Phishing, Vishing, Pharming, or Spoofing?

Terms abound for the schemes criminals use to defraud, the following are the most common.


Phishing involves using a communication medium (typically e-mail) to illegally masquerade as a financial institution or well-recognized financial entity to trick consumers or industry employees into releasing personal or confidential information by way of the Internet.  These attacks often direct the victim to a fraudulent web page that appears identical to the institution’s valid site.  Upon entering personal information such as account numbers, PINs, or passwords, the attacker then has the information required to perform identity theft and commit fraud.


Vishing, or voice phishing, uses the same elements of phishing, but employs the telephone system rather than the Internet.  Instead of directing a consumer to a fraudulent web site, vishers establish fraudulent phone numbers and use equipment that can interpret and store telephone keystrokes.  Like a phish, an attack can be initiated by sending blast e-mails to many individuals in the hopes of receiving a small number of responses.


A pharmer redirects a consumer from a legitimate commercial web site he or she had intended to visit to a criminal one.  The bogus site, to which the victim is redirected without his or her knowledge or consent, will likely look the same as a genuine site.  But when a user enters his or her login name and password, the information is captured by the criminal.

Web Spoofing

Web spoofing happens when a scam artist creates a copy of a web site on the Internet.  This copy looks the same as the real site, but is used in spoofing attacks to confuse and mislead the web site’s visitors; however, the scam artist controls the false web site to gain access to the following information:

  • User identification logons
  • User passwords
  • Personal information
  • Internet usage habits

How to react to a phishing attack

Consumers who want to avoid being taken in by phishing attacks should:

  • Beware of e-mail requests to “verify” your account information online.  Your bank already knows your account number and does not need to verify it.  In the event of a security breach or computer problem, most banks contact their customer in writing or by telephone.
  • Be suspicious of any e-mail that contains urgent requests for personal information.  Phishers typically include upsetting or exciting, but false, statements in their e-mails to get people to react immediately.
  • Don’t use Internet links contained in a suspicious e-mail to reach a Web page.  Instead, visit the company’s Web site directly by typing the address into a Web browser, or call the company by phone.
  • If you believe you have been the victim of one of these attacks, contact:
  • The FBI, 111 Washington Ave S, Suite 1100, Minneapolis, MN 55401   (612) 376-3200
  • The Federal Trade Commission’s Consumer Response Center, 600 Pennsylvania Ave NW, Washington, DC 20580  1-877-382-4357 (
  • The US Secret Service, 300 S 4th St, Suite 750, Minneapolis, MN 55415  (612) 348-1800

We want to reassure you that the Credit Union will NEVER ask you to verify personal information via the Internet.  These requests will be done in writing.