Am I in any danger after this phishing attempt?
March 30, 2006 11:36 PM

I've fallen for a phishing attempt. Based on what they may have, what do I do now?

I normally consider myself at least competent at noticing phishing attempts in my email and forwarding them to the appropriate abuse address (hi, PayPal scams). However, after coming home tired earlier this week, I fell prey to a scam.

The email purported to be from Chase financial. It mentioned that my account had recently been accessed from several locations (which is true, I've done that) and that there had been a wrong password entered at least once (also true). It directed me to a page that I should have immediately noticed was suspicious -- it had text entry for my first and last name, social security number, and credit card number.

I don't have a credit card through that company so I kind of paused and looked at it. I had started to enter data before my brain clicked and I thought, "Wow, this isn't right." I had my name entered along with my SSN (which was auto-populated by my browser, damn that convenience). I entered nothing in the credit card fields. I was planning on closing the browser but then absent-mindedly clicked submit first. Then I slammed my head into the desk repeatedly.

Obviously I'm kicking myself for this entire thing, so be kind on the advice. I consider this a fluke and this is the only time in my life I've done such a thing -- I shy away from entering most information online, even on secure financial sites. My question is this: how much damage can a phishing operation do with my name and SSN? I am considering putting a fraud check on my credit, but this could be more of a pain than a cure since I have plans to open up at least one line of credit in the coming months. Without any other information, and with the knowledge that these individuals will likely be preoccupied with the credit card numbers they likely harvested, am I at that much of a risk? I can only guess that they could attempt to open new accounts with my name, but I don't believe this is possible with the little information they have.
posted by anonymous to Computers & Internet (17 answers total)

Don't feel foolish even for a second - it can get even the best of us. I was one step away from giving away all my bank card info in a phishing attempt, the only thing that saved me was when I pressed the submit button, it didn't go through, complaining I still needed to fill in my ATM passcode. I'm thinking: "why the heck they need that info?" Then it dawned on me.

All it takes is to be preoccupied or distracted for a second and they got us.

As for taking any evasive action? I'm not sure you really need to. They have so little info on you (although it's not insignificant they have your SSN) that the scammers will probably tuck your SSN away for now and wait til they have more info on you.
posted by rinkjustice at 12:09 AM on March 31, 2006

Many credit card companies verify customer identity by asking for mother's maiden name or Social Security number; the thieves want your number so they can manipulate the account, change the address on record, apply for another card in your name, etc.... But if they don't have the credit card number, they'd have to find out what accounts you have.

It's likely the phishers will ignore your "incomplete" info and take advantage of the credit card numbers of people who did fill theirs in. A given thief/bunch of thieves send out many thousands of those phony letters, and they're going to get enough "good" replies that they won't need to bother with you.
posted by wryly at 12:17 AM on March 31, 2006

SSNs are not really private. This came to my attention when I found my own on display in my med school's parking office, next to my name, on a list of people who were authorized to park in certain spots.

SSN will never be used as proof of identity for this reason, and in fact you can often be required by law to disclose it. And for this reason, there's little that a malicious person can do if they have it; organizations in the position to compromise you (banks and credit card companies, for instance) are aware that your SSN is likely not private.

One of the research organizations I worked for actually briefly posted mine on the Internet, because it's part of my NIH-format CV that they just thoughtlessly dumped onto the department website. I complained and it was taken down, but it was really no big deal.
posted by ikkyu2 at 12:19 AM on March 31, 2006

The first thing you can do is download Google's Web Forgery phishing extension for Firefox.

Meanwhile, please to be aware that just because you don't hit submit doesn't mean anything nowadays. I can easily write up some AJAX that transmits every character you type in those fields, as you type them.

You could certainly consider subscribing to a fraud protection plan, like those offered by one of the Big Three credit bureaus. They'll monitor and let you know of any suspicious activity, and aren't grounds to reject you from a loan application.
posted by disillusioned at 1:08 AM on March 31, 2006

I can't really remember from my time in the states, but to apply for a credit card, isn't the only thing you need a name and an SSN? If this is the case, I would consider signing up for one of those credit-alert systems, where they send you an alert every time there is a hit to your credit record (ie by applying for a new credit card, etc). If it's NOT the case, and you do need more details, then I think you should be alright.
posted by antifuse at 2:21 AM on March 31, 2006

I asked a question along these lines just last week. Somebody broke into the house and stole my laptop, which had all my contact information and my social security number on it. What you need to do is call any one of the credit bureaus (Experian, TransUnion, or Equifax) and put a 'fraud alert' on your name. If anyone tries to use your social security number to open an account, the creditor will have to contact you first to confirm you want to do this. Any of the credit bureaus you call will contact the other two for you - although I was feeling paranoid and called all of them individually. Takes all of 15 minutes. It's automated.

Also, you'll need to close any accounts for which you've given the phishers information. Not a huge pain - your bank will automatically open new accounts for you and transfer all your money - but withdraw some cash first, 'cause you'll be without ATM access for a week or two.
posted by catesbie at 4:33 AM on March 31, 2006

I can't help you on the info, but just wanted to let you know that I got the same email and had the same reaction: "why yes, I have been accessing that account from more than one computer. And yeah, I do remember screwing up the password. Jeez, I better click on this email link that looks like it goes to Chase." I just stopped myself a tad before you did. That was a really good one, damnit.
posted by CunningLinguist at 5:06 AM on March 31, 2006

The best thing to do is to try and confuse them so the info will be useless. Go to the site several more times and enter your name and other SS#s.
posted by JJ86 at 5:48 AM on March 31, 2006

I would take comfort in the fact that the criminals were probably most interested in the credit card details, since those are the simplest to use fraudulently to order things online. Just having your name and SSN does mean they could potentially do evil but if they have a long list of stolen CC numbers it may be easier just to go for the low hanging fruit.

Your best bet is just to stay on top of your accounts -- read each statement in the coming months and look for anything out of the ordinary. You can order a free copy of your credit report from the bureaus -- I don't necessarily think you need to sign up for any kind of monitoring service (as those always seemed kind of scammy) when you can get the reports yourself for free or for low one-time costs.
posted by Rhomboid at 5:56 AM on March 31, 2006

Contact the credit bureaus and put a fraud flag on your reports. Contact your bank(s) and credit card companies, and let them know you've had a breach and add an extra layer of security to your accounts -- verbal passwords, for example, are an easy one if they're offered, but some banks are using something like Bank of America's "Site Key" now so you may be covered. Keep an eye on your credit reports -- you may be lucky, because they may not use just your social security number, but they might do so anyway. Good luck.
posted by Medieval Maven at 7:27 AM on March 31, 2006

All they have is your first and last name, and SSN?

I'd say relax. That information is very, very easy to acquire about anyone. The hard part is the credit card number.

Just keep up to date with your credit report. There are some services which will keep you updated.
posted by delmoi at 8:22 AM on March 31, 2006

huh delmoi? Your credit card number is available to the kids manning the counter at the mall, sweaty gas station attendants, sketchy e-commerce sites, etc.

Second the fraud flag. Do that now with the big three credit reporting agencies.
posted by Saucy Intruder at 9:26 AM on March 31, 2006

"SSN will never be used as proof of identity for this reason, and in fact you can often be required by law to disclose it."

Maybe in your experience. I'm asked for just the last 4 of my social as verification on a regular basis.

With your name and SSN the thieves can (and likely will) open credit cards in your name. You should absolutely subscribe to a credit monitoring service. I hope that this doesn't come back to bite you, but the fact is- it could, and it could be at any point in the future.
posted by Four Flavors at 9:33 AM on March 31, 2006

Two rules:
1. do not click a link in an email--if the email claims to be from then type in your address box and login from there.
2. Do not be giving your SSN to anyone, ESPECIALLY ONLINE; they don't need it. Your health insurance might use it, that's about it.
posted by jockc at 10:15 AM on March 31, 2006

Do you happen to live in California? If so, you can put a security freeze on your credit reports. This means that no potential creditors will be able to request your credit info, preventing the phishers from obtaining new credit using your name and SSN.
posted by mr_roboto at 11:13 AM on March 31, 2006

That's interesting: I also got those Chase emails and realized they were fake because I had about 20 of them. But there have been a couple of replies in this thread where people who actually have Chase as a company got the emails. Did everyone else just automatically disregard them, or were they somehow sent to Chase customers? Perhaps I'm overly paranoid.
posted by artifarce at 1:21 PM on March 31, 2006

Also, a fraud alert can be placed by residents of many states. I was able to place one after my college accidentally released socials. This government site explains the various procedures and also says "An initial alert is appropriate if your wallet has been stolen or if you've been taken in by a "phishing" scam. When you place an initial fraud alert on your credit report, you're entitled to one free credit report from each of the three nationwide consumer reporting companies..."
posted by artifarce at 1:30 PM on March 31, 2006
