Yesterday was the first day of the availability of free credit reports as mandated by Congress, and by last night, according to NBC News, crooks were trying to turn a positive benefit to a bad purpose by 'goin' phishing.'

Phishing, if you haven't heard, is a form of on-line piracy in which the bad guys use a false identity, usually that of a bank, credit card company, stockbroker, or other reputable financial institution, in an attempt to steal a consumer's identity or otherwise defraud him.


Phishing has been rampant for several months. This reporter has been spammed seven times since September by crooks claiming to represent Sun Trust, Citi, Smith Barney, and four other less well-known financial institutions, none of which I patronize.

I have to admit, if I were a customer of any of these institutions, I might have been taken. These are very clever set-ups. The initial letter looks like it is fresh from the executive office of Sun Trust or Citi. There is nothing overtly suspicious; it does not ask for information or an email reply. Instead, it advises the target of a problem - an attempted identity theft, a computer audit - and invites verification of account numbers and/or passwords. This is usually followed by a statement that accounts might be frozen or that other dire consequences might result from non-compliance. The target is directed to a website with an official-sounding name and an official look, except, while these crooks are good at graphics, they are lousy at spelling. Phishing sites, possibly because many originate from non-English-speaking offshore sites, are notorious for spelling and grammatical errors. Here is where the piracy takes place, where visitors are asked to log in and provide personal information.

Now, according to NBC, people are already receiving emails directing them to a site to order their 'free' credit report, where a look-alike setup will relieve them of critical information. The real website (www.AnnualCreditReport.com) requests basic identifying information: date of birth, current and previous home addresses, and Social Security number. There is also a security feature, a window with a distorted set of numbers or letters designed to ensure that a real person, not an automated program, is completing the application. If you are sucked into a fraudulent site (and it will look nearly identical to the real one, probably including the security feature), the identifying information you provide is enough for the phisher to obtain your credit report from the real site and probably enough, without the report, for him to open credit in your name.

Anti-phishing protection rules are as follows:

  • Real financial institutions NEVER ask their customers for account information via email. If you question the authenticity of an email or even a telephone call or letter, call your bank, credit union, credit card issuer, or stockbroker at the telephone number found on your most recent statement or in the phone book.
  • The three national credit bureaus are worried enough about a flood of requests for reports that they are rolling out access in three phases. Their priority is not to invite people to their site. If you receive an invitation, double-check the website address (it will be very close to the actual address) and contact security@AnnualCreditReport.com to report what you received.