Phishing scams: Everything you need to know

Phishing (pronounced “fishing”) is a type of online identity theft. It uses email and fraudulent websites that are designed to steal your personal data or information such as credit card numbers, passwords, account data, or other information.

Con artists might send millions of fraudulent email messages with links to fraudulent websites that appear to come from websites you trust, like your bank or credit card company, and request that you provide personal information. Criminals can use this information for many different types of fraud, such as to steal money from your account, to open new accounts in your name, or to obtain official documents using your identity.

Common phishing scams:

• Spoofs of businesses that you know and trust. These are e-mail messages that purport to be from companies or services that you know and trust such as your bank and could contain urgent messages with threats of account closures or other alarming consequences.
• Lottery scams and other advanced fee fraud scams. For example, an e-mail message might request your help in a financial transaction such as the transfer of a large sum of money into your account. Or a message might contain a claim that you have received a large inheritance from someone you do not know or that you have won a lottery that you did not enter. For more information, see Scams that promise money, gifts, or prizes.
• Rogue security software scams. These are e-mail messages, Web sites, or pop-up windows that tell you that your computer is unsafe. If you download the software they offer so you can receive help, you could damage your system or waste money on software that you don’t need.

You might see a phishing scam:

• In e-mail messages, even if the messages appear to be from a coworker or someone you know.
• On social networking Web sites.
• On Web sites that appear to accept donations for charity.
• On Web sites that spoof familiar sites but that use slightly different Web addresses.
• In your instant message (IM) program.
• On your cell phone or other mobile device.

Six signs of a scam

• Generic greetings such as “Dear Customer,” which indicate that the sender does not know you and should not be trusted.
• Alarming or urgent statements that require you to respond immediately.
• Requests for personal or financial information, such as user names, passwords, credit card or bank account numbers, social security numbers, dates of birth, or other information that can be used to steal your identity.
• Misspellings and grammatical errors, including Web addresses. The Web address might look very similar to the address of a legitimate business, but with a minor alteration. For example, instead of www.microsoft.com, the scammer might use www.micrsoft.com. For more information, see Typos can cost you.
• The text of the link in the e-mail message to you is different from the Web address that you are directed to when you click the link. You can identify the actual Web address in a link by hovering over the link without clicking it. The Web address appears in a text box above the link.
• The “From” line in the original e-mail message to you shows a different Web address than the one that appears when you try to reply to the message.

How can I help prevent a scam from happening to me?

The following suggestions could help you avoid online fraud.

• Delete spam. Do not open it or reply to it, even to ask to be removed from a mailing list. When you reply, you confirm to the senders that they have reached an active e-mail account and make yourself vulnerable to further abuse.
• Use caution when you click links in e-mail messages, text messages, pop-up windows, or instant messages. Instead, type Web addresses in a Web browser, or use your online Favorites or bookmarks.
• Do not open e-mail attachments or click instant message download links unless you know who sent the message and you were expecting the attachment or link.
• Be cautious about providing your personal or financial information online. Do not fill out forms in e-mail messages that ask for personal or financial information.
• Create strong passwords and avoid using the same password for your bank and other important accounts. To test the strength of your password, use our Password Checker. For more information, see Creating a strong password for your e-mail account: why you should and how to do it.
• Use Internet Explorer 8 or similar Web browsers that include an additional layer of protection with sites that use Extended Validation (EV) SSL Certificates. With Internet Explorer 8, the address bar turns green to notify you that there is more information available about the Web site you are visiting. The identity of the Web site owner is also displayed on the address bar.
• Turn on SmartScreen Filter in Internet Explorer 8 to help detect unsafe and potentially unsafe Web sites as you browse. Read the messages warning messages that you see to decide if you want to proceed to a suspicious Web site or not.
• Visit Microsoft Update to install the latest security updates and turn on automatic updating.
• Make sure your computer’s firewall is turned on and that you use antivirus and antispyware software that is updated automatically, such as Microsoft Security Essentials. For more information, see Help protect your PC with Microsoft Security Essentials.
• Check your bank and credit card statements closely to identify and report any transactions that are not legitimate.
• Never pay bills, bank, shop, or conduct other financial transactions on a public or shared computer or over a public wireless network. If you do log on to public computers, look for computers on networks that require a password, which increases security.

What should I do with fraudulent e-mail messages?

If you think an e-mail message might be fraudulent, we recommend taking the following precautions.

• Delete the message. Do not respond or click links in it.
• Report any suspicious activity. (See below for contact information.)
• If you believe that someone is using your Windows Live account, you can reset your password. Go to http://login.live.com and click Forgot your password?
• Fraudulent e-mail messages sometimes contain unwanted or malicious software (also known as malware). If you think you might have malware on your computer, go to safety.live.com and scan your computer to check for and remove unwanted software.

For more information, see What to do if you’ve responded to a phishing scam.

Where to report suspicious activity

If you suspect that something is wrong, there are several ways to report the possible fraud.

Microsoft

• If you suspect that you’ve received a phishing e-mail message, click report phishing scam on the message toolbar in Windows Live Hotmail or report the message to Microsoft.
• To report the Microsoft Lottery fraud, send an e-mail message to lotfraud@microsoft.com.
• For any other suspicious activity, go to support.live.com.
• For Hotmail, go to the Hotmail Online Solutions Center.

United States agencies

Federal Trade Commission

or call toll free: (877) 438-4338 (877) 438-4338
To report other online scams or fraud in the United States, visit Filing a Complaint with the FTC, or call toll free: (877) 382-4357 (877) 382-4357