By Robert MacMillan
washingtonpost.com Staff Writer
Monday, August 22, 2005 8:00 AM
Sitting in the midst of the technology and business desks here at washingtonpost.com, it seems to me that everyone must know what "phishing" is and how it can put more than a crimp in your day.
As a technology reporter, I live and breathe stories dealing with cyber-security, phishing, identity theft and other dangers of the Internet. Still, just because I know what these terms mean doesn't mean that you do.
This became apparent to me when, as I reported in Friday's edition, I wrote about an e-mail that my editor received from the Wall Street Journal's online customer care team warning readers about the dangers of phishing as if the problem had just been discovered the night before.
If I learned anything from your responses, it's that I need to go outside more often. Phishing is still a threat to the "average" Internet user, and these readers said they were glad for the most part to see that the Journal took the time to spell out the danger in simple language. Some said that they had not heard the term before:
* Margaret McCann in Huetamo, Michoacan, Mexico is a prime example: "I myself have never heard of the term. Any kind of information that will protect people is always worth its weight in gold."
Here are some other reader responses:
* Elly Reister, West Salem, Wis.: "WSJ is right to bring it up. Everyone is alert to the bank come-on, but an online news service? A well-known charity? A church? Vigilance can't hurt, especially now that my mother does banking online (though she needs 24/7 tech support)."
* Richard Miller, Provo, Utah: "Though the readership of the WSJ Online (not tooting my own horn) is probably fairly computer-savvy, it makes perfect sense to send out a descriptive ('dumbified') e-mail. This e-mail will help the minority at the bottom of the spectrum that is clueless about phishing and it will also reinforce and appropriately educate the mainstream readers who probably know that 'phishing is bad' or 'akin to spyware' or 'I should avoid it' but never took the time to really learn what it is. It also clearly delineates the WSJ's policies on using the user's name, not asking for them to enter credit card information in an email, etc. It's never a bad thing to reeducate; we get into trouble when we believe we know everything and aren't willing to listen because we might risk hearing something we already know."
* Cathy Woods, who didn't list a hometown in her e-mail to me, wrote: "I am keenly aware of scam artists who try to intimidate or con a person into revealing private information about themselves. However, I never knew the name for such a person. I personally get a little tired of all the current slang for anything. And no, I don't find tech talk too intimidating; I instead find it trivial. Can't we just call things what they are?"
* Patsy Wells, Williamsburg, Va.: "There are too many people out there who are barely hanging on to the digital frontier only because they have a spouse, son, daughter or friend who keeps up on the latest scam. I believe that phishing information should be on the front page of every newspaper for these people."
* Daniel Goody, Edmonton, Alberta: "I am aware, in a broad sense, that there are online scams. I am not entirely certain of the large variety of means these e-thieves have at their disposal to wrest my hard-earned cash (or credit) from my person. I am also not learned in being able to discern the difference between the legitimate requests of companies and phishing endeavours."
* James Joseph of Gardnerville, Nev., sees it both ways: "There has been more than enough said, but the press always says it too late. And most people really don't spend their time online reading tech stuff. There are lots of people I know who have never heard of spybot, adware or spywareblaster."
* John B. Meyers, Louisville, Ky.: "I was on the road the other week and got an e-mail on my Treo 600 (love it) from 'AOL' saying there was some problem with my billing. As savvy as I think I am, I panicked and telephoned AOL -- nope, just phishing. If I'd been on my computer I could have known it was phishing, but my Treo displays e-mail differently."
* Gail King, also from Louisville: "I didn't know about phishing until I read your column. It is necessary to keep reminding folks about the dangers. The dangers are becoming more and more sophisticated. Are you you or someone else? How do we know in this day and age of trickery and shenanigans?"
* Lou Weiss from New York offers some practical advice for reporters: "There should be articles written on a continuous basis on the dangers of the Internet and specifically, phishing. Just last week, I received an e-mail from what looked like PayPal asking me to update my personal and banking information. Now I consider myself fairly expert on the Internet and do a lot of business with ebay, but I was almost deceived by this very professional-looking site."
* Donna Curran in Regina, Saskatchewan, is a "risk administrator" who refers readers to a site that I should have mentioned earlier: "In regards to the amount of communications around phishing being too much or not enough, I tend to side with the theory that there is never enough. I have worked in the private IT Security industry for over the past 5 years and the level of sophistication hackers has evolved to is quite significant. The trouble with phishing is that hackers use so many different avenues that it is hard to keep up. If you would really like to know how much phishing has impacted the world, check out the Anti-Phishing Working Group."
Laura H. Marshall in Oakland, Calif., asks the question that everyone else is afraid to ask: "I know what it is, but I have to wonder why they named it after a band that's broken up and whose drummer plays the vacuum cleaner." I'm not sure, so we'll just have to "suck it up" and deal.
Speak and Spell
Gary Baldwin, the technology editor at HealthLeaders magazine, wrote to ask why "phishing" is spelled with "ph." That stumped me, so I asked my colleague Brian Krebs for an explanation. Brian, as I have noted before in this column, writes washingtonpost.com's SecurityFix blog and knows all there is to know about cyber-security. Here's the story of the spelling of phishing:
The "ph" in phishing is a nod to an older generation of hackers in the '70s and '80s known as "phreakers." They hacked telephones and the phone networks, usually to make free phone calls. The term "phishing" dates back to the '90s. It first was used to describe the practice of swiping someone's America Online account credentials to go online for free. In a typical AOL phishing scam, the bad guys would send the target an instant message masquerading as an AOL staffer, and try to convince targets to fork over their username and password.
Send links and comments to robertDOTmacmillanATwashingtonpost.com.