Most phishing scams are sent through e-mail. By following these guidelines, you can help protect yourself from these tricky scams.

Do report suspicious e-mail. If you suspect you might have received phishing e-mail designed to steal your identity, report the e-mail to the faked or "spoofed" organization. Contact the organization directly—not through the e-mail you received—and ask for confirmation. If it would make you more comfortable, call the organization's toll-free number (if one exists) and speak to a customer service representative. You should also report the e-mail to the proper authorities including the FBI, the Federal Trade Commission (FTC), and the Anti-Phishing Working Group. For more information on how to report phishing scams, read "What to do if you've responded to a phishing scam." If you think you've received a phishing e-mail message, do not respond to it.

Do be wary of clicking on links in e-mail messages. Links in phishing e-mail messages often take you directly to phony sites where you could unwittingly transmit personal or financial information to con artists. Avoid clicking on a link in an e-mail message unless you are sure of the destination. Even if the address bar displays the correct Web address, don't be fooled. There are several ways for con artists to display a fake URL in the address bar on your browser. To see an example of this, read "How can I tell if an e-mail message is fraudulent?"

Do type addresses directly into your browser or use your personal bookmarks. If you need to update your account information or change your password, visit the Web site by using your personal bookmark or by typing the URL directly into your browser.

Do check the security certificate when you are entering personal or financial information into a Web site. Before you enter personal or financial information into a Web site, make sure the site is secure. In Internet Explorer, you can do this by checking the yellow lock icon on the status bar as shown in the following example.

Example of a secure site lock icon. If the lock is closed, then the site uses encryption.

The closed lock icon signifies that the Web site uses encryption to help protect any sensitive, personal information that you enter, such as your credit card number, Social Security number, or payment details. It's important to note that this symbol doesn't need to appear on every page of a site, only on those pages that request personal information. Unfortunately, even the lock symbol can be faked. To help increase your safety, double-click the lock icon to display the security certificate for the site. The name following Issued to should match the name of the site. If the name differs, you might be on a fake site, also called a "spoofed" site. If you're not sure whether a certificate is legitimate, don't enter any personal information. Play it safe and leave.

Tip: If you don't see the status bar at the bottom of your browser window, click on View at the top of the browser, and then select Status Bar to activate it.

Don't enter personal or financial information into pop-up windows. One common phishing technique is to launch a fake pop-up window when someone clicks on a link in a phishing e-mail message. To make the pop-up window look more convincing, it might be displayed over a window you trust. Even if the pop-up window looks official or claims to be secure, you should avoid entering sensitive information, because there is no way to check the security certificate. Close pop-up windows by clicking on the red X in the top right corner (a "cancel" button might not work as you'd expect).

Do update your computer software. At Microsoft, we continue to make improvements to our software to help protect your computer. Visit Windows Update to scan your computer and install any high-priority updates that are offered to you. If you have Automatic Updates enabled, the updates are delivered to you when they are released, but you have to make sure you install them. For more information, visit the Protect Your PC site.

To learn what steps you should take if you have unwittingly responded to a phishing e-mail message, read "What to do if you've responded to a phishing scam."
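
The certificate check described above (the name following Issued to should match the name of the site) can also be written as a short Python check. This is an added example, not part of the original article: the certificates are constructed samples in the dictionary format returned by Python's `ssl.SSLSocket.getpeercert()`, the host names are placeholders, and it goes beyond the article by also reading the certificate's subjectAltName entries and handling wildcard names.

```python
# Added example: does the name a certificate was "Issued to" match the site?
# Certificates are constructed samples in the dict format returned by
# ssl.SSLSocket.getpeercert(); all host names are placeholders.

GENUINE_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "example.com")),
}
OTHER_SITE_CERT = {
    "subject": ((("commonName", "login.example.net"),),),
    "subjectAltName": (("DNS", "login.example.net"),),
}
WILDCARD_CERT = {
    "subject": ((("commonName", "*.example.com"),),),
    "subjectAltName": (("DNS", "*.example.com"),),
}


def issued_to_names(cert):
    """Return the DNS names the certificate was issued to."""
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    # Older certificates carry the site name only in the subject commonName.
    return [value for rdn in cert.get("subject", ())
            for key, value in rdn if key == "commonName"]


def name_matches(pattern, hostname):
    """Case-insensitive match; '*' may stand only for the whole leftmost label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if pattern.startswith("*.") and "." in pattern[2:]:
        parts = hostname.split(".", 1)
        return len(parts) == 2 and parts[0] != "" and parts[1] == pattern[2:]
    return False


def certificate_matches_site(cert, hostname):
    """True when any 'Issued to' name covers the host name the user meant to visit."""
    return any(name_matches(name, hostname) for name in issued_to_names(cert))


if __name__ == "__main__":
    for label, cert in [("genuine", GENUINE_CERT), ("other site", OTHER_SITE_CERT)]:
        verdict = "match" if certificate_matches_site(cert, "www.example.com") else "MISMATCH, leave the site"
        print(f"{label}: issued to {issued_to_names(cert)} -> {verdict}")
```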