
Email Fraud and Personal Information

Question: What must you do when you receive email stating that your personal bank account has been compromised and that you must immediately go to a web site to enter your personal account information in order to preserve account security? For your convenience (and ensured security) you may be able to use your social security number as both the login and password to enter their secure server.

Answer: You must recognize that it is nearly certain that this is a fraudulent communication attempting to get you to provide your account information so that the perpetrators can drain your bank account funds and use your credit card to make charges you know nothing about.

These sorts of email "phishing" attempts have been common on the Internet for the past year. They look genuine but they are not. In recent days people at Colby have received notices that appear to have come from banks doing business in our area giving this kind of warning, with a link to a web page that has no relation to the financial institution. The email looks very well crafted, even having the logo used by the bank. These are efforts to trick you into providing personal information that can be used to gain access to your banking resources.

I received one of these today, apparently from Washington Mutual. I had never even heard of this financial institution. A link in the message has text indicating that it is the web page for logging into a personal account for Washington Mutual. However, the link actually connects to a computer in Hong Kong (only the numerical IP address is displayed; I had to do some investigating to find out where in the world it is located) but the web page looks identical to the genuine Washington Mutual web page. It even has the same link for information about protecting you against fraud.

How do you know that email like this is fraudulent?

First, always be skeptical about the legitimacy of email you receive. Realize that there is no authentication process required for what is put in the "sender's" address. Just because the sender appears to have an email address at a bank does not mean the person actually sending the email has anything to do with that bank. The content may or may not be genuine. It may look official. The grammar and punctuation might even be correct! However, anyone can craft an email message that looks genuine and seems urgent.

Second, if you click on a link in an email message and it takes you to a web address that is different from the one listed, you should immediately be suspicious. There is danger in merely clicking on a link because the web site may attempt to install a virus or other dangerous software on your computer.

Third, if you have missed the warning signals up to this point and have gone to the linked page and are being asked to enter personal financial information (social security number, credit card numbers, ATM card numbers and PINs, account names or passwords, etc.) STOP and close the browser. Financial institutions would never ask for this assortment of information on-line or by telephone.
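
The two link warning signs described above (a link that goes to a bare numerical IP address, and link text that names one site while the link itself goes to another) can be checked mechanically in an HTML message body. The following is an added example, not part of the original article or of any Colby ITS tool; the function names, the reason labels and the sample message are assumptions constructed for illustration.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

class AnchorCollector(HTMLParser):  # gathers (href, visible text) for each <a>
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = (dict(attrs).get("href") or "").strip(), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(value):
    """Host of a URL or bare host name, without a leading 'www.'; None for plain words."""
    if len(value.split()) != 1:
        return None
    try:
        host = (urlsplit(value if "://" in value else "http://" + value).hostname or "").rstrip(".")
    except ValueError:
        return None
    return host.removeprefix("www.") if "." in host else None

def is_ip(host):
    try:
        return ipaddress.ip_address(host) is not None
    except ValueError:
        return False

def link_reasons(href, text):  # warning signs for one link; [] when none apply
    target, shown = host_of(href), host_of(text)
    checks = {"numeric-ip-target": bool(target) and is_ip(target),
              "text-host-mismatch": bool(target and shown) and shown != target}
    return [name for name, hit in checks.items() if hit]

def audit_links(html):  # -> [(href, reasons)] for every flagged link in an HTML body
    parser = AnchorCollector()
    parser.feed(html)
    return [(h, why) for h, text in parser.links if (why := link_reasons(h, text))]

# Constructed sample body; the bank name and address are documentation-only values.
SAMPLE_HTML = ('<a href="http://192.0.2.15/secure/">https://www.examplebank.test/login</a>'
               '<a href="https://www.examplebank.test/fraud">Fraud information</a>')
```

Checks like this are heuristics and are subject to the erroneous warnings and missed links the article describes below for link-flagging software.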

What do you do if you have been duped into providing your personal account information? Act immediately to protect your accounts and your credit rating.

The link below provides a good overview of the problem and how you can protect yourself. This page was developed by the Office of the Comptroller of the Currency in the U.S. Department of the Treasury:

http://www.occ.gov/consumer/phishing.htm

Here is what they recommend:

If you fall victim to an attack, act immediately to protect yourself. Alert your financial institution. Place fraud alerts on your credit files. Monitor your credit files and account statements closely. Report suspicious e-mails or calls to the Federal Trade Commission through the Internet at www.consumer.gov/idtheft or by calling 1-877-IDTHEFT.

Finally, why doesn't ITS just block all email like this or insert a warning somewhere in the email that it is fraudulent? Discriminating between legitimate and fraudulent communication is very difficult. Many of us routinely do on-line financial transactions (Amazon.com, Barnes and Noble, eBay, airline companies, etc.) and most of those have an email verification component. Applying filters that block email from what appears to be a financial company having links that appear suspicious will inevitably block some of this authentic email that we must receive. We tried some software that is designed to flag suspicious links in email but in our initial use it inserted many erroneous warnings and almost always missed the fraudulent links, leading me to discontinue its use until improvements in the software are made.

It is primarily up to each person to use caution regarding the actions taken when receiving any email of this sort.

Ray Phillips, Dir. of ITS

© Colby College   Information Technology Services   4200 Mayflower Hill Drive   Waterville, Maine 04901
T: 207-859-4201   F: 207-859-4186
Last Modified: 11/27/07 3:20:26 PM