Phishing lines more clever, more prevalent
By John Wilkens
Fishing is all about tricking the prey into taking a bite at something it thinks is real. So is phishing.
Many of us have seen the bait float past in recent years. It arrives via e-mail, with an official-looking logo from a bank or credit union or retail company:
"We recently reviewed your account, and suspect it has been accessed by an unauthorized third party. As a result, your account has been frozen. To regain access, please take these steps ..."
"Our Technical Services Department has installed new security software. To upgrade your account, please do the following ..."
"There is a pending charge on your account. If you dispute this charge, you must ..."
The e-mail then instructs you to click on a link that will take you to a Web site - again, very official looking - where you're asked to log in with your password, verify your date of birth and Social Security number, and so on.
Take the bait and you're well on your way to having your identity stolen, a potentially costly and time-consuming aggravation.
Financial institutions, government agencies, computer experts and the media have been warning people about phishing for several years. There's even a global consortium, the Anti-Phishing Working Group, to combat the problem.
But it persists. A record 20,109 unique phishing "attacks" - each involving e-mail sent to thousands of potential victims - were reported in May to the Anti-Phishing Working Group. That was up from 17,490 attacks in April.
About 80 percent of the May attacks involved attempts to mimic e-mail from 20 major "brand" companies, such as Bank of America, Washington Mutual, Chase Manhattan, PayPal and eBay. (In all, a record 137 brands were "hijacked" in May.)
Paul Stephens, a policy analyst with the Privacy Rights Clearinghouse, a consumer-protection agency, said phishers use well-known companies because more people are likely to have relationships with those firms, and therefore are more likely to take the bait.
"If enough e-mails go out, chances are they'll hit you with something that seems like it belongs to you," he said. "They just keep getting more and more clever."
Peter Cassidy, secretary general at the Anti-Phishing Working Group, which is based in Cambridge, Mass., said "what keeps us up at night" is the increasing use of "crimeware" by identity thieves.
"Crimeware" is a tracking program that gets secretly installed on a computer when the victim clicks on a link in a phishing e-mail and is directed to a fraudulent Web site. The tracking program enables thieves to learn passwords and account numbers when the victim later visits legitimate sites.
Cassidy said the best way to prevent being phished is "to use all that stuff people have been yelling at you about for years: anti-virus programs, spyware blockers, firewalls. They really matter now. And make sure they're updated."
Other tips:
- Be wary of e-mail with urgent requests for personal financial information. Call the company on the telephone to verify that the e-mail is legitimate.
- Be careful using links in e-mail to get to Web pages, especially those involving financial accounts. Use your Web browser to make sure the site is genuine.
- Always make sure you're using a secure Web site when transmitting credit card numbers or account information - look for "https://" in the address bar, not just "http," and look for the padlock icon in the lower right corner.
- Regularly check your bank and credit-card statements to make sure transactions are legitimate.
More information is available from the Anti-Phishing Working Group (antiphishing.org) and the Privacy Rights Clearinghouse (privacyrights.org). To test your phishing IQ, Mailfrontier, a computer security company, offers a quiz at survey.mailfrontier.com/survey.