By Mike Musgrove
Washington Post Staff Writer
Saturday, October 22, 2005
If you see an e-mail this weekend asking you to donate to the victims of Hurricane Wilma, be careful. A scammer may be "phishing" in your e-mail inbox.
"Phishing" scams, in which e-mails and Web sites made to look official are used to trick people out of their credit card numbers or other personal information, are on the rise.
And with people continuing to fall victim, and with scammers finding new opportunities to put a different face on the same scam -- the hurricane relief efforts among the latest -- it appears that phishing attacks are here to stay.
The number of attacks was up 28 percent between May 2004 and May 2005, according to a study by research firm Gartner Inc. An estimated 2.4 million Americans were victims during the 12-month period, resulting in financial losses of about $929 million.
The classic phishing scams seem to come around again and again, with little variation: Your eBay account is about to expire, the sender of the e-mail warns you. Click on the link and resubmit your credit card information to avoid any loss of service.
Of course, when you click, it's not an eBay site that you'll be visiting -- though it probably looks very much like it. And it won't be eBay's billing department that will have your credit card information, either.
PayPal, eBay and Citibank lead Gartner's list of the top spoofed sites, but plenty of others are out there. Appeals tied to hurricane or tsunami relief efforts are only one form. Others pretend to be your company's tech department or security officials from your e-mail provider. A growing number pretend to be lottery or sweepstakes prize departments.
And it's not always personal information that they're asking for. A new form of phishing, called "spear phishing," targets members of a particular organization and claims to be its e-mail provider. The link will prompt you to download special software, which could install spyware or adware that records personal information later.
Experts have long warned consumers about the dangers of phishing scams and how to avoid them.
Still, it's not enough.
Internet providers and security software makers have tried to come up with tools to prevent people from falling victim to such cons. Microsoft has started building anti-phishing safeguards into the Internet Explorer browser, for example, giving the software tools that check a site for common phishing characteristics. At least one Internet service provider -- America Online -- is blocking identified phishing e-mails instead of just issuing warnings.
But wiping out this type of scam altogether can be a tough job to pull off because the scams rely more on persuasive psychological trickery than on technology.
Laws designed to spook such scammers may be on the way, in the same way legislators tried to wipe out spam a few years ago. California Gov. Arnold Schwarzenegger approved legislation last month specifically outlawing such scams, giving prosecutors another tool to pursue the fraudulent.
But it's still too early to measure whether such laws will be effective at curbing phishing attacks. Until then, consumers should continue to click carefully and be cautious about how and where they hand over personal information.