Thursday, October 27, 2005

By hook or by crook, phishing lures victims

Scams on the Internet are just a click away, so don't be tricked out of credit card numbers.

By Mike Musgrove / Washington Post

Phishing on the rise • Phishing attacks grew 28 percent from May 2004 to May 2005. • About 73 million adult e-mail users reported more than 50 phishing e-mails during the 12-month period. • 2.42 million adults reported losing money because of phishing attacks. • Since May 2003, nearly 11 million recipients of phishing e-mail clicked on the links. Of those, 1.8 million recalled filling out the information requested. • Victims recovered 87 percent of their funds. Source: Gartner Inc. Don't take the bait • Do you have an account with the "company" that sent you the e-mail? If not, this is a phishing scam. • Never click on a link from an unknown person; viruses and spyware can be transmitted. • Don't reply to a possible phishing e-mail. If you do, you have just told the scammer that he has reached a good e-mail address, and that has invited even more spam and scams into your inbox. • If you think the request for information may be legitimate, do not click on the link, but instead open a new Internet browser and go directly to that company's site. • Before entering your personal information or credit card numbers on a Web site, look for signs that the site is secure. Sometimes it will be a "locked" yellow padlock icon, usually in the lower right corner. Also, Web addresses for secured sites usually begin with "https," the "s" being the letter that tells you the site is secure. • Keep tabs on credit card usage and report any unfamiliar activity. Comment on this story Send this story to a friend Get Home Delivery

WASHINGTON -- If you get an e-mail asking you to donate to the victims of Hurricane Wilma, be careful. A scammer may be "phishing" in your e-mail inbox.

"Phishing" scams, in which e-mails and Web sites made to look official are used to trick people out of their credit card numbers or other personal information, are on the rise.

And with people continuing to fall victim and new opportunities to put a different face on the same scam -- the hurricane relief efforts among the latest -- it appears that phishing attacks are here to stay.

The number of attacks was up 28 percent between May 2004 and May 2005, according to a study by research firm Gartner Inc.

An estimated 2.4 million Americans were victims during the 12-month period, resulting in financial losses of about $929 million.

The classic phishing scams seem to come around again and again, with little variation: Your eBay account is about to expire, the sender of the e-mail warns you. Click on the link and resubmit your credit card information to avoid any loss of service.

Of course, when you click, it's not an eBay site that you'll be visiting -- although it probably looks very much like it. And it won't be eBay's billing department that will have your credit card information, either.

PayPal, eBay and Citibank top Gartner's list of the top spoofed sites, but plenty of others are out there. The hurricane or tsunami relief efforts are only one form. Others pretend to be your company's tech department or security officials from your e-mail provider. A growing number pretends to be lottery or sweepstakes prize departments.

And it's not always personal information that they're asking for. A new form of phishing, called "spear phishing," targets members of a particular organization and claims to be its e-mail provider.

The link will prompt you to download special software, which could install spyware or adware that records personal information later.

Experts have long warned consumers about the dangers of phishing scams and how to avoid them.

Still, it's not enough.

Internet providers and security software makers have tried to come up with tools to prevent people from falling victim to such cons. Microsoft has started building anti-phishing safeguards into the Internet Explorer browser, for example, giving the software tools that check a site for common phishing characteristics.

At least one Internet service provider -- America Online -- is blocking identified phishing e-mails instead of just issuing warnings.

But wiping out this type of scam altogether can be a tough job to pull off because the scams rely more on persuasive psychological trickery than on technology.

Laws designed to spook such scammers may be on the way, in the same way legislators tried to wipe out spam a few years ago. California Gov. Arnold Schwarzenegger approved legislation last month specifically outlawing such scams.

But it's still too early to measure whether such laws will be effective at curbing phishing attacks. Until then, consumers should continue to click carefully.