Consumer Reports Money Adviser
September 2006
Don't bite at phishers' e-mail bait
Cyberscammers are constantly innovating. Be alert to the latest rip-off schemes
No, it's not a misspelling of a common leisure pastime. Phishing is a troublesome criminal activity on the Internet that has
ensnared millions of Americans during the past few years, and there's nothing relaxing about it.
It starts with an e-mail containing the bait--an ominous note such as this one that made the rounds in June:
"We recently noticed one or more attempts to log in to your EvergreenBank account from a foreign IP address. If you recently
accessed your account while traveling, the unusual log-in attempts may have been initiated by you. However, if you did not
initiate the log-ins, please visit EvergreenBank as soon as possible to verify your identity."
Concerned recipients, unable to resist the lure, were instructed to click on a link, which took them to a bogus Web page that
appeared to be the Evergreen Bank site. A form on the page requested Social Security and charge-card numbers. With that information,
the phishers had what they needed to take out loans or open up credit accounts in the victim's name.
Common targets
Most phishing attacks target the financial-services industry, but auction sites like eBay, telephone companies, Internet service
providers, and Internet retailers--any online locations where people provide information useful to identity thieves--are also
frequently spoofed. Enterprising phishers have even used the government as their cover. Consider, for example, this recent
scam e-mail: "In cooperation with the Department Of Homeland Security, Federal, State and Local Governments your account has
been denied insurance from the Federal Deposit Insurance Corporation due to suspected violations of the Patriot Act."
Unsuspecting targets were directed to a Web site where they were told to type in the name of their bank and their account
number, as well as to list their credit cards.
In May 2006, a record 20,109 unique phishing campaigns were reported, up from roughly 17,500 the month before, according to
the Anti-Phishing Working Group (www.antiphishing.org), an international private-sector and law-enforcement consortium. Nearly 140 companies and brands were impersonated in May,
reflecting the fact that a single bogus site can support dozens of e-mail attacks. Indeed, California's attorney general,
Bill Lockyer, reported that as of early April, his department had received 236 separate phishing e-mail messages related to
Chase Bank.
Perhaps the primary reasons for the popularity of phishing are that it is relatively inexpensive to do and the returns can
be significant. According to the 2006 Consumer Reports State of the Net survey, the median cost per victim is $850 over the
past two years. When projected to the total number of online households, the damage amounts to $630 million.
Typically, phishers purchase lists of known e-mail addresses for a few hundred dollars or use software that can create endless
permutations of possible e-mail addresses, and then blast out about a million messages at once. "Many of these will go to
people who don't have an account with the company that supposedly sent the message or won't get to a live e-mail address,"
says Devin Redmond, a senior product manager at Websense, which makes Web security and filtering software. "But if the response
rate is a fraction of a percent--say 5,000 to 10,000 people--identity thieves can turn that into a lot of expensive stolen
merchandise."
In fact, the response may be quite a bit higher than that. Our survey, conducted by the Consumer Reports National Research
Center, found that 8 percent of the respondents provided personal information after receiving phony e-mail messages. Part
of the problem is that most people can't tell the difference between a real Web site and a phony one, despite such obvious
clues as amateurish spelling and grammar and long Internet addresses with unusual combinations of characters. In a 2006 study
by researchers at Harvard University and the University of California, Berkeley, 22 people were shown 20 Web sites, 13 of
which were spoofs. On average, participants were unable to accurately identify a genuine or fraudulent page 40 percent of
the time. And when participants were presented with what the researchers called "good phishing Web sites," the failure
rate more than doubled.
"Consumer education is essential to alert people to how serious phishing is and to make sure that they become more vigilant
about knowing which e-mails they respond to," says Susan Grant, director of the National Consumers League's National Fraud
Information Center. "But it's not an easy task. Even if a consumer can reasonably guess that their bank won't ask for personal
details over the Web, would that same person neglect a note, for instance, from a retailer that he or she is familiar with
asking to provide confidential information to confirm a transaction?"
The worst is yet to come
Attempts to clamp down on Internet schemers have taken on increased urgency recently because there are disturbing signs that
new snooping technology could soon make today's phishing seem like child's play by comparison. The latest tactic, according
to the APWG, is to attach so-called crimeware to a computer when a person simply clicks on the link in a scam e-mail, without
inputting anything else. Once embedded, the programs monitor keystrokes, snatching up log-in and account passwords. Or in
an activity known as pharming, crimeware can redirect an Internet user who has typed in a proper Web address to a counterfeit
site that appears to be an exact replica of the page he or she was seeking.
The one bright spot in all of this is that it's relatively easy to avoid becoming a phisher's prey. Follow these steps:
Never click on links in e-mail that asks for confidential information, and don't reply to the message. Only a small number
of companies will request personal data via e-mail. If you think that the message may be legitimate, handle the matter over
the phone. But make sure that you are using a verified telephone number. One recent phishing campaign targeting customers
of Santa Barbara Bank & Trust directed people to a fraudulent phone number answered by a recorded message that asked for account
information. Before deleting the bogus message from your computer, alert law enforcement by forwarding it to spam@uce.gov. Also send it to the Anti-Phishing Working Group (reportphishing@antiphishing.org).
Install antivirus and Internet security software on your computer, and keep it up to date with current virus definitions.
Make sure the program has a firewall, which can help prevent crimeware from entering your computer. Although most security
software isn't programmed to detect phishing e-mail--unless the messages are classified as spam and separated out by the junk-mail
filter--developers are beginning to include aspects of this capability in new applications. For example, Microsoft has released
a free Phishing Filter Add-In (addins.msn.com/phishingfilter), which will display a red warning bar above a Web page that is a confirmed phishing site; no data input from the user will
be allowed. A yellow warning bar means that the site is suspected of being a phishing site. And Symantec, the largest antivirus-software
company, is planning to introduce a similar program in fall 2006 to be called Norton Confidential.
Don't allow ignorance to be your excuse. Go to Websense Alerts (www.websense.com/securitylabs/alerts) to view a list of recent phishing scams. OnGuard Online (onguardonline.gov/index.html), a site maintained by the Federal Trade Commission and the technology industry, provides updated information about how to
avoid Web fraud. For more information about how to protect yourself online, go to www.consumerreports.org/security.