Don’t Take the Bait!
    Avoid Getting Hooked by “Phishers”

You’ve probably heard a lot about identity theft—people stealing others’ personal information to use for illegal purposes.  In a relatively new scheme called “phishing,” ID thieves trick people into providing their Social Security numbers, financial account numbers, PIN numbers, mothers’ maiden names and other personal information by pretending to be someone they’re not.

The most common form of phishing is by e-mail.  Pretending to be from a legitimate retailer, bank or government agency, the sender asks to “confirm” your personal information for some made-up reason.  Typically, the e-mail contains a link to a phony web site that looks just like the real thing.  You enter your personal information on the web site—and into the hands of identity thieves.

Phishers also use the phone to hunt for personal information.  Some, posing as employers, call or send e-mails to people who have listed themselves on job-search web sites.

  • Be suspicious if someone contacts you unexpectedly and asks for your personal information.  It’s a warning sign that something is “phishy.”  Legitimate companies and agencies don’t operate that way. 
  • Don’t click on links in e-mails that ask you to provide personal information.  Even if the e-mail address appears to belong to a legitimate company, it may contain hidden characters that will reroute your information elsewhere.  To check whether an e-mail or call is really from the company or agency, call them directly or go to their web site (use a search engine to find it).
  • Job-seekers should also verify the person’s identity before providing personal information to someone claiming to be a prospective employer.

The extent of the phishing problem is staggering.

  • 43% of the respondents to a May 2005 consumer survey indicated that they had received a phishing contact.  Of those recipients, 5% (or approximately 4.5 million people) provided the requested personal information.  Nearly one-half of the phishing victims also reported that their information was used to make an unauthorized transaction, open an account, or commit another type of identity theft.
  • The IRS reported receiving more than 8,100 reports from consumers who received bogus e-mails purportedly from the IRS over a 7 month period.  (See the July 2006 Wall Street Journal article for information about e-mails supposedly sent by the IRS.)
  • In the month of May 2006, the Anti-Phishing Working Group received 20,109 reports of phishing.
  • For actual examples of phishing e-mails, visit the web site of the Anti-Phishing Working Group.

If you have given your account number, PIN or password to a phisher, immediately notify the companies where you have those accounts.  For information about how to put a “fraud alert” on your files at the credit-reporting bureaus, as well as a wealth of other advice for ID theft victims, contact the Federal Trade Commission’s ID Theft Clearinghouse at or by calling toll-free, 877-438-4338.  The TDD number is 202-326-2502. 

Even if you haven’t been hooked, please report phishing attempts to the company or agency that is being impersonated.  You should also report the problem to the National Consumers League’s National Fraud Information Center at or 800-876-7060 (TDD 202-835-0778).