Email theft: 5 ways to avoid phishing attacks

April 4, 2011

People browse web at an Internet cafe in Madrid May 23, 2008. REUTERS/Andrea Comas

With the extraordinary theft of millions of email addresses collected by some of the nation’s biggest companies, it’s time to think about the likely result — phishing attacks — and how to avoid becoming a victim.

If you have accounts with Citigroup, Capital One, The College Board, Walgreen, HSN or TiVo there’s a reasonable chance some con artist is trying to figure out how to get in touch with you — and not to be Facebook friends. They want to dupe you into giving them more information than they have right now.

Here’s what they’ve got: Your name (maybe just your first name) and your email address. Here’s what they want: The good stuff like your home address, phone number, Social Security Number and — of course — account numbers. Now they’re going to release a hailstorm of somewhat targeted emails intended to get you to believe they’re real, perhaps even referencing the theft itself.

Don’t just assume you’re too smart to become a victim. Thousands of consumers every month fall victim. These are not just people who are gullible or lack web savvy.

All sorts of people fall victim because the crooks have gotten very sophisticated, perfectly (sometimes) mimicking real communications from companies you do business with.

The big difference — and what you need to watch out for — is that the phishing emails are going to be angling for information from you. The real companies would never ask you for that kind of information in an email. Sometimes their attempts to con you will be well masked, like asking you to click on a link to go to their site to “update” your account information or some such ruse. Here are five ways to avoid phishing attacks.

Don’t click links in your emails. In most browsers, you can run your mouse over a link to see where it really goes. The crooks will often create URLs intended to confuse you — instead of they might use yourbank/accounts/ and hide the real URL somewhere way over to the right.

Get a good virus protection program installed and then make sure to update it regularly.

DO NOT call phone numbers in the emails and DO NOT click the links in them. If you have a question about a credit card communication, for instance, call the customer service number on your card or bill. If you need to update account information online, do that only by logging into an established site that you’ve already used.

NEVER email personal or financial information. Be sure to read your credit card and bank statements immediately. Fraud protections on cards, in particular, are good but are time-limited. So raise a red flag as soon as you see suspicious charges. You’ve typically got 60 days from the time the fraudulent charge appears on your bill.

If you get a phishing email, notify the company or agency that was being impersonated and forward the email to this federal government email address: That’s the Federal Trade Commission, which collects the complaints to determine whether action can be taken, but does not deal with an individual consumer’s situation. You should also complain to the Internet Crime Complaint Center, an anti-internet crime venture involving the FBI, the Bureau of Justice Statistics and the National White Collar Crime Center.

One comment


[…] of the emails offer general warnings about how to avoid phishing attacks — a company email to report any phishing attacks, the most likely consequence of the data breach. […]

Posted by Email theft: Is your company sorry?

It may sound extreme, but consider limiting or not doing financial business on the web. Online access to bank and credit card accounts simply creates opportunities for fraud. I can easily recognize phishing emails, because I don’t have online access to my bank and credit card accounts. I can call them for information in real time, and I get written statements monthly. Maybe too much access is too much access.

Posted by ZenRuth

[…] And similar to the major email breach of a couple of weeks ago, those who did business with Sony PlayStation need to watch their emails for further attacks and attempts to get even more personal and financial information. (Some tips for avoiding phishing attacks.) […]

Posted by Sony PlayStation users: How to fight a data breach | Prism Money

[…] reports of privacy invasions have made it imperative that we do more to put consumers in the driver’s seat when it comes to […]

Posted by Consumer groups embrace “do not track” bill | Prism Money