Phishing is a relatively new form of online fraud that focuses on fooling the
victim into providing sensitive financial or personal information to a bogus
website that bears a significant resemblance to a tried and true online brand
(such as a Bank, a Credit Card Company or even AuctionArms.com). Typically, the
victim provides information into a form on the imposter site, which then relays
the information to the fraudster.
Although this form of fraud is relatively new, its prevalence is exploding.
From November 2003 to May 2004, phishing attacks increased by 4000%.
Compounding the issue of increasing volume, response rates for phishing attacks
are disturbingly high, sometimes as high as 5%, and are most effective against
new internet users who are less sophisticated about spotting potential fraud in
their inbox.
We are concerned with this threat and believe it is important to reassure and
educate our customers.
When a hacker impersonates our company, our company’s
reputation and brand may be tarnished or ruined because customers feel that they
can no longer trust the organization with their sensitive information. We will
strive diligently to battle and defeat phishers and notify you, our customer, if
and when a phishing expedition is underway involving AuctionArms.com.
Many phishing attacks are actually sent on an individual basis to users
not protected by cutting edge spam detection technologies. Other attacks are
distributed through online email accounts such as Yahoo! Mail, Gmail, MSN, and
others. In short, technology alone cannot solve the phishing problem. Customers
must be educated about phishing and how to spot fraudulent emails and websites.
Phishing Example 1 – USBank

Reassuring and Educating Customers
Once a consumer receives a fraudulent email that appears to come from a
trusted company, he or she may never trust that company’s email communications
again. That is damage that is not easily undone. It is essential that
organizations communicate openly and frequently about how customers can identify
legitimate email communications, and the need to report fraudulent ones.
We believe in communicating information about these sorts of threats because
companies that make efforts to educate their customers about phishing are much
less attractive targets than those who make no efforts at all. Some examples of
organizations that have developed extensive policies around this issue are:
Phishing Example 2 – Citibank
Protecting the Company Brand
Each time a phishing attack is launched, a legitimate company’s trademark
is tarnished and brand equity is eroded. The more attacks a company suffers, the
less consumers feel they can trust the company’s legitimate email
communications or websites. The value of this trust is difficult to quantify –
at least until a company begins to lose customers. When customers no longer
trust the company’s ability to protect their personal information, they often
defect to competitors or opt to use more expensive commercial options such as
telesales or retail locations.
Clearly our goal is to convince the fraudsters that our customers will
not fall for the scam. This is why having an obvious anti-phishing program that
is public for all to see is very effective. The fraudsters tend to follow the
path of least resistance. Seeing that customers are well informed of how to
avoid phishing attacks, the perpetrators simply turn their attention to other
“softer” targets.
Preventing compromise of customer sensitive information
Customers must be educated not only about phishing generally, but also about
how fraudsters might use social engineering and other methods to entice
customers to divulge sensitive information to hackers.
With a little knowledge of an organization’s business methods, hackers can
easily distribute hundreds or even thousands of spoofed messages to a company’s
customers. The messages may ask for network passwords and usernames, or may
attempt to fool customers into providing sensitive information to hackers.
It is as important to us as it is to you that you know what information
is appropriate to share through email, and specifically what steps you should
take if you are unsure about the authenticity of a request for information.
Information gleaned by fraudsters from customers can be used in a variety of
nefarious ways. For example, criminals can use credit card information to
deduct money straight from accounts of unsuspecting victims. Hackers with
information you might provide unwittingly could seize control of your
AuctionArms.com account and your email account (especially if you use the same
password on both) and redirect payment
What to Do If You Are the Victim of a Phishing Scam
If you become aware of fraudsters imitating AuctionArms.com (or other
institutions) to commit phishing fraud, you should:
- Immediately notify AuctionArms.com (or the imitated institution)
- If it is an AuctionArms.com imitator, we will immediately educate our
customers on how they can correctly identify the phish through this forum.
- Notify the authorities of your situation. Phishing fraudsters may have
violated all or some of the following Federal Laws:
  - 18 U.S.C. 1028(a)(7) – Identity Theft
  - 18 U.S.C. 1343 – Wire Fraud
  - 18 U.S.C. 1029 – Credit-card Fraud
  - 18 U.S.C. 1344 – Bank Fraud
  - 18 U.S.C. 1030 (a)(4) – Computer Fraud
  - 18 U.S.C. 1037 – CAN-SPAM Act
  - 18 U.S.C. 1028(a)(5) – Damage to computer systems and files
- We will prosecute the criminals – when spammers use our trademarks to
commit fraud, they are violating U.S. Trademark laws as well as anti-fraud
laws. AuctionArms.com has the right to and will defend its mark in court.
If you find that you are personally the victim of a phishing scam, then you
should identify what information was compromised and then:
- If the fraudster obtained your Bank Account, Credit, ATM or Debit Card
information:
  - Report the theft to your card issuer, and cancel the account
  - Check your statements for any unauthorized charges and follow up with
  your financial institution regarding their procedures for minimizing
  your liability to the charges
- If the fraudster has obtained your personal identification information