Phishing and Identity Theft
Phishing (pronounced fishing) e-mail messages have targeted countless consumers, especially customers of larger, high-profile banks. A typical phish message will attempt to steer a customer to another Internet site (or a pop-up site) that appears to be the site of the customer’s institution. The original phish message encourages the customer to provide personal financial and account information on the unauthorized Web site, thereby leading to identity theft. These unauthorized phish Web sites have become increasingly authentic-looking and have even targeted credit reporting agencies and bank regulators.
The phishers have been able to remain relatively anonymous so far due to the ability to spoof or fake e-mail messages. Various working groups are attempting to come up with authentication solutions to combat phishing. For now, financial institutions should caution their customers that their institution will not make unsolicited requests in an e-mail message for personal customer information, such as social security numbers. Whenever customers are unsure of an unsolicited e-mail or other request, they should be encouraged to contact their institution first.
In addition to phishing e-mails, customers have been victims of identity theft through telephone calls and regular mailings. For example, one scheme involves sending a survey form to an institution’s customer, requesting personal information along with survey responses.
Below you will find links to various websites with information on phishing and other scams aimed at obtaining consumers' personal information. For information specific to Identity Theft, you may also want to reference our Identity Theft page under Subject of Your Inquiry.
The Federal Deposit Insurance Corporation issued broad phishing guidance in FIL 103-2004 at:
http://www.fdic.gov/news/news/financial/2004/fil10304.html
The Federal Deposit Insurance Corporation (FDIC), a participant in the government-wide Identity Theft Task Force, provided a direct link to the centralized government Web site on identity theft. The site, www.idtheft.gov, was launched on April 23, 2007. The Strategic Plan, which represents the input of 17 Federal agencies, including the FDIC, sets out recommendations to prevent identity theft, to assist identity theft victims in recovering from those crimes, and to prosecute and punish identity theft-related criminals.
The Federal Reserve Board issued its guidance in SR 04-14 at:
http://www.federalreserve.gov/boarddocs/SRLETTERS/2004/sr0414.htm
Credit unions can obtain guidance in National Credit Union Administration Letter 04-CU-12, available at http://www.ncua.gov/.
Institutions and customers are also encouraged to review the Federal Deposit Insurance Corporation’s Consumer Alert Web page for comprehensive phishing information at: http://www.fdic.gov/consumers/consumer/alerts/index.html
On the above site, a helpful informational brochure can be downloaded and provided to customers at:
http://www.fdic.gov/consumers/consumer/fighttheft/index.html
ONLINE FRAUD, “PHARMING”
FDIC Discusses Pharming
The FDIC issued guidance in 2005 to help banks guard against “pharming” fraud, where bank customers are redirected to false Web sites to capture personal information. The agency said that while pharming is similar to phishing, the two represent different approaches in how victims are lured to bogus Web sites. For example, pharming may be used on an Internet banking customer who routinely logs in to his/her online banking Web site and is redirected to an illegitimate Web site. FDIC said pharming may occur in these four ways: static domain name spoofing, where the criminal attempts to take advantage of slight misspellings in domain names to trick users into inadvertently visiting the pharmer's Web site; malicious virus software that secretly captures data on consumers' personal computers to redirect the users; domain hijacking, where the hacker steals the legitimate Web site; and DNS poisoning, where Internet Domain Name Servers are corrupted and direct users to a Web site other than the one requested. To help prevent pharming attacks, FDIC called on banks to use digital certificates, diligently manage their domain names, monitor for DNS poisoning and educate consumers. Read more: http://www.fdic.gov/news/news/financial/2005/fil6405a.html
WHAT TO LOOK FOR, WHAT CAN BE DONE?
Pharming, another form of identity theft, is accomplished by redirecting Web users from legitimate commercial Web sites to fake ones. A number of techniques are used to accomplish this, including viruses that change settings on end users' computers and DNS poisoning. DNS stands for the Domain Name System. The DNS translates Web or e-mail addresses into numerical strings, making it possible for end users to type in “XYZbank.com” rather than a string of numbers. If a DNS directory is altered to contain false information regarding which Web address is associated with a numeric string, users can be sent to an illegitimate Web site even if the correct address was typed. It is difficult for even the most computer-savvy user to detect that it is a fake site.
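The two monitoring tasks named above, managing domain names against slight misspellings and watching for DNS poisoning, can be sketched as follows. This is an added example, not FDIC material: the domain `xyzbank.com`, the resolver labels, the expected address range and all sample records are constructed for illustration.

```python
import ipaddress

# Constructed sample data: names and addresses are illustrative only.
LEGIT_DOMAIN = "xyzbank.com"
EXPECTED_NETS = [ipaddress.ip_network("192.0.2.0/28")]  # assumed hosting range
OBSERVED_ANSWERS = [  # (resolver label, queried name, A record returned)
    ("resolver-a", "xyzbank.com", "192.0.2.10"),
    ("resolver-b", "XYZbank.com.", "192.0.2.11"),
    ("resolver-c", "xyzbank.com", "203.0.113.77"),
]
OBSERVED_DOMAINS = ["xyzbank.com", "xyzbnak.com", "xyzbannk.com",
                    "xyz-bank.com", "example.org"]

def normalize(name):
    """DNS names are case-insensitive and may carry a trailing root dot."""
    return name.rstrip(".").lower()

def edit_distance(a, b):
    """Edit distance counting an adjacent-letter swap as one edit."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = int(a[i - 1] != b[j - 1])
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]

def lookalikes(legit, candidates, max_dist=2):
    """Names close to, but not equal to, the institution's domain."""
    legit = normalize(legit)
    return [c for c in candidates
            if normalize(c) != legit and edit_distance(legit, normalize(c)) <= max_dist]

def unexpected_answers(records, name, nets):
    """Resolver answers for `name` that fall outside the expected networks."""
    flagged = []
    for resolver, qname, addr in records:
        if normalize(qname) != normalize(name):
            continue
        if not any(ipaddress.ip_address(addr) in net for net in nets):
            flagged.append((resolver, addr))
    return flagged

if __name__ == "__main__":
    print("lookalike domains:", lookalikes(LEGIT_DOMAIN, OBSERVED_DOMAINS))
    print("unexpected answers:", unexpected_answers(OBSERVED_ANSWERS, LEGIT_DOMAIN, EXPECTED_NETS))
```

An answer outside the expected range is a prompt to investigate rather than proof of poisoning, since legitimate hosting changes produce the same signal.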
OTHER INFORMATION RESOURCES/WEBSITES:
http://www.ftc.gov/bcp/edu/microsites/idtheft/
http://onguardonline.gov/index.html
Associated Document(s):
DemandDraftFraud_gar.doc
Pharmingarticle.pdf
