Internet use is certainly not safe these days, and it seems like there are new hazards lurking around the corner every day. Viruses are rampant, spam is clogging up mailboxes, and you can never be certain of what is really lying behind the link you are about to click. Whatever measures ISPs and software publishers come up with on Wednesday to battle these pests are seemingly useless on Thursday, because the bad guys are always ahead of the game.
One of the fastest growing problems is the phenomenon known as phishing. And this one packs a wallop – it can cost you money, and a lot of it. It preys on customer gullibility and is hard to combat. The scammers cast a wide net, tricking users into a trap that often costs them important financial data. Preventing the scams may be harder than anyone has imagined. Let’s take a look at the phenomenon, and how you can avoid getting tricked.
The Scam
Phishing is a term describing a specific type of e-mail scam. The goal is to get users to submit sensitive data, such as credit card information, to fraudulent web sites. The scam uses fake e-mail messages to lure the unsuspecting user into clicking on a link in the message, taking him to a fake web page, where he is requested to provide personal financial data such as credit card numbers, account usernames and passwords, social security numbers, or other personal information.
Very often, the approach is to hijack the name and logo of a trusted brand – often a financial institution – tricking the user into believing that he is dealing with a legitimate company. This way, the con artist can obtain personal information, such as credit card data, and use it for his own sinister purposes. If the phishing scam is well done, many users will never become suspicious. Among the favorite companies used are credit card providers such as Visa, retailers like Amazon.com and eBay, banks like Citibank or HSBC, and online payment companies like PayPal, which is used by a majority of eBay shoppers.
Another strategy is to set up a generic e-commerce site, offering financial services, mortgages, or selling products. Sometimes a site like this can stay open and operational for an entire month – tricking many customers into providing sensitive information, or actually transferring money to pay for non-existing products. The average life cycle is much shorter, usually around one week, before the site is exposed, or taken down by the scam artists themselves to avoid getting caught. While in theory slightly different from phishing scams, these frauds are counted in the same category.
Growing, and Growing Fast
According to a report by research firm Gartner, published in May this year, there have been 1.8 million reported phishing scams in the United States. Over half resulted in the fraudulent use of credit cards or other financial data. In the U.S., more than 57 million have received phishing e-mails, and phishing has caused losses of $1.2 billion annually in credit card scams, according to the Gartner report. The scam-fighting organization Anti-Phishing Working Group (APWG) estimates that the number of phishing scams grew by 50 percent in each of the first six months of 2004.
“Phishing is on the rise,” Gartner’s Avivah Litan, who conducted the survey, told Wired Magazine recently. He feels that global solutions must be sought – combining the efforts of consumers, ISPs, software makers and web site owners, something which will take a lot of time and resources. There is no real safety from phishing scams until consumers are educated and safety-conscious. Some of the technical solutions that would help immensely would be copy protection, or digital watermarking, of web sites to ensure authenticity, and digital signatures in all email communication from companies dealing with customer transactions and sensitive personal information. Standards have to be developed, and the technologies have to be implemented, which will take time and resources.
An American Thing?
In Norway, the problem is still unknown to most Internet users because the scams are largely directed towards the U.S. markets, and almost all scam e-mail messages are in English. But as more and more Norwegians shop online at international retail sites, they are increasingly susceptible to malevolent schemes. “This hasn’t really become a big problem for us yet, although we have warned our customers about international scams twice. So far, we haven’t seen any scams specifically targeting Norwegians,” Jacob Nodt, spokesman for Visa Norway told Computerworld recently.
Other countries have begun to see local variations on the theme; in Germany, customers of Postbank, the country’s largest retail bank, responded to an e-mail that claimed to be from the bank and led them to a fake Web page. They were tricked into providing their account numbers, personal identification numbers, and transaction codes – and the phishers got away with 21,000 euros of their money.
French and Spanish users have experienced similar things, and the problem is now growing all over the world. With growing internationalization of communication and information comes global crime – and targeted Norwegian scams are surely not far away. Some of us have already been exposed to the well-known Nigerian scam, or Advance Fee Fraud, you know how it goes:
You are offered $2.5 million from the Nigerian Petroleum Exploration Company, because they have $25 million they want to transfer abroad, but they can’t due to government regulations. So if you would be so kind as to send us your account information, we can use your account as a waystation, and you get 10 percent for your troubles. What happens, of course, is that your account gets emptied instead. This is only one of many. So how can you protect yourself from bad phishermen?
Distributed Crime
According to an APWG report, about a third of the web sites from which phishing attacks are launched are hosted in the United States. Another third is located in China, Korea or Taiwan, while the last third is distributed across the globe, with countries like Russia, UK, and Mexico hosting a significant number of phishing scams. The problem, like the Internet itself, is global, and has to be dealt with as such.
According to APWG, over a third of all phishing sites are hosted on hacked Web servers, without the owners knowing about them. This is consistent with the trend that there are clear connections between different kinds of Internet crime – spammers, virus makers and phishers work together, and the same people often run several kinds of criminal operations.
Protect Yourself
First of all: Be suspicious of any email with requests for personal financial information. Never give out information unless you are sure about who’s receiving it, and in what context. Serious, legitimate companies should have their e-mails digitally signed, and as a rule they should be sent to you personally, not as a bulk mailing.
- Don’t click on web links in email messages if you suspect foul play.
- Avoid filling out forms in email messages or on websites that ask for personal financial information, unless you trust the site and the company provides a secure web page. Any serious retailer should provide secure transactions. Avoid any that don’t.
- Install a browser toolbar that blocks out known phisher websites. A good free toolbar, the EarthLink Scamtracker, can be found at http://www.earthlink.net/earthlinktoolbar.
- Regularly check your online accounts, and check your financial statements regularly.
- Keep your browser up to date with the latest security patches.
Most importantly: Use common sense! People who get caught in the phisherman’s net have generally not followed basic safety precautions. And don’t ever get impressed by messages purporting to be a sure-fire way to quick riches. Like they say, there’s one born every day! Don’t be that one.