality.
- If the Junk E-mail Filter considers the message to be both spam and phishing, the message is automatically sent to the Junk E-mail folder. Any message sent to the Junk E-mail folder is converted to plain text format and all links are disabled. In addition, the Reply and Reply All functionality is disabled. The InfoBar alerts you to this change in functionality.
If you click a link that was disabled in a phishing message, the following Outlook Security dialog box appears.
If you want to continue to be alerted to potential security risks, click OK. If you don't want to keep getting the warning, select the Please do not show me this dialog again check box.
For more information, see Enable or disable links and functionality in phishing messages.
Best practices to help protect yourself from online fraud
- Never reply to e-mail messages that request your personal information: Be very suspicious of any e-mail message from a business or person who asks for your personal information — or one that sends you personal information and asks you to update or confirm it. Instead, use the phone number from one of your statements to call the business. Do not call a number listed in the e-mail message. Similarly, never volunteer any personal information to someone who places an unsolicited call to you.
- Don't click links in suspicious e-mail: Don't click a link in a suspicious message. The link might not be trustworthy. Instead, visit Web sites by typing their URL into your browser or by using your Favorites link. Do not copy and paste links from messages into your browser.
- Don't send personal information in regular e-mail messages: Regular e-mail messages are not encrypted and are like sending a post card. If you must use e-mail messages for personal transactions, use Outlook to digitally sign and encrypt messages by using S/MIME security. MSN, Microsoft Hotmail, Microsoft Outlook Express, Microsoft Office Outlook Web Access, Lotus Notes, Netscape, and Eudora all support S/MIME security.
- Do business only with companies that you know and trust: Use well-known, established companies with a reputation for quality service. A business Web site should always have a privacy statement that specifically states that the business won't pass your name and information to other people.
- Make sure the Web site uses encryption: The Web address should be preceded by https:// instead of the usual http:// in the browser's Address bar. Also, double-click the lock icon on your browser's status bar to display the digital certificate for the site. The name that follows Issued to in the certificate should match the site that you think you are on. If you suspect that a Web site is not what it should be, leave the site immediately and report it. Don't follow any of the instructions that it presents.
- Help protect your PC: It is important to use a firewall, keep your computer updated, and use antivirus software, especially if you connect to the Internet through a cable modem or a digital subscriber line (DSL) modem. For information on how to do this, visit Protect your PC. For additional information on virus protection, see Best practices for protection from viruses and Best practices to help prevent spam. You should also consider using anti-spyware software. You can download Microsoft anti-spyware or use a third-party product available from the security software downloads and trials site.
- Monitor your transactions: Review your order confirmations and credit card and bank statements as soon as you receive them to make sure that you are being charged only for transactions you made. Immediately report any irregularities in your accounts by dialing the number shown on your account statement. Using just one credit card for online purchases makes it easier to track your transactions.
- Use credit cards for transactions on the Internet: In most locales, your personal liability in case someone compromises your credit card is significantly limited. By contrast, if you use direct debit from your bank account or a debit card, your personal liability frequently is the full balance of your bank account. In addition, a credit card with a small credit limit is preferable for use on the Internet because it limits the amount of money that a thief can steal in case the card is compromised. Better yet, several major credit card issuers are now offering customers the option of shopping online with virtual, single-use credit card numbers that expire within one or two months. If the service is available in your country, your bank can provide you with details about perishable virtual credit card numbers.
If you need more tips on safer online shopping and banking, visit the Online Fraud Web site.
How do I report online fraud and identity theft?
If you think that you received a fraudulent e-mail message, you can report the problem and attach the suspicious message. Reporting suspicious messages to authorities helps in the effort to combat phishing schemes.
- In Outlook, select, but don't open, the message that you want to report.
- On the Actions menu, click Forward As Attachment, or press CTRL+ALT+F.
- In the To line, type the e-mail address of the company to whom you are reporting the phishing message. Some e-mail addresses that you can use to report suspicious mail are: