Phishers Sinking to New Lows
Sunday, August 28, 2005
Don't get me started on spam. But the other day, scanning the dregs of my spam filter, there was this one that stood out from the hundreds of unsolicited commercial e-mails that pitch porn, get-rich-quick schemes, cheap pharmaceuticals, urgent business proposals and sure-thing investments. All no-brainer deletes. Click, click, click.
But this one stopped me cold. It raised images of stressed-out and distraught military families stunned by the message that their bank accounts had been breached (all the more troubling after last week's news that someone had indeed hacked an Air Force nonfinancial database containing 33,000 Social Security numbers). Recipients could follow the message's instructions, click on a link to a Web site, and divulge their passwords and confidential information.
Only, that urgent notice isn't from their bank. It's from a crook.
You probably knew that already. Those daily spams, supposedly from eBay, AOL or PayPal? Saying your account has been corrupted? If you don't have eBay, AOL or PayPal accounts, they're easy rip-offs to recognize. Click, click, click. Gone.
But if your thoughts are halfway around the world, in a war zone where every day is a life-or-death matter for a loved one, and your bank is the Armed Forces Bank, then just maybe you get fooled this one time. Just takes once. Low-life scammers count on it -- all the way to the bank.
"It's big business. And it is hard to track and really hard to shut down," says David Jevans, chairman of the Anti-Phishing Working Group (APWG), an association of more than 1,100 companies and law enforcement groups worldwide trying to eliminate online fraud and identity theft scams.
"Phishing," you may recall, is a type of e-mail con that shotguns millions of something's-wrong alerts to inboxes. The message, seemingly from a financial institution, instructs you to log on at a Web site that looks like the real institution's Web site -- but isn't. There, you're asked to provide your password or financial info -- which the scammers use for fraud and identity theft.
Over the past couple of years, phishing has become one of the top consumer crimes. A Gartner Inc. report in June estimated that 1.98 million Americans were victimized from May 2004 to May 2005 by phishing scams that stole $2.4 billion from their checking accounts. And APWG's phishing reports indicate that reported scams in 2005 have almost doubled in some months over last year's. They're such a threat that the new edition of the Oxford English Dictionary has added the term "phishing" to its pages.
The Armed Forces Bank scam is part of a growing trend in phishing to focus on smaller financial institutions, such as credit unions, smaller banks and insurance companies, Jevans said. "Basically, they are spreading out to smaller companies that are not as prepared to deal with it. There is a lot of testing out there to see who has systems that they can cash in on. . . . They're trying to stay ahead of spam filters, phishing filters, and they're trying different social engineering techniques."
In the Armed Forces Bank scam, the crooks mutated the message at least six times -- about every five or six days -- which the APWG says is business as usual. When the spam started appearing in late July, the ploy was: "You have received this e-mail because you or someone had used your account from different locations." Several variations later, it began: "We recently noticed one or more attempts to log in your Armed Forces Bank account from a foreign IP address and we have reasons to believe that your account was hijacked by a third party without your authorization."
Jevans said phishing is getting more sophisticated, both in its ability to trick consumers and in its technological threat. Most counterfeit phishing Web sites, long past the days when simple words were regularly misspelled, are harder to detect by the average consumer. And there's also an increase in cases where clicking the link in the spam or at the counterfeit Web sites infects your computer with "crimeware" -- hidden programs that steal data directly, often using technology to intercept the consumer's log-on names and passwords by recording someone's keyboard strokes.
Many institutions are reluctant to address phishing attacks that abuse their name. Executives at the Armed Forces Bank didn't return calls regarding this scam. But the Armed Forces Bank Web site displays a prominent warning at the bottom of its home page: "Armed Forces Bank will never ask you for personal information via e-mail or lead you to a 'verification' page. If you receive such e-mail, forward it to email@example.com and then delete it."
The bank's Web site also provides what has become standard advice on how consumers can protect themselves from the growing variety of phishing scams: Be suspicious of e-mails asking for personal information; never click on a link in an e-mail or open an e-mail attachment from someone you don't know; never provide financial information, such as bank account or Social Security numbers, to someone who contacts you unsolicited; and, when in doubt, contact your financial institution by phone or via its Web site (typing in the online address yourself) and ask about the e-mail.
Keep in mind that practically no legitimate companies contact customers via e-mail asking for private information. So the best advice? Click, click, click -- gone.
"It's all a numbers game," said Jevans, explaining that the crooks figure on relatively few consumers a day not following that advice. Out of millions of spams sent, "if you can get a thousand accounts a day, and $1,000 from each account -- whether through an ATM or credit card fraud -- that's $1 million a day. And those seem to be the number now."
Got questions? A consumer complaint? A helpful tip? E-mail details firstname.lastname@example.org write Don Oldenburg, The Washington Post, 1150 15th St. NW, Washington, D.C. 20071.