‘Phishing’ on the Net: How to spot fake investment Web sites
High-pressure e-mails and phony Internet addresses that tout bogus mutual fund Web sites are a problem that investors must learn how to deal with in advance if they are to avoid being stung by such a scam, as officials at Portsmouth-based Pax World Funds know from firsthand experience.
Pax World, the nation’s first socially and environmentally responsible mutual fund, recently worked with the U.S. Securities and Exchange Commission to shut down an unauthorized version of the Pax World Funds Web site. The look-alike Pax Web site offered outlandish promises of returns on investments and also charged excessive and impermissible fees.
Pax is by no means the only investment fund to be hit by such a scam. In fact, it’s a growing phenomenon that has been named “phishing.”
A typical phishing scheme will use a seemingly legitimate e-mail to deceive the recipient into thinking it is a message from a legitimate company or government agency. In reality, it is the work of a con artist whose goal is to get the potential victim to disclose his or her account information, wire transfer details, credit card account numbers, Social Security number, passwords and other sensitive financial information. In the case of mutual fund phishing scams, an investor may actually be lured into making phony transactions on a Web site that looks similar to, or exactly like, the home page of a legitimate investment company.
In addition to mutual funds and credit card companies, recent phishing schemes have involved “cloned” e-mails and bogus Web pages falsely put forward in the name of government agencies, including the Federal Deposit Insurance Corp., the Office of the Comptroller of the Currency and the Securities Investor Protection Corp.
“Our eye-opening experience led us to conclude that mutual fund investors and investment companies need to know more about the dangers posed by phishing,” said Thomas W. Grant, president of the firm. That experience led the firm to come up with six “phishing tips,” based on “what we learned about phishing swindles and what people can do to protect themselves,” he said.
The tips are:
• Keep a sharp eye out for high-pressure e-mails urging you to divulge personal financial information or to start making transactions at a new Web site page. Phishers rely on urgent — and even upsetting — statements in their e-mails in order to goad people into taking immediate action. You may be asked to provide or verify user names, passwords, credit card numbers, checking account withdrawal codes, Social Security numbers, etc. If you get an e-mail that warns you, with little or no notice, that your mutual fund account will be shut down unless you reconfirm your information related to the account, do not reply or click on the link in the e-mail. Instead, contact the mutual fund company by phone or by going directly to its main Web site address, which most likely already is known to you. Check out the substance of the e-mail first instead of just automatically replying or clicking on the Web links in it.
• Make sure you only conduct Web-based transactions on a secure page. The most common mistake is replying via e-mail with your confidential financial or account information. No legitimate company is going to ask you to do that. Instead, they will send you to a Web page that has been made secure for e-commerce purposes. If an e-mail urges you to click through to what is supposedly a Web page for your mutual fund, look for evidence that it is a secure page. Among the positive signs that you may see is a URL starting with “https:” (instead of just “http:”) or a padlock icon on your browser frame.
While it is a good thing to check for such security, keep in mind that this is not a foolproof way to keep phishers at bay. Some phishers have legitimately acquired or forged such security. If you are uncertain about the actual level of security associated with a mutual fund transaction Web page, the best bet is to close your existing browser window, open a new browser window and then go through the main mutual fund company Web site page that is already known to you.
• Be on guard for suspicious Web addresses. Is the mutual fund Web site address that you are sent to different from the one that you have used before for your mutual fund account? Does the URL contain the mutual fund’s name (or some variation of it) along with other words or numbers? These are possible signs of a “cloned” or bogus mutual fund Web site page. (Another common situation in a phishing scheme is a Web page that includes some, but not all, of the art, icons and navigation system of the Web site that has been cloned.)
• Review your mutual fund account statement carefully. Are there trades missing? Has someone conducted trades that you did not authorize? Is your account statement late or missing altogether (possibly as a result of getting rerouted to the mailing address of a con artist)? Your account should only cover those transactions you have personally authorized and undertaken.
• Take advantage of the technology available to fight phishing schemes. Ensure that your browser is up to date and that security patches are applied. If you use Microsoft Internet Explorer, go to the Microsoft Security home page — microsoft.com/security/ — to download a special patch relating to certain phishing schemes. Consider installing a Web browser tool bar to help protect you from known phishing fraud Web sites. EarthLink ScamBlocker is part of a free browser toolbar that alerts you before you visit a Web page whether it is on EarthLink’s list of known fraudulent phisher Web sites. It’s free to all Internet users and can be downloaded at earthlink.net/earthlinktoolbar. Some phishing e-mails contain software that can harm your computer or track your activities on the Internet without your knowledge. Anti-virus software and a firewall can protect you from inadvertently accepting such unwanted files.
• Even if you only suspect that you have been approached by a phishing scheme, let your mutual fund company know immediately. Send your mutual fund a copy of the e-mail and the possibly bogus Web site address. (When forwarding e-mail messages, make sure to include the entire original e-mail with its original header information intact.) It also is a good idea to file a complaint with the FBI’s Internet Fraud Complaint Center at IFCCFBI.gov.
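The address checks from the tips above (secure page, unfamiliar address, fund name mixed with other words or numbers), written out as an added Python example that is not part of the original article. The host www.examplefund.example and the name examplefund are constructed placeholders for the address and fund name the investor already knows.

```python
from urllib.parse import urlsplit

# Constructed placeholders, not a real fund's address or name.
KNOWN_HOST = "www.examplefund.example"
BRAND = "examplefund"

# Digit-for-letter swaps used to build a "variation" of a name.
LOOKALIKES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def _normalize(text: str) -> str:
    """Lower-case, drop hyphens, and undo digit-for-letter swaps."""
    return text.lower().replace("-", "").translate(LOOKALIKES)


def check_link(url: str, known_host: str = KNOWN_HOST, brand: str = BRAND) -> list[str]:
    """Return the warning signs from the tips that apply to `url`."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    findings = []

    # Tip: only conduct transactions on a secure (https) page.
    if parts.scheme != "https":
        findings.append("not-https")

    # Tip: is the address different from the one used before?
    if host != known_host.lower():
        findings.append("host-differs-from-known")
        # Tip: fund name (or a variation) along with other words or numbers.
        if brand in _normalize(host) or brand in parts.path.lower():
            findings.append("brand-in-unfamiliar-address")
    return findings


def safe_to_use(url: str) -> bool:
    """Only an https link to the already-known host passes every check."""
    return not check_link(url)
```

A link can pass the https check and still fail the address checks, which is why the padlock alone does not clear it.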