what is phishing?


Post on 12-Sep-2021

TRANSCRIPT

Page 1: What is Phishing?

© 2004 Microsoft Corporation. All rights reserved. Microsoft, MSN, the MSN logo, and Windows are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. The names and logos of actual companies and products mentioned herein may be the trademarks of their respective owners. The information contained in this brochure is provided for educational and informational purposes only. Microsoft, MSN, and the other sponsors of these resources make no representations that the suggestions and recommendations provided will guard against phishing, identity theft or any other harmful conduct.

Spotting a Phish

The message capitalizes on your trust of a respected brand by enticing you to click on one of its links. By doing so, you’re taken to an equally convincing (and equally fake) Web page or pop-up window that’s been set up to imitate the legitimate business. Once there, you’re asked to divulge sensitive personal information, such as your Social Security number, a bank account or credit card number, a validation code, a password, or a personal identification number (PIN).

The scams are disarming and alarming in their ingenuity. For example, in 2003, millions of people received the following fake information in an e-mail:

> A “bank” requesting verification of an $829.49 charge for a hotel in New Delhi, a scam so meticulous that it included company logos, as well as promises to safeguard privacy. When readers clicked on “STOP THIS PAYMENT,” they were taken to an equally convincing page where they would reveal the account information needed to “deny payment.”

> Their “cell phone company” saying that a charge to their credit card on file was declined. The message included this clincher: “Your account could be suspended unless you update your credit card information immediately.” A “helpful” link was provided to expedite the update.

> From “MSN” and addressed to “Darling MSN services client” informing readers that their MSN services would be “deactivated” if they didn’t confirm their identities at once. Again, a link was provided.

The forged sites are so well crafted that in 2003, they successfully tricked almost 2 million people into revealing personal information, which put at risk their financial status and credit rating.

What is Phishing?

One way to hook a fish is to use a lure so realistic that the fish thinks it’s food. Phishing on the Web works the same way. Thieves send an e-mail or instant message that masquerades — right down to the sender’s e-mail address — as a message from a reputable company, such as Citibank, eBay, or MSN.

Learn how you can avoid phishing scams >

Protect Yourself from Spam Scams: Don’t Get Hooked by Phishing

> What is phishing?

> How can you protect yourself?

> What can you do if you’ve been phished?

Resources

Visit the Anti-Phishing Working Group for the latest phishing schemes and statistics. www.antiphishing.org

MSN Safety is a great all-around resource. http://safety.msn.com

Safety Connection: Help protect your family, your information, your way of life. Brought to you by MSN.

Page 2: What is Phishing?

If you’re unsure whether a message is genuine, contact the company using a phone number from a past statement or the phone book. Visit any Web sites by typing the Web address (URL) directly into your browser.

> 3: Make sure the Web site protects your personal information and is legitimate

Before you enter any personal information, find out if the site uses encryption to protect your data and check to make sure you’re at the site you think you are. This is important because phishers and other online scam artists have ways of faking the address that is displayed. If you have even the slightest doubt about the site’s legitimacy, play it safe and leave immediately.

Check for signs of data encryption. Encryption is a security measure that helps protect sensitive data as it traverses the Internet. Be sure to look for “https” (“s” for secure) in the Web address and for a tiny closed padlock or an unbroken key.

Check to make sure you are where you think you are. On some systems, the padlock (and key) can be faked, so double-click it to display the security certificate for the site.

Think before You Click: Five Ways to Help Protect Yourself

Though there’s no substitute for vigilance when giving out sensitive personal information, here are some simple guidelines to reduce your chances of getting hooked by a phisher scam.

> 1: Keep personal information personal

Do not give it out in an e-mail, instant message, or a pop-up window.

Most legitimate businesses will not use these methods to ask for passwords, account or credit card numbers, or other sensitive personal information.

> 2: Be wary of clicking a link within an e-mail or a pop-up window

If you receive an e-mail, instant message, or a pop-up that asks for personal information, do not click on any links. Doing so could take you to a phony site where any information you give may be sent to the scam artist who built it.

Report Suspected Fraudulent E-mail

If you think you’ve received phisher e-mail, always report it to the company being imitated as well as to the proper authorities.

SEND the fraudulent message to the company that’s being faked. The company may have a special e-mail address to report such abuse, also known as “spoofing.” For example, if you received phisher e-mail from a fake “MSN,” you would send it to [email protected]. (And, remember to always type in the e-mail address yourself.)

REPORT the phishing scam by sending the fake e-mail message to the FBI through the Internet Fraud Complaint Center at http://www.ifccbi.gov, which works with law enforcement worldwide to shut down phishing sites and identify the perpetrators. You can also submit a report to the Anti-Phishing Working Group (an e-commerce industry trade association) at [email protected].

How to report a suspect e-mail message

Buried in the header of an e-mail message is information that technical experts require in order to flush out the scam artist; without it they may be unable to pursue an investigation. To learn how to send an e-mail with its original header, go to http://safety.msn.com/phishing.
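To show what “the original header” actually carries, here is an added example (not from the brochure or from Microsoft) that pulls the trace fields out of a raw message the way an abuse desk would. The message itself is constructed for the example: the hostnames, the Reply-To address and the 192.0.2.x / 203.0.113.x addresses are invented documentation values, and the forged From address uses the msn.com brand named in the brochure. Only the Python standard library is used.

```python
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

# Constructed sample of a forged "MSN" deactivation notice. Mail servers
# prepend a Received header at every hop, so the LAST Received line in the
# raw text is the hop closest to the sender. All values below are invented.
SAMPLE_PHISH = """\
Return-Path: <bounce@mail-relay.example>
Received: from mx.recipient.example ([192.0.2.10])
        by inbox.recipient.example with ESMTP id 4Bq7; Tue, 14 Sep 2004 09:12:01 -0700
Received: from msn-billing.example ([203.0.113.45])
        by mx.recipient.example with SMTP; Tue, 14 Sep 2004 09:11:58 -0700
From: "MSN Billing" <billing@msn.com>
Reply-To: account-update@msn-billing.example
To: darling-client@recipient.example
Subject: Your MSN services will be deactivated
Message-ID: <20040914161158.4Bq7@msn-billing.example>
Content-Type: text/plain

Dear MSN services client, please confirm your identity at once.
"""

# Header fields an investigator needs; the visible body alone is not enough.
TRACE_HEADERS = ("Return-Path", "From", "Reply-To", "Message-ID", "Subject")

# IPv4 literal in square brackets, as mail servers write it in Received lines.
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_chain(msg: Message) -> list:
    """Return the Received hops oldest-first, each with the bracketed IP."""
    hops = []
    for line in reversed(msg.get_all("Received", [])):
        m = IP_RE.search(str(line))
        hops.append({"ip": m.group(1) if m else None,
                     "raw": " ".join(str(line).split())})
    return hops


def header_domain(msg: Message, name: str) -> str:
    """Domain part of the address in the named header, lower-cased ('' if absent)."""
    addr = parseaddr(msg.get(name, ""))[1]
    return addr.rpartition("@")[2].lower()


def reply_domain_mismatch(msg: Message) -> bool:
    """True when replies are steered to a domain other than the claimed sender's.

    A Reply-To that differs from the From domain is a common sign that the
    brand in From is borrowed and the answers go somewhere else.
    """
    reply = header_domain(msg, "Reply-To")
    return bool(reply) and reply != header_domain(msg, "From")


def report_package(raw: str) -> dict:
    """Assemble what to forward with an abuse report: headers, hop chain, and flags."""
    msg = message_from_string(raw)
    return {
        "headers": {h: msg.get(h) for h in TRACE_HEADERS},
        "hops": received_chain(msg),
        "reply_to_mismatch": reply_domain_mismatch(msg),
    }


if __name__ == "__main__":
    pkg = report_package(SAMPLE_PHISH)
    for hop in pkg["hops"]:
        print("hop", hop["ip"], "<-", hop["raw"])
    print("reply-to mismatch:", pkg["reply_to_mismatch"])
```

The oldest hop (203.0.113.45 here) is the one worth reporting; a forwarded message that has been retyped or quoted loses these lines, which is why the brochure insists on sending the original header.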

Take Action If You’ve Been a Phishing Victim

If you feel your personal information has been jeopardized:

CLOSE any accounts accessed or opened fraudulently.

CHANGE the passwords and PINs on all of your online accounts.

GO TO http://safety.msn.com/idtheft for information on what else you can do to minimize the damage, including how to file a complaint with the U.S. Federal Trade Commission (FTC).

> 4: Routinely review your financial statements

To make sure nothing is amiss, carefully check all your credit card and bank statements on a monthly basis and regularly log in to any online accounts.

> 5: Improve your computer’s security

You can greatly reduce your risk by following Microsoft’s step-by-step instructions at http://safety.msn.com/protectpc.armx, which will help you use a firewall, install antivirus software and update it routinely, and keep your Windows® and Office software up to date.

What Are the Warning Signs?

It can be extremely difficult even for experts to distinguish between a slick scam and something authentic. Nevertheless, here are a few telltale signs of a phishing scam:

> Requests for personal information in an e-mail message: Most legitimate businesses will not ask for personal information in an e-mail.

> Alarmist messages: Criminals will attempt to create a sense of urgency so you’ll respond without thinking.

> Misspellings and grammatical errors: Messages from legitimate businesses are expected to be error-free.

> A Web address that is slightly altered: A close examination of a Web address might reveal deceptive spellings. For example, www.microsoft.com could appear as www.micosoft.com or www.mircosoft.com.

> If it sounds too good to be true, it probably is.
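The “slightly altered Web address” sign above and the “look for https” check under guideline 3 can both be turned into a mechanical test. The example below is added here and is not part of the brochure or of any Microsoft tool; it assumes a small allow-list of domains the reader actually uses (constructed for the example) and flags a link when its domain is one keystroke away from a known one, when a known brand name is buried inside some other domain, when the scheme is not https, or when the URL hides the real host behind an “@”. The last two checks go beyond the brochure’s own examples.

```python
from urllib.parse import urlsplit

# Constructed allow-list standing in for the sites the reader has typed or
# bookmarked themselves; not a real block- or allow-list.
KNOWN_DOMAINS = ("microsoft.com", "msn.com")


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete and substitute cost 1,
    and swapping two adjacent letters (mircosoft) also costs 1."""
    rows, cols = len(a) + 1, len(b) + 1
    d = [[0] * cols for _ in range(rows)]
    for i in range(rows):
        d[i][0] = i
    for j in range(cols):
        d[0][j] = j
    for i in range(1, rows):
        for j in range(1, cols):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[rows - 1][cols - 1]


def registered_domain(host: str) -> str:
    """Last two labels of a hostname. Enough for the .com names in the brochure;
    names under suffixes such as co.uk would need the Public Suffix List."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def check_link(url: str) -> list:
    """Return the warning signs found in a link; an empty list means none found."""
    warnings = []
    parts = urlsplit(url)
    host = parts.hostname or ""
    if parts.scheme != "https":
        warnings.append("no https: anything typed here travels unencrypted")
    if parts.username is not None:
        # The browser ignores everything before '@', so a brand name placed
        # there is decoration, not the site actually being visited.
        warnings.append("text before '@' is not the site name")
    domain = registered_domain(host)
    if domain in KNOWN_DOMAINS:
        return warnings
    for known in KNOWN_DOMAINS:
        if known in host:
            # e.g. www.msn.com.account-verify.example is not msn.com
            warnings.append(f"{known} appears inside a different domain ({domain})")
        label, known_label = domain.split(".")[0], known.split(".")[0]
        if label != known_label and osa_distance(label, known_label) == 1:
            warnings.append(f"{domain} is one edit away from {known}")
    return warnings


if __name__ == "__main__":
    for link in ("https://www.microsoft.com/", "https://www.micosoft.com/",
                 "https://www.mircosoft.com/",
                 "http://www.msn.com.account-verify.example/login"):
        print(link, "->", check_link(link) or "no warning signs")
```

The distance threshold of exactly one edit keeps the check quiet on unrelated names; it catches the dropped letter in micosoft and the swapped pair in mircosoft, the two spellings the brochure uses, without a dictionary of bad domains.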

Tip 1 Https and the closed lock indicate that the site uses encryption. Look for a match between the name on the certificate and in the address bar. If the name differs, you may be on a faked site.

Tip 2 Official e-mail to Hotmail members from Microsoft Online Services always arrives with a butterfly in this location. While a scam artist can add a butterfly to the e-mail message itself, no one except Microsoft Online Services can put a butterfly on this page.