Consummate Consumer

'Phishing' on the Rise, But Don't Take the Bait

By Don Oldenburg
Washington Post Staff Writer
Tuesday, November 9, 2004; Page C10

Jan Boldt can hardly believe the number of fake e-mail warnings she receives almost daily from crooks impersonating the security divisions at eBay, AOL, PayPal and other businesses. She usually deletes them without even looking.

"I'm not all that computer-literate, but when I start getting weird e-mails with gibberish addresses, I wonder what's going on," says the Falls Church reader, whose skepticism has saved her from being victimized by online scammers. "People need to be warned not to give any personal information over the Net unless they know and trust the recipients."

The e-mail scam that Boldt and millions of Internet users now see regularly is called "phishing," and it is tied to the alarming rise in identity theft in this country. Since this column first reported on it last January, phishing has become one of the most prolific methods of duping people out of their private financial information.

The standard ploy impersonates an e-mail alert from a well-known business or financial institution warning recipients that their accounts have been breached or corrupted and asking that they verify their private information at the company's Web page. That bogus site mimics official logos and features of the company's real site to trick consumers into divulging their Social Security number, credit-card and bank-account numbers and passwords.

The news media, public education programs and TV ads, such as Citibank's Emmy-winning campaign in which voices of identity thieves come from the mouths of their victims, have helped make the public more aware of the need to protect personal information.

Yet the Anti-Phishing Working Group, an organization of 407 companies and 100 technology vendors collaborating to stop phishing, reports that up to 5 percent of consumers who receive phishing e-mails respond to them and provide private information.

Other consumer studies suggest the number could be higher, says David Zumwalt, chief executive of Privacy Inc., a Dallas-based Internet security company. "One out of five of the people who get these messages can be fooled," he says. "Response to phishing attacks is much higher than to [other] spam, where one out of 100,000 messages gets a response."

With "phishing attacks" on the rise, the scam is victimizing more people. APWG tracks the phishing trend and says there were 1,974 new unique phishing attacks -- a single phishing spam blast sent to millions of consumers targeting one company or organization -- in July alone, compared with 176 in January.

Phishing is not only escalating, it's also getting more sophisticated, says Zumwalt. The phony e-mails and Web sites are more convincing than ever, and phishers are using new technology such as key-logging spyware that invades computers and records passwords and other information.

Phishers are also expanding their corporate targets. Until last April, most of those fake e-mails and Web sites were impersonating eBay, according to APWG. That month, Citibank became the bull's-eye, and the top five through July were Citibank, U.S. Bank, eBay, PayPal and AOL.

"Mutual funds are now being targeted," he says, citing this summer's attack on Pax World Growth fund in which con artists created a bogus Pax Web site and lured new investors to it with the promise of big returns.

Industry and government are scurrying to thwart phishing. Companies such as the anti-virus firm McAfee and EarthLink, an Internet service provider, have developed protection programs that block phishing attacks. In December, Zumwalt's firm launched "My Privacy Policy" (MPP), which protects its users from phishing spam by using virtual e-mail addresses to block or flag messages originating from anyone other than approved or recognized sources.

On the government front, the House in October unanimously passed the "Internet Spyware Prevention Act" (I-SPY), which would add up to five years of prison time to the sentence of anyone convicted of using spyware or phishing schemes to commit a crime. The Senate hasn't gotten to the bill.

"We have worked hard on consumer education, which is really important. A person who has seen a phishing scam or knows about it is less likely to get caught," says Patricia H. Poss, an attorney with the Federal Trade Commission's Bureau of Consumer Protection, which has brought three legal actions against phishing operations.

Last year, identity theft was the FTC's No. 1 consumer complaint, says Poss. Overall, the FTC estimates, 27.3 million people over five years have been victimized by identity theft of various kinds. It reckons that 10 million identities were stolen last year, costing consumers nearly $5 billion and financial institutions and businesses $48 billion.

But most experts say recognizing a phishing e-mail and deleting it, as Jan Boldt does, is the most effective solution. "Update your virus software, get a firewall and update the security patches for your software," says Poss. "And don't respond. Don't click on the link. Don't e-mail your personal information. If you are concerned, contact that company in a way you know is real."

'PHISHING' TIPS

For more information on identity theft and how to protect yourself, see the FTC's Web site www.ftc.gov/bcp/idtheft_testing/index120177.html.

The FTC's brochure "How Not to Get Hooked by a 'Phishing' Scam" is available at www.ftc.gov/bcp/conline/pubs/alerts/phishingalrt.htm or call 877-FTC-HELP to order a copy.

The Anti-Phishing Working Group's Web site at www.antiphishing.org provides up-to-date information on phishing and is the Internet's most comprehensive archive of e-mail fraud and phishing attacks. Consumers can also report phishing attacks to APWG via e-mail at reportphishing@antiphishing.org.

Got questions? A consumer complaint? A helpful tip? E-mail details to oldenburgd@washpost.com or write Don Oldenburg, The Washington Post, 1150 15th St. NW, Washington, D.C. 20071.


© 2004 The Washington Post Company