Avoid Phishing Scams

Impersonated Web Pages

You can find web pages that exist for the sole purpose of collecting Yahoo! IDs and passwords. These pages mimic the Yahoo! sign-in screens, and are sometimes referred to as "spoof" or "password phishing" pages.

Do not enter your Yahoo! ID or password on any web page unless you are on the Yahoo! network and your intent was to visit a Yahoo! sign-in page or a Yahoo! service that requires you to be signed in.

You can quickly see if you are on the Yahoo! network by looking at the address box (circled in the picture below). Web pages on the Yahoo! network have URLs that start with: http://uk.yahoo.com/". There may be an additional word after ‘uk’, which will correspond with the Yahoo! Service you are visiting. For example, the address for Yahoo! Mail is http://uk.mail.yahoo.com/

Make sure a "trailing slash" appears after "uk.yahoo.com" -- sites that impersonate Yahoo! will not have the "trailing slash." For example, "http://uk.yahoo.com:login&mode=secure&i=b35870c196e2fd4a&q=1@16909060" is a bogus URL.

If you aren't sure you are on the Yahoo! network, go to the Yahoo! home page by typing "uk.yahoo.com" in the Address box. Once you're there, click the "Sign In" link in the middle of the Yahoo! home page.

Impersonated Emails

You may receive an email from someone claiming to be a Yahoo! employee who asks for your password for any number of reasons - to help recover your account, prevent your account from being deleted, or identify your account are a few or the more popular scams. The person may ask you to reply with your password or may direct you to a fake sign-in screen. These are scams. Please forward the email to mail-spoof@cc.yahoo-inc.com. Include the full email headers and the HTML source code of the email you received.

If you are directed to a web page by an email, make sure the web page is in the Yahoo! network, as mentioned above.

Social Engineering

"Social Engineering" is a term that describes non-technical methods used to gain get access to accounts, passwords, credit card numbers, National Insurance numbers, names, addresses or other personal and confidential information. These methods mostly involve an actual person contacting you. They can be separated into two types.

Con Games

In a con game, the social engineer will try to convince you to share your password. They may impersonate Yahoo! (as mentioned above), claim to be with the police or someone else of authority, or they may befriend you to gain your confidence and offer to help solve problems you may be having with your account.

• Never share your password. Your password is confidential and should not be given to anyone.
• Most online services, including Yahoo!, hold you responsible if you do not properly safeguard your password and your account is used by another person. If you lose a password from another company or online service, you may have that company email your password to you. Thus, if someone else has the password to your Yahoo! Mail account, they may be able to read these emails and be able to access online accounts from other companies.

Victim Knowledge

A social engineer may also use information they know about you to guess your password or use our password lookup utility to gain access to your account.

• To reduce the chance of someone guessing your password, choose your password wisely. Read "Choosing your password" for more information.
• To reset your Yahoo! password, a person needs to know your date of birth and post code. To learn your new password, a person also needs access to your alternate email account or know the answer to your secret question. That's why it is important to pick a secret answer only you know.
• Choose a security question and answer wisely. When you register with Yahoo!, you can choose a special question and answer that will allow you to access your account if you forget your password. Make sure you choose information someone else cannot guess. (Remember, it's possible for anyone who knows your Yahoo! ID and your birthday to see your security question and attempt to answer it.)
• Be careful about what you post publicly and who you share personal information with. Social engineers may take months to gain your trust, get to know you better, and gather information about you.

For more information, visit the Social Engineering category in the Yahoo! Directory.

Such scams are not targeted only at Yahoo! members. The more popular your Internet service is, the more likely it is that someone has set up fake log-in pages to collect IDs and passwords. Only give your ID or password when you know you're on a legitimate and trusted web site.

Reporting Password Scams:

• Email: If you receive an email impersonating Yahoo!, please forward the Please forward the email to mail-spoof@cc.yahoo-inc.com. Include the full email headers and the HTML source code of the email you received.
  .
• Web page: If you see a web page asking for your Yahoo! ID and password and you feel it is a scam, please report it to Yahoo!. Include the full URL of the web page collecting passwords.

If you have already been tricked into giving your password, please contact Yahoo! and supply as much detail as possible.

If you entered credit card or bank account numbers, you should immediately contact your bank or building society.

If you feel your life is in danger, call your local police station immediately.