In 'phishing' scams, purported acquaintances claim to be stranded abroad

(Luci Gutierrez for The Washington Post)
  Enlarge Photo    
By Christopher Elliott
Special to The Washington Post
Sunday, June 13, 2010

A stolen bag. Lost cash. A missing passport.

It had all the hallmarks of a trip from hell. And the e-mail, which ostensibly came from a reader I had corresponded with back in 2008, seemed equally genuine. "I really don't mean to inconvenience you right now," he wrote. But he was stuck in London. Would I be willing to wire him $940 so he could get home?

Only it wasn't real.

As it turns out, the "Lost Luggage in London" scam is a derivative of a so-called "phishing" fraud first identified on the social networking site Facebook last year. Phishing is the act of sending a message that claims to be from a friend in an effort to obtain personal data or money.

"When it comes to travelers, cybercrime and scamming opportunities abound," said E.J. Hilbert, a former FBI special agent who is now the president of Online Intelligence, a New York-based company that specializes in stopping Internet fraud. "One scam will easily lead to several others, simply because the traveler is traveling, thus giving the fraudster time to work, knowing that many travelers will not notice the cybercrime has taken place until they get back from their trip."

You don't even have to travel to get taken. The "lost luggage" con, for example, preys on people who know others who travel often. I was in my office when I received the fraudulent appeal.

Online crimes are a growing problem. Americans lost more than half a billion dollars from fraud perpetrated through the Internet last year, up from $264 million in 2008, according to the FBI's Internet Crime Complaint Center (ICCC). Travelers were hit particularly hard, according to Don Gray, the chief security strategist for the Omaha-based information security company Solutionary. "In many ways," he said, "we're at a bigger risk when traveling."

Apparently, so are the people we know. Michael Sands, a media consultant in Los Angeles, received an urgent e-mail from an acquaintance's address, claiming that she needed $2,500 after leaving her wallet in a London taxi. (Sound familiar?) "I knew the e-mail was fake because the person who [allegedly] sent it to me would never ask me for $2,500 in an e-mail," he said.

Sands forwarded the message to the ICCC Web site (, which records scams and warns others about them. "I feel one good deed deserves another," he said.

Security experts refer to the kind of e-mail Sands received as "spear phishing," because it's customized to a group of users or a single user, and it's that precision that renders it so dangerous. For a moment, at least, he believed that his friend was in trouble, just as I thought that one of my readers had lost his luggage and needed a hand.

Phishing scams are not the only traps that await travelers. They're also vulnerable to losing their passwords to keystroke-logging software, which records each character typed on a computer in a public place, such as a hotel business center or an Internet cafe, and transmits it to a cybercriminal.

CONTINUED     1        >

© 2010 The Washington Post Company