In a report last year, the FTC said the average identity theft victim could expect to lose roughly $500 per incident. But experts said that a person who falls for a phishing scam is exposed to far more fraudulent activity than someone who loses a credit card, in part because phishing victims give their personal data directly to people who are most likely to defraud them.
Michael Gibbons, 38, of Houston, Texas, last December responded to an e-mail he thought was from eBay, urging him to update his account information for "security reasons." After clicking on a link in the e-mail, Gibbons, who buys and sells books and other kinds of merchandise online, was taken to a bogus eBay site.
In a lapse of judgment that he would later describe as the "beginning of a long, major life lesson," Gibbons entered his eBay ID and password, his address, checking and credit card account numbers and expiration dates, bank routing and Social Security numbers, his birthday, his mother's maiden name and his bank card PIN.
Within hours, scammers siphoned $1,500 from his debit card account and changed his e-mail and eBay account passwords. They even locked Gibbons out of his bank account by securing it with a password of their own.
Gibbons's bank eventually agreed that the charges were fraudulent. A bank investigator told him it appeared that they were coming from somewhere in Russia to pay for computer equipment and Web site domain name registrations. Experts say the scammers likely were reinvesting cash they stole from him to pay for equipment and resources needed to launch more phishing scams.
It took several months for Gibbons to close out his bank accounts and credit cards. Following the advice given to fraud victims, he filed a police report and placed a fraud watch on his file with the three major credit bureaus.
A little more than two months ago, a woman from the credit bureau called. The scammers had struck again. This time they tried to open a $25,000 line of credit in his name.
Gibbons said he learned the hard way that banks and e-commerce companies will never ask for personal information from their customers in an e-mail. But consumers who are unaware of that are an easy mark for e-mail scammers because many of the phishing lures in use today are increasingly difficult to distinguish from legitimate communications.
Consider the experiment conducted by Palo Alto, Calif.-based e-mail security firm MailFrontier. In July, the company posted a "phishing IQ test" on its Web site that displays 10 e-mail messages and asks visitors to decide whether they are scams or legitimate messages sent by companies to their customers.
To date, most of the 230,000 people who have taken the test got seven out of 10 right. Only one in 10 answered all the questions correctly.