Latest word from the FBI: Never click on a link in an email that looks like it’s from your bank or another financial institution — unless you know for sure it’s real.

Yesterday, the FBI announced it had broken up a couple of high-level phishing rings stretching from Romania to Los Angeles. Before they were shut down, the rings swindled thousands of consumers and banks out of millions of dollars.

According to the FBI’s website, here’s how it worked:

  1. Fraudsters working primarily out of Romania (known as the “suppliers”) went phishing and obtained thousands of credit and debit card accounts and related personal information by sending out masses of spam.

  2. These suppliers then sent their ill-gotten financial data to their partners in the U.S. (the so-called “cashiers”) through Internet chat and e-mail messages.

  3. By using some sophisticated but readily available software and technologies, the cashiers manufactured their own credit, debit, and gift cards encoded with the stolen information, giving them unfettered access to large amounts of money via ATMs and point-of-sale terminals.

  4. Before these cards were used, cashiers directed “runners” to test the cards by checking balances or withdrawing small amounts of money from ATMs. Then, these “cashable” cards were used on the most lucrative accounts.

  5. To bring the scheme full circle, the cashiers wired a percentage of the illegal proceeds back to the suppliers.

Phishing costs consumers and businesses hundreds of millions of dollars every year. The sophistication of these con artists means it’s virtually impossible to know if the Bank of America email you just received is real or not. (eBay has trouble telling its true emails from phishing emails, and it has thousands of people working in its anti-fraud unit.)

Since you can’t know if an email or text message is real, don’t respond to it. Instead, go to your browser and type in the address for your bank or financial institution. That way you’ll know the contact is real.

Also, and I can’t stress this strongly enough, get some hardcore virus protection on your hard drive. Make sure you run the updates every day. That’s the only way to protect yourself — unless you disconnect from the Internet.

May 20, 2008