Has your bank asked you for your debit card number and PIN? If so, that’s not an April Fool’s Day joke, it’s a phishing attempt and your personal information might be in jeopardy.
It has been happening for a while now, and every now and then it comes back again. This time it was Chase. When trying to log into the account, my partner was presented with a “verification” page which asked him for his debit card number, PIN, and other personal information.
This is not a real Chase page, it’s a phishing attempt. I’ve written about phishing before, and you should always be careful. There are certain things banks would never ask you for, and if you’re being asked for this information – close your web browser and call your bank immediately.
Information that a bank should never ask you for includes the following:
- Account, card and social security numbers – financial institutions would never ask for that once the account has been opened.
- Passwords and PINs – no bank or financial institution would ever ask for your PIN or password other than when actually logging in or using your card at an ATM. Not by phone, not by email, not “for verification”. NEVER.
- Personal identifying information – if the bank needs to verify your identity, they will ask you to call them. Sometimes they do call when fraud is suspected, but they would never ask you for information; they would tell you the information and ask you to confirm it. In any case, you can always ask to call back, and then call the number on the back of your card to continue the conversation.
- A bank will never, ever ask you to email anything outside of the bank’s secure email system, which is only accessible after you’ve logged in.
How do you verify that the site is genuine and not an impostor? Several things:
- Don’t click on links in emails. If you want to go to your bank’s webpage – type the address (like www.chase.com for Chase or www.paypal.com for PayPal), don’t click on links in emails.
- Look for the “lock sign” that means the address you’re browsing to has been verified. Clicking on that sign will show you more information, including what the actual web address is (compare to what you wanted it to be), and whom it belongs to (compare to what you expect). If the “lock sign” doesn’t appear or the information is not what you’re expecting – close the browser and call the bank.
Below are some examples of verified site information. Note the blue shade on the left of the web address and the “https” prefix – that’s Firefox signaling the site has been verified. Click on it to get the information screen.
Chase.com (Internet Explorer example):
Paypal (Firefox example):
Here’s an example of a phishing site for Google. First, note the discrepancy in the email. The link in the email seems genuine. But when you put your mouse cursor over it, you can see the actual link address in the status bar of the browser – you can see that it’s different from the text you see in the email. That’s the first and major sign of the email being a phishing attempt.
When you click on it you get to some other place, not a YouTube site. It’s a malware site, which I suggest you not visit. It might be a site that “looks and feels” like the original; it’s really easy to make a site look exactly like your bank landing page, or Gmail login page. But you won’t see the identity verification sign that I’ve shown you above, and that’s how you know it’s fake, even if it looks the same.
Other examples of a phishing site for Chase can be found here, here, here and here. Of course, Chase and Paypal are just examples here because I use them a lot; the same can, and does, happen to any bank or financial institution.
What can you do to protect yourself?
1. Pay attention; verify the sites using the browser “lock sign” feature (it may look different between browsers; look above for examples for Internet Explorer and Firefox).
2. Think before you type. Does it seem right? Should you be answering such questions? Is there a reason to think that the bank needs this information from you?
3. Install an anti-virus; most modern products also protect against phishing attempts.
4. Listen to your browser – most of the up-to-date browsers have a phishing detection module that warns you when you reach suspicious sites.