
Phishing, Smishing, Vishing and Pharming


Are you familiar with the terms phishing and pharming? If you spend any time surfing the internet, paying bills or banking online, these are terms you need to understand. Both phishing and pharming are Identity Theft scams designed to obtain your personal information. To stay up-to-date with these scams, follow us on Facebook.

Phishing: The term "phishing" (as in fishing for confidential information) refers to a broad scam that involves the theft of your personal and/or financial information by crooks who use the Internet or telephone to lure you into revealing your user names, passwords, bank account numbers, Social Security number, credit card numbers, expiration dates, PIN numbers, billing addresses, and telephone numbers. A species of phishing is "whaling," where the attack is focused on senior management who would have access to more sensitive data, or the power to order lower-level staff to release sensitive data to the scammers. Another form is called "spear-phishing," where the attack is focused on an individual. The key difference between whaling and spear-phishing is that whaling attacks target specific, high-ranking victims within a company, whereas a spear-phishing attack can be used to target any individual. Vishing is phishing via voice calls. Finally, "smishing" is a security attack that tricks you into clicking on links in texts or downloading harmful programs to your cell phone.

Pharming:  Refers to a more sophisticated form of "phishing."  Rather than spamming you with e-mail requests, "pharmers" secretly plant a virus, spyware or malicious program that "poisons" your Domain Name Server (DNS) and hijacks the web browser in your computer.  As a result, when you type in the address of a legitimate website, like that of your bank, credit card company or retailer, the planted program redirects you to a fraudulent site.  As far as your browser is concerned, however, you are connected to the right site.  Unfortunately, just watching the address bar on your Internet browser won't inform you of any hijacks because the URL and the fake site will look just like the legitimate site. The danger of pharming is that you don't have to click an e-mail link to be taken to the fake site where you unknowingly hand over your personal information to identity thieves.

Phishing scams work like this: a scammer sends out an e-mail or instant message, posing as a legitimate organization, and requests your personal information. This type of scam works only if you willingly give the scammer your information.

So how do you avoid falling into this trap?

  • If you receive an e-mail or instant message which requires your personal information, do not respond. Instead, contact the organization directly.
  • If a link is provided in an e-mail or instant message requesting your personal information, do not click on the link. The link that was provided could take you to a fake "mirror" site. These sites are designed to look like the official site and are used to record and fraudulently use your personal information.
  • Delete e-mails that come from unknown sources.

Avoiding a pharming scam is much more complicated than simply not responding to an e-mail or instant message. Pharmers secretly attack your computer and infect your Domain Name Server (DNS). Once your DNS becomes infected, you are at the mercy of the scammer. When you enter the address of a legitimate site, like that of your bank, credit card company or retailer, the planted program redirects you to a fake "mirror" site. These sites are made to look like the official site, but are designed only to record your personal information for future fraudulent use.

Because it is much harder to detect this type of scam, the following precautions should be taken before sharing any personal information over the internet:

  • Check the website's address. Before entering any personal information in a website, check to make sure the correct address is displayed. Standard website Uniform Resource Locators (URL) begin with: "http". When entering personal information, make sure that the URL begins with: "http(s)". The "s" stands for secure.
  • Verify that the website has a security certificate. This can be done by choosing "file" and then selecting "properties," or by right-clicking on the webpage and selecting "properties." Once in the "properties" screen, select "certificates" to see if the site carries a security certificate from the legitimate owner.
  • Install anti-virus software. By installing anti-virus software on your computer, you reduce your exposure to pharming and other scams.
  • Use a personal firewall. In order to protect your data from hackers, viruses, worms, and Trojan horses, make sure you have a firewall on your computer or network.
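
The address check from the first precaution can be written down as code. The following is an added example, not part of the original page; it generalizes the "https" check to a few other ways an address can differ from the one you meant to visit. The name `bank.example` and the sample addresses are constructed placeholders.

```python
from urllib.parse import urlsplit

# Assumption: the site you meant to visit (placeholder, not a real bank).
EXPECTED_HOST = "bank.example"

def check_address(url, expected_host=EXPECTED_HOST):
    """Return a list of reasons not to enter personal information at `url`."""
    problems = []
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").rstrip(".")  # hostname is already lowercased

    # The page's rule: the address must begin with "https", not plain "http".
    if parts.scheme != "https":
        problems.append("address does not begin with https")
    # Anything before an "@" is login data, not the site name.
    if parts.username or parts.password:
        problems.append("text before '@' is not the site name")
    # Non-ASCII letters (or their "xn--" encoded form) can imitate ASCII ones.
    if not host.isascii() or any(p.startswith("xn--") for p in host.split(".")):
        problems.append("host contains non-ASCII (internationalized) characters")
    # The host must be the expected name or a subdomain of it; a name that
    # merely starts with the expected text belongs to someone else.
    if host != expected_host and not host.endswith("." + expected_host):
        problems.append(f"host is {host!r}, not {expected_host!r}")
    return problems

# Constructed sample addresses for illustration only.
SAMPLES = [
    "https://www.bank.example/login",
    "http://bank.example/login",
    "https://bank.example.login.test/",
    "https://bank.example@login.test/",
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(url, "->", check_address(url) or "no problems found")
```

A clean result only says the address is the expected one; the certificate check in the next precaution is what ties that address to its legitimate owner.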

If you suspect that an e-mail or website is fraudulent, report the information to the legitimate bank, company, or government agency, using a phone number or e-mail address from a reliable source. For example, if your bank's webpage looks different or unusual, contact the institution directly to confirm that you haven't landed on a copycat website set up by criminals. If the website is not legitimate, contact the Internet Crime Complaint Center, a partnership between the FBI, the National White Collar Crime Center, and the Bureau of Justice Assistance.

If you have been a victim of identity theft, visit OCP's Identity Theft webpage for information on how to combat identity theft.