Gone Phishing: How Spammers & Scammers Set the Bait, Switch the Trap

by Martin England

Inside the belly of Internet fraud exists a new monster, one which preys on people’s fear of identity theft to lure its victims. In an age where personal information is readily stolen and used maliciously, phishing is the latest and greatest threat facing Internet users who employ the worldwide web for online banking, bill paying, or simply to place a bid at an online auction.
According to a web definition listed on Google.com, phishing (pronounced “fishing”) is “an attack where a fraudster spams the Internet with e-mail claiming to be from a reputable financial institution or e-commerce site. The e-mail message urges the recipient to click on a link to update their personal profile or to carry out some transaction. The link takes the victim to a fake website designed to look like the real thing. However, any personal or financial information entered is routed directly to the spammer.”

Case in point: since 2003, several rounds of similar spam have been unleashed on unsuspecting eBay users (and some non-users as well), asking them to update their eBay credit card information. This spam is pushed through in large volumes, thereby increasing the likelihood that at least a percentage of the recipients have credit card numbers associated with eBay. Because it is relatively easy to create websites that look eerily similar to the original, users are tricked into thinking the website is legitimate. Even in an age of advanced technology, people still tend to believe what they see. (Source: Webopedia.com)

Phishing is not limited to the Internet. Other scams involve fraudulent credit card companies who call card holders at their residences, telling them that their credit card has been compromised, and that several purchases have been made on the card. The caller then asks if the card holder authorized the purchases, and once the card holder says no, the caller continues and states that their account will be credited on their next statement. The caller will then ask the card holder to verify the three-digit security number on the back of the card (they never ask for the card number itself; they already have this information). Once given, the caller will say something like “That is correct. I just needed to verify that the card has not been lost or stolen, and that you still have your card. Do you have any other questions? Don’t hesitate to call back if you do.” The real phishing begins once this information is secured, for these are the numbers Internet companies often ask for to ensure the person purchasing goods or services is indeed in possession of the card. The fraudulent credit card company will then charge the card every three days, usually at an amount under $500, which is just under the flag limit for most credit card companies. By the time the card holder receives their statement and looks for the so-called credit, it is usually too late to file a fraud report. (Source: Urbanlegends.about.com)

Avoiding the Worm
Minimizing identity theft risk requires energy, but is well worth the effort. Here are some suggestions provided by the Federal Trade Commission (available in detail at www.ftc.gov) to avoid getting duped by a phishing scam:

• If you get an e-mail or pop-up message that asks for personal or financial information, do not reply. And don’t click on the link in the message, either.

• Use anti-virus software and a firewall, and keep them up to date.

• Do not e-mail personal or financial information.

• Review credit card and bank account statements as soon as you receive them to check for unauthorized charges.

• Be cautious about opening any attachment or downloading any files from e-mails you receive, regardless of who sent them.

• Forward spam that is phishing for information to spam@uce.gov and to the company, bank, or organization impersonated in the phishing e-mail.

• If you believe you have been scammed, file your complaint at ftc.gov, and then visit the FTC’s Identity Theft website at www.consumer.gov/idtheft.

Other Resources
• The New Hampshire Better Business Bureau has an Identity Theft Quiz on their website: www.ftc.gov/bcp/conline/pubs/alerts/phishingalrt.htm. This quiz will give visitors a decent idea where they stand in relation to information security practices.

• www.stopidentitythefttoday.com is a great website with a myriad of safe practices and ways to avoid identity theft.

• http://www.antiphishing.org contains a phishing report mechanism, and protects businesses and users alike.

• Microsoft.com also has information on identity theft prevention: www.microsoft.com/athome/security/email/phishing.mspx

• Yet another great article on phishing exists at: www.honeynet.org/papers/phishing.


-Published in October 2005

Signals
CIS Training & Publications
Hewitt Annex
54 College Rd
Durham, NH 03824
Phone: 862.4242
Email: signals@unh.edu

Copyright © 2002 Computing & Information Services
University of New Hampshire
Durham, NH 03824

Last Updated: Friday, September 23, 2005