Phishing Schemes Scar Victims

By Brian Krebs Staff Writer
Thursday, November 18, 2004; 6:36 AM

Nancy Boyle woke up one morning last December to discover that someone had stolen $1,800 from her online bank account. Then came the $800 credit card charge for escort services that she and her husband Dan never ordered.

The Boyles, who run a window treatment business out of their home in Racine, Wis., were getting a crash course in phishing.

The first e-mail appeared to come from Bank One, warning that Mrs. Boyle's account would be suspended unless she updated her information to conform with the company's new anti-fraud measures. She clicked on the link that came with the e-mail and entered the data on the Web site. Then the money disappeared from her account.

Not long after that, she got another message that looked like it came from eBay. It warned of fraudulent activity on her account and urged her to verify her details. She handed over her bank account number, Social Security number and her mother's maiden name -- the keys to her identity.

For the Boyles, the timing could not have been worse. The scams hit less than a week before Christmas. Mr. Boyle's mother had recently been diagnosed with cancer. The Internal Revenue Service had just begun an audit of their finances. The police got involved, but the evidence trail ran cold after investigators traced the scam to "somewhere in Egypt."

The experience left them wiser to the dangers of the Internet, the Boyles said, but it stirs bitter emotions.

"This kind of thing makes you feel so violated, just leaves you with such an awful feeling," said Mr. Boyle. "It sounds mean, but for a while there we just wanted these people dead."

The Boyles were two of an estimated 1.8 million Americans who gave out personal information in a phishing scam in the last year. It is becoming one of the most prevalent means of identity theft, according to the Federal Trade Commission.

Phishing scams usually start with an e-mail that looks like it comes from a bank, Internet service provider or e-commerce company. It often tells recipients that they need to update their account information by clicking on a link provided in the e-mail. If they do not, the mail warns, their accounts could be terminated or they could be subject to some other negative consequence. This, experts say, is because the Web sites remain online for only a few hours or days before investigators shut them down.

In the first six months of 2004, the number of unique phishing attacks increased by more than 800 percent -- from 176 in January 2004 to 1,422 in June 2004, according to the Anti-Phishing Working Group. Computer security experts said phishing is fueled by new alliances between computer virus writers, junk e-mail artists and international organized crime rings.

In a report last year, the FTC said the average identity theft victim could expect to lose roughly $500 per incident. But experts said that a person who falls for a phishing scam is exposed to far more fraudulent activity than someone who loses a credit card, in part because phishing victims give their personal data directly to people who are most likely to defraud them.

Michael Gibbons, 38, of Houston, Texas, last December responded to an e-mail he thought was from eBay, urging him to update his account information for "security reasons." After clicking on a link in the e-mail, Gibbons, who buys and sells books and other kinds of merchandise online, was taken to a bogus eBay site.

CONTINUED     1           >

© 2004 The Washington Post Company