* In late October, the U.S. Secret Service and overseas authorities announced the arrest of 28 people on suspicion of running Web sites that were designed to steal, sell and forge credit cards and identification documents.
* In August, the FBI, the Federal Trade Commission and the Postal Inspection Service announced the arrests or convictions of more than 150 people in a nationwide crackdown on Internet fraud, including a Ukrainian man who allegedly used Internet chat rooms and his own Web site to buy and sell stolen credit card data.
In addition, federal investigators now have stronger legal tools at their disposal. The Identity Theft Penalty Enhancement Act, signed into law by President Bush on July 15, prescribes stiff prison terms for those who use identity theft to commit other crimes.
Banking customers are among phishers' favorite marks, but some consumer advocates and security experts said banks are not investing enough money and other resources in fighting online fraud.
Fran Maier, executive director and president of TRUSTe, a nonprofit privacy group in San Francisco, has spent several months trying to persuade the nation's largest financial institutions to pony up a few hundred thousand dollars each to fund a $10 million public-service ad campaign to alert consumers. So far, she said, some have expressed interest in the idea, though none has pledged funding.
"We have to go back to the advertising playbook by using reach and repetition through television, radio and billboards," Maier said. "And it can't be done in just an e-mail or Web-based campaign, because that's exactly where people are getting phished."
Marcus Sachs, a former White House cyber-security adviser and current director of the SANS Internet Storm Center, said marketing departments at many banks do not heed their companies' own advice. Too often, he said, banks send e-mails to customers offering balance transfers and other deals by asking them to click on a Web site link and enter their information.
"If the corporate policy is never to send e-mails that contain links to Web sites asking for your personal information, then these businesses need to work harder to normalize their behavior so that consumers will know what's abnormal," Sachs said. "The fact is some banks still send out e-mails that look remarkably like phishing scams."
Sachs said online merchants, banks and credit card companies need to invest in technologies used by most European banks that require customers to use one-time "identity tokens" or smart cards -- in addition to user names and passwords -- to get their financial information over the Web.
For now, U.S. banks are relying on warning their customers about phishing through mailings sent with their monthly statements. They say that they never ask for personal information in an e-mail message. Citibank recently joined other financial institutions, including SunTrust Banks Inc. and Washington Mutual Inc., in posting fraud advisories on their Internet home pages.
But some disenchanted customers are choosing the most effective phishing cure: no more online banking or shopping.
Rhonda Gifford, 37, said she has "had it" with e-commerce after getting hooked by a phishing scam. Weeks after she entered her personal information at a faked PayPal site, fraudulent charges for adult Web sites and a new Internet account in Saskatchewan showed up on her credit card. The scammers also wired more than $800 out of the Olive Hill, Ky., resident's checking account via Western Union to somewhere in Pakistan.
After she canceled her accounts and filed a fraud report with credit-reporting bureaus and local police, Gifford's bank suggested she refrain from online banking -- at least for a while. The bank told her that before too long, someone would probably try to open new lines of credit in her name. These days, she just waits for the next attack.
"I used to shop with my credit card online all the time for all sorts of different things that aren't available in this rural community," she said. "Now, it's like, forget it, not any more."