Phishing is a scam in which the attacker sends an email purporting to be from a valid financial or ecommerce provider. The email tries to trick recipients into clicking a link which leads to a spoofed website that only looks like the real bank or ecommerce site. If the recipient enters their login details on the fake website, their credentials will be sent to the attackers. Using this method, attackers are often able to gain not only the login username and password, but quite often the victim also divulges their credit card and other sensitive financial and personal information.
If you've received a phishing email and fallen victim to it, stop reading now and contact your financial institution(s) immediately by phone or in person.
If you've received a phishing email, haven't fallen victim, but want to report the email, here's how.
- You can usually send a copy to abuse@DOMAIN.com where DOMAIN.com signifies the company to which you are directing the email. For example, firstname.lastname@example.org is the email address for sending phishing emails purporting to be from SunTrust Bank.
- If in the United States, you can also forward a copy to the Federal Trade Commission (FTC) using the address email@example.com.
- If you aren't in the U.S. and the abuse@DOMAIN.com address bounces, you can visit the real website by using a pre-existing bookmark in your browser or typing the known good URL (link) into your browser. Do not use the link included in the phishing email! Once on the site, look for a viable contact resource. For example, at the very bottom of the page on the eBay website is a link titled "Security & Resource Center". Following that link takes you to a page that instructs you on how to submit "suspicious-looking email that appears to be from eBay or PayPal and you want eBay to take action." If you can't find a specific security resource, try looking for general contact or support contact details on the website.
- If you still can't find suitable contact details and you're not ready to give up, you can always do a domain name lookup, referred to as a whois, and get the contact details that way. Keep in mind that whois information is often grossly out-of-date and the email addresses listed therein are frequently unmonitored accounts. Still, it's worth a shot. Popular whois servers include APNIC, ARIN, and Network Solutions.
Whichever method you choose, be sure to forward the email as an attachment so that the HTML encoding and header information are preserved; otherwise the email will be of little use for investigative purposes.
- Also see: How to Forward eMail as an Attachment
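To show why forwarding as an attachment matters, here is an added example (not part of the original article) that wraps a suspicious message in a message/rfc822 attachment with Python's standard email library and then checks that the original Received chain, From line and HTML body survive the round trip. The sample phishing message, the reporter address and the abuse@ destination are all constructed placeholders.

```python
"""Forward a suspicious email as a message/rfc822 attachment so the original
headers survive, then verify they are still intact in the forwarded copy."""
from email import message_from_bytes, policy
from email.message import EmailMessage

# Constructed sample phishing message; every header value here is invented.
SAMPLE_PHISH = b"""\
Received: from mail.example.net (192.0.2.10) by mx.example.org; Mon, 1 Jan 2024 10:00:00 +0000
From: "Example Bank" <security@example-bank.invalid>
To: victim@example.org
Subject: Urgent: verify your account
Content-Type: text/html; charset=us-ascii

<html><body><a href="http://login.example-bank.invalid/">Verify now</a></body></html>
"""


def forward_as_attachment(raw: bytes, to_addr: str, sender: str) -> EmailMessage:
    """Build a new message that carries the original as an unmodified attachment."""
    original = message_from_bytes(raw, policy=policy.default)
    fwd = EmailMessage(policy=policy.default)
    fwd["From"] = sender
    fwd["To"] = to_addr
    fwd["Subject"] = "FW: suspected phishing: " + (original["Subject"] or "")
    fwd.set_content("Forwarding a suspected phishing email as an attachment for analysis.")
    # Attaching the parsed message yields a message/rfc822 part, which keeps the
    # Received chain and the HTML body byte-for-byte; an inline forward would
    # replace the headers with the forwarder's own and re-render the body.
    fwd.add_attachment(original)
    return fwd


def extract_attached_headers(fwd: EmailMessage) -> dict:
    """Read the preserved headers back out of the attachment, as an abuse desk would."""
    for part in fwd.iter_attachments():
        if part.get_content_type() == "message/rfc822":
            inner = part.get_payload(0)  # the embedded EmailMessage
            return {
                "received": inner.get_all("Received") or [],
                "from": inner["From"],
                "subject": inner["Subject"],
                "html": inner.get_body(preferencelist=("html",)).get_content(),
            }
    return {}


def roundtrip_and_extract(fwd: EmailMessage) -> dict:
    """Serialize the forward as a mail client would, re-parse it, and extract."""
    received = message_from_bytes(fwd.as_bytes(), policy=policy.default)
    return extract_attached_headers(received)
```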