Don't be "Phish" Bait--Easy Steps to Protect Yourself

-- An email, supposedly from my bank, asks me to click over to their Web site and re-enter my user name and password.

-- A different email, supposedly from an online auction service, tells me that they've lost my credit card number and need me to go to a Web site and re-enter it.

-- Another email, supposedly from an Internet Service Provider, tells me that I've been accused of sending pornography and I need to go to a Web site to verify personal information.

They look different, but those emails have one thing in common: they are fake attempts to get me to share critical information, such as account numbers, credit card numbers, and passwords, with someone who isn't authorized to have them.

It's called "phishing," spelled with a "ph." Sometimes, it's called "brand spoofing." Those are cute names. What they represent is anything but cute.

Phishing or brand spoofing (I'll use phishing for the balance of this column) is an attempt to get you to share critical information with what you believe is a trusted party. The person trying to get your information impersonates an institution like your bank, or eBay, or someone else you may do business with. They ask you for critical information. If you give it to them, they will be able to use it to steal your money or even your identity.

The Federal Trade Commission (FTC) says that identity theft costs consumers sixty billion dollars a year. According to Christopher Wray, an Assistant Attorney General at the Justice Department, "Identity theft is the single greatest type of consumer fraud, and phishing is the identity theft du jour."

Consumers aren't the only ones losing out to phishing. Phishing costs businesses a ton. Every time there is a phishing scam that uses an Earthlink address or involves Earthlink accounts, that company fields more than twenty thousand phone calls. When a bank is the victim of a phishing scam, it costs that bank between a hundred and a hundred-fifty thousand dollars to answer the calls, handle the accounts, and settle any claims.

Banks and consumers may not like phishing much, but criminals like it, because it is easy and cheap to do and almost as easy to get away with. It can also be immensely profitable.

Phishing is one of those cases where it's easier to run a scam on the Internet than it is in real life. Face it, it's not likely that someone is going to sit down and make up a whole bunch of letters that look exactly like your bank's letters, and then mail them out with requests for you to update your critical data at an 800 number or by sending back a form. It would be expensive, and it would be too easy to get caught before you could gather up your winnings and slink off into the night.

On the Internet, though, it's easy. All the phisher has to do is send off an email with a couple of fake headers and an alarming request. The alarming request, such as a warning that your account is about to be closed, is meant to push you into acting.

The action that they want you to take is to click on a particular link, which will take you to a site that looks a lot like a trusted institution. Banks are the biggest favorite, but not the only ones.

If you follow that link, and enter your information, then what you are actually doing is handing over that information to someone with criminal intent. They might use your credit card number to make purchases. They might use bank account information to get cash. They might use your Social Security number and other information to do a more extensive version of identity theft. Whatever it will be, you can bet it won't be good.

Fraud investigators estimate that somewhere around five percent of the folks who get these phishing emails actually respond and share information. Since it costs the scoundrels virtually nothing to send out millions of emails, this can be pretty profitable.

That's probably why phishing incidents are increasing. The Anti-Phishing Working Group (APWG), an industry group that shares information and develops tactics to defeat phishing fraud, tracks new scams. In January, 2004, there were one hundred seventy-six. In February, that had jumped to two hundred eighty-two.

Phishing isn't new. What's new is the intensity and technical sophistication. Phishing actually started on America Online (AOL) way back a decade or so ago.

In those days, America Online charged users by the minute. There were lots of folks who wanted to be online, didn't have the money to pay for it, and didn't have any scruples about using other people's money.

Those folks would fire off instant messages to other AOL users online. The instant messages would claim to be from AOL security or AOL billing. They would ask for a user's password. The phisher could use the password and user name to stay online at someone else's expense.

That got to be so common that AOL started posting standard messages that they would never ask you for your password. Most online institutions have a similar policy.

When AOL went to flat-rate billing, the initial versions of phishing disappeared. But phishing was soon back, this time using email.

The first phishing emails that I remember seeing were almost funny. They often got company names wrong. The English was simply awful and sometimes laughable. After a while, the phishers got better.

About two years ago, phishing activity began to pick up dramatically. Since then, a couple of things have changed. As recently as two years ago, more than half of the folks who got caught for phishing schemes were less than eighteen years old. A significant number of the phishers were solo operators.

Bruce Townsend, Deputy Assistant Director at the Office of Investigations of the Secret Service, says that "The kids in school and the old lady in her basement make great copy, but this has transformed into something done by organized criminal groups."

The shift to organized crime means that the phishing is getting a lot more sophisticated. And more and more of it is coming from outside the United States. The Anti-Phishing Working Group estimates that two thirds or more of the phishers operate out of Eastern Europe.

That presents a real problem for law enforcement. It's hard enough to track down these folks when they and their computers are within U.S. jurisdiction. It's quite another thing when they are in some far-off land, and you've got to get the cooperation of the local constabulary.

So, what can you do? Well, let's start with some things you probably shouldn't do.

Don't count on this going away all by itself. The profitability, the ease of mounting a phishing operation, and the difficulty of prosecution all mean that we'll probably see continuing dramatic increases in this type of fraud.

You probably also shouldn't figure on trying to master the technical details. It's true that many of these scams can be spotted because of technical things that you can look for in the link or in the message headers. But the fact is that most of us don't have the technical sophistication for that and don't have the energy or time to track the moving target of technological development.
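For readers who do want to see what "technical things in the link or in the message headers" means, here is an added example that is not part of the original column. It checks a saved email for two classic tells: a Reply-To address whose domain differs from the From address, and a link whose visible text names one site while its href points somewhere else. The sample message is constructed for the example (the bank name, the 198.51.100.7 address and the look-alike domain are made up), and the "registered domain" helper is a deliberately crude heuristic that does not consult a public-suffix list.

```python
"""Spot two classic phishing tells in a saved email (added example, not the column's)."""
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []      # finished (href, text) pairs
        self._href = None    # href of the anchor currently being read
        self._text = []      # text fragments seen inside that anchor

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Crude 'example.com' from 'www.login.example.com'; bare IPs are returned as-is.
    A real tool would use a public-suffix list (assumption: good enough for a demo)."""
    host = (host or "").lower().rstrip(".")
    if re.fullmatch(r"[\d.]+", host):
        return host
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def header_domain(value):
    """Registered domain of the first address in a From:/Reply-To: header, or ''."""
    m = re.search(r"@([\w.-]+)", str(value or ""))
    return registered_domain(m.group(1)) if m else ""


def phishing_indicators(raw_message):
    """Return a list of human-readable warnings for a raw RFC 822 message string."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    warnings = []

    # Tell 1: replies are routed to a different domain than the sender claims.
    from_dom = header_domain(msg["From"])
    reply_dom = header_domain(msg["Reply-To"])
    if reply_dom and from_dom and reply_dom != from_dom:
        warnings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")

    # Tell 2: the link text shows one site but the href goes somewhere else.
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = _LinkCollector()
        collector.feed(body.get_content())
        for href, text in collector.links:
            href_dom = registered_domain(urlparse(href).hostname or "")
            shown = re.search(r"([\w-]+\.)+[a-z]{2,}", text.lower())
            if shown and registered_domain(shown.group(0)) != href_dom:
                warnings.append(
                    f"Link text says {registered_domain(shown.group(0))} but points to {href_dom}")
            # Tell 3: a link that leaves the domain the message claims to come from.
            if href_dom and from_dom and href_dom != from_dom:
                warnings.append(f"Link to {href_dom} in a message claiming to be from {from_dom}")
    return warnings


# Constructed sample: a look-alike Reply-To and a link whose text hides a raw IP address.
PHISHY_SAMPLE = """From: "Example Bank" <alerts@examplebank.com>
Reply-To: verify@mail-examplebank-secure.net
To: me@example.org
Subject: Your account will be closed
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><p>Please confirm your details at
<a href="http://198.51.100.7/login">https://www.examplebank.com/login</a>
within 24 hours.</p></body></html>
"""

# Constructed sample of a message with none of the three tells.
CLEAN_SAMPLE = """From: "Example Bank" <alerts@examplebank.com>
To: me@example.org
Subject: Your monthly statement is ready
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><p>Your statement is available: <a href="https://www.examplebank.com/">sign in</a>.</p></body></html>
"""

if __name__ == "__main__":
    for name, sample in (("phishy", PHISHY_SAMPLE), ("clean", CLEAN_SAMPLE)):
        print(name, phishing_indicators(sample) or ["no indicators"])
```

Run it as a script and it prints three warnings for the constructed phishy message and none for the clean one. None of these checks proves a message is fraudulent (marketing mail legitimately uses tracking domains), which is exactly why the column's advice to contact the institution through your usual channel is the safer habit.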

Here's what you can do. Be skeptical. Be very skeptical. The fact is that no reputable institution is going to ask you for what these phishing messages ask you for.

Your bank will not tell you that you need to click over to a Web site and re-enter your account number and password. The auction site you use will not suddenly lose your information. Your credit card company will not need you to re-enter your card number, password, and personal details.

When you get an email that requests something like that, do one of two things. Ignore it. If you don't want to ignore it, then contact the institution directly to ask about it. Don't use the email, Web link, or phone number in the message you get. Contact them in your usual way.

Phishing is a big deal and a dangerous deal that can cost you - and the companies you deal with - a lot of money. It will be up to you to be the kind of skeptical and savvy consumer that keeps your own information safe. Don't take the bait.

Resources

Here are the two most-recommended sites to find out more about phishing.

The Anti-Phishing Working Group (https://www.antiphishing.org/)

The Federal Trade Commission (https://www.ftc.gov/news-events/media-resources/identity-theft-and-data-security/phishing-scams)

You may also want to check out the Identity Theft Resource Center (https://www.idtheftcenter.org/)

[Editor's note: here's a more up-to-date resource: https://www.ftc.gov/news-events/media-resources/identity-theft-and-data-security/phishing-scams]

This article originally appeared in Wally Bock's Monday Memo and is used by permission. Get your free subscription at https://www.bockinfo.com/. I have been subscribing for many years and find it informative, going off the usual beat while building a strong connection from the publisher to readers. I highly recommend it.
--Shel Horowitz, owner of FrugalMarketing.com and FrugalFun.com

Wally Bock is a speaker, author and consultant who helps individuals and businesses improve their results in the Digital Age. His commentary, "Postcards from the Digital Age," originates on WHQR, public radio in Wilmington, North Carolina, and his resource Web site is at https://www.bockinfo.com. Reach him at wbock@bockinfo.com.