Tuesday, June 29, 2004

Scam perpetrated by spam

Bogus e-mails ask for account information

By Justin Fenton
Enquirer staff writer

"Dear U.S. Bank account holder, We want your online experience to be enjoyable and worry-free."

That's how the e-mail begins, before asking the recipient to pass on personal information lest the account be suspended.

By the time users have filled in their ATM card numbers and expiration dates, PINs and Social Security numbers, that information is in the hands of Internet con artists.

How it works

• The scammer sends out a mass e-mail telling the recipient that account information must be updated because it has changed or is incomplete, often adding that the account will be suspended otherwise.

• A link in the e-mail directs the customer to a Web page built to look like the company's real site. The pages often carry the corporate logos and the appropriate corporate colors.

• The fake page asks for personal financial information, such as checking and savings account numbers, check card and ATM card numbers, PINs or Social Security numbers.

(Accompanying images, not reproduced here, showed sample information requests sent by Internet scammers.)

Fighting phishing

This month, Cincinnati's Better Business Bureau, Call for Action, the Federal Trade Commission and Visa USA announced a joint campaign to warn consumers about phishing scams. Some of their tips:

• Treat unsolicited e-mail requests for financial information or other personal data with suspicion.

• Enter personal information on only a secure Web site that you know to be legitimate.

• When entering personal data at a Web site, look for a "locked padlock" in the browser's status bar or "https" at the beginning of the Web site address. Keep in mind that the padlock and "https" only show the connection is encrypted; they do not prove who runs the site, and a phisher can serve a fake page over "https" too. Check that the address shown is the company's own domain, not merely one that contains the company's name.

• Contact the business that apparently sent the e-mail to verify their request for information.

• Update anti-virus software and apply security patches to system software regularly: Phishing e-mails can carry viruses that may harm your computer if opened.

• Check your monthly bank statements to verify all transactions. Notify your bank immediately of any erroneous or suspicious transactions.

• Forward suspicious e-mails to the Federal Trade Commission at uce@ftc.gov or file a complaint with the FTC at www.ftc.gov.

• Use browser toolbars that detect fake Web sites, such as SpoofStick, SpoofGuard, the eBay Toolbar or EarthLink's ScamBlocker.

• Check out the Anti-Phishing Working Group's archive of scams, with detailed breakdowns of what they are and what makes them fakes: www.antiphishing.org

Source: Enquirer research

This kind of e-mail scam - known as "phishing" - is becoming more and more prevalent, with Internet swindlers using the names of major companies such as eBay, PayPal, Microsoft, Earthlink, AOL, Citibank and nearly a dozen other major banks in an attempt to snatch private information.

And the sophistication of phish e-mails also is increasing - they feature company logos and links, without the mangled grammar and spelling that signaled scams in the past.

The surprisingly large number of victims - nearly 2 million - has banks and other e-commerce companies scrambling to educate consumers about the dangers of sending personal information over the Internet while maintaining the security of their own, legitimate Web sites.

"When you see the (logos) and the masthead you're familiar with, and the colors you're familiar with, you feel perfectly comfortable," said Jocile Ehrlich, president of the Cincinnati Better Business Bureau. "And you shouldn't.

"It comes across just as well done as any of the best Web sites, and that's why it's so easy to fall for them."

Recent reports indicate phishing grew by more than 180 percent between March and April alone, according to the Anti-Phishing Working Group, an industry association.

In the past year, 20 percent of Internet users clicked on a phish e-mail, with nearly 2 million sending private information, according to Gartner Inc., a Connecticut-based research and analysis company.

The cost to companies whose names are used in such scams: a whopping $2.4 billion in 2003, according to Gartner. That is largely because banks usually refund the money customers lose after handing over their account numbers.

"We've seen a tremendous increase in the professionalism of these attacks in the past nine months," said Dan Maier, director of product marketing at Tumbleweed Communications and a spokesman for the Anti-Phishing Working Group. "It used to be amateur hour - you could tell a fake very easily. The grammar was poor, the branding didn't match the company it was spoofing.

New breed of swindling

"But we've started to see quite a bit of extremely professional e-mails that look plausible in every regard," he said, adding that even the Anti-Phishing Working Group has had to dig deep into a Web page's coding to determine the authenticity.

Phishing is a relatively new breed of Internet-based swindling. Departing from traditional scams such as the tearful pleas for financial assistance from Nigerian businessmen, these e-mails are straightforward and formulaic, just like the notices a giant corporation with millions of customers might send out.

The e-mail carries a forged sender address that appears to belong to the company and links to a credible-looking Web site, telling the customer that account information has been lost or is out of date and must be updated.

"Some are very slick, posing with identical layouts to the customer service pages at the real Web sites," said Geoff Gulley, a 39-year-old disc jockey and producer from Northside who said he has received 10 scam e-mails in the past two months, including two that appeared to be from Citibank.

"I'm not a Citibank customer, and the e-mail is just a regular text e-mail that has incredibly poor English and dozens of misspelled words," he said. "It's quite humorous."

Others are less obvious. Cheviot resident Valerie Thinnes said she has received invoices from Internet service provider Earthlink asking her to update her account for billing purposes. Thinnes, 44, is an Earthlink user, and the e-mails seemed to come from Earthlink.

But Thinnes said she passed the e-mails on to Earthlink, which confirmed the message had not come from them.

"People need to think before just responding to e-mails," she said. "It is not safe to send any information like that in an e-mail."

That's the message Jeff Lyttle of Bank One, another bank whose name is used in such scams, has for Internet banking customers: it doesn't matter who the e-mail appears to come from or how real the site looks. What matters is what it asks for.

"Whether it's Bank One or any other bank, they would not be seeking your personal account information in the manner in which these thieves are trying to get it," he said.

Among the technical tricks phishers employ are forging the sender address so the e-mail appears to come from the company, and disguising where a link really leads or concealing the browser's address bar, so that while "www.ebay.com" appears to be loading in the Web browser, another site is actually being called up.
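The link tricks described here and in the "How it works" steps above can be checked mechanically, which is what the anti-phishing toolbars mentioned earlier do. The following JavaScript is an added example written for this page, not code from the Enquirer, the Anti-Phishing Working Group or any toolbar vendor. It assumes a hypothetical allow-list of two legitimate hosts, approximates the registrable domain as the last two labels of a hostname, and runs over constructed sample links. It compares the host a link's text shows the reader with the host the link really connects to, and flags the "userinfo" trick in which http://www.ebay.com@10.1.2.3/ connects to 10.1.2.3, not to eBay.

```javascript
// Added example, not code from the article or any toolbar vendor: classify
// a link in an e-mail by comparing the host the reader sees with the host
// the link actually connects to, flagging the URL tricks phishers rely on.

// Assumption: hosts the e-mail claims to belong to (a hypothetical allow-list).
const TRUSTED_HOSTS = new Set(['www.ebay.com', 'www.usbank.com']);

// Registrable domain, approximated as the last two labels. Production code
// would consult the Public Suffix List; the shortcut is an assumption here.
function baseDomain(hostname) {
  const labels = hostname.toLowerCase().split('.').filter(Boolean);
  return labels.slice(-2).join('.');
}

// Host an http(s) URL really connects to, or null if it is not such a URL.
// new URL('http://www.ebay.com@10.1.2.3/').hostname is '10.1.2.3': everything
// before '@' is userinfo, which is how a company's name can sit in a link
// that goes somewhere else entirely.
function realHost(href) {
  try {
    const u = new URL(href);
    if (u.protocol !== 'http:' && u.protocol !== 'https:') return null;
    return u.hostname.toLowerCase();
  } catch (e) {
    return null; // not a URL at all ('Click here', 'Update your account')
  }
}

// If the visible link text is itself a URL or bare hostname, return that host.
function visibleHost(text) {
  const t = text.trim();
  const host = realHost(/^[a-z][a-z0-9+.-]*:\/\//i.test(t) ? t : 'http://' + t);
  return host !== null && host.includes('.') ? host : null;
}

// Verdict for one link: 'trusted', 'suspicious' or 'unparseable', with reasons.
function classifyLink(text, href) {
  const host = realHost(href);
  if (host === null) return { verdict: 'unparseable', reasons: ['not an http(s) URL'] };
  const u = new URL(href);
  const reasons = [];
  if (u.username !== '' || u.password !== '') {
    reasons.push('userinfo before @ hides the real host');
  }
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(host)) {
    reasons.push('link goes to a raw IP address');
  }
  const shown = visibleHost(text);
  if (shown !== null && baseDomain(shown) !== baseDomain(host)) {
    reasons.push(`text shows ${shown} but link goes to ${host}`);
  }
  if (!TRUSTED_HOSTS.has(host)) {
    const borrowed = [...TRUSTED_HOSTS].map(baseDomain).find((d) => host.includes(d));
    reasons.push(borrowed
      ? `trusted name ${borrowed} embedded in untrusted host ${host}`
      : `host ${host} is not on the allow-list`);
  }
  return { verdict: reasons.length === 0 ? 'trusted' : 'suspicious', reasons };
}

// Constructed sample links, like those in a mail that borrows eBay's name.
const SAMPLE_LINKS = [
  ['http://www.ebay.com/signin', 'https://www.ebay.com/signin'],
  ['http://www.ebay.com/', 'http://www.ebay.com@10.1.2.3/cgi-bin/signin'],
  ['Update your account', 'http://www.ebay.com.evil.example/update'],
  ['Click here', 'https://10.1.2.3/ebay/'],
];

function classifyAll(links) {
  return links.map(([text, href]) => ({ href, ...classifyLink(text, href) }));
}

for (const r of classifyAll(SAMPLE_LINKS)) {
  console.log(`${r.verdict.padEnd(10)} ${r.href}  ${r.reasons.join('; ')}`);
}
```

Run it with node. Only the first sample link comes back "trusted"; the other three are flagged for the userinfo trick, for a raw IP address, or for burying "ebay.com" inside a host the company does not own. Note that the scheme is never consulted: the last two sample links could just as easily be served over "https", so the padlock tip above does not help against them, and only the hostname matters.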

Hard to track down

Maier said there is little a company can do to keep the content of its site from being copied. Other than conducting informational campaigns and contacting authorities, companies are relatively helpless, since a phishing attack never touches the company's actual Web site.

"They aren't hacking into our site, and they are not accessing any information," said U.S. Bank spokesman Steve Dale. "Unfortunately, it's individuals who unknowingly give the information out."

Law enforcement agencies also have difficulty tracking down offenders. Consumers rarely realize they've been taken until after they receive their monthly statements, and the fake Web sites are often taken down after a few hours or hosted on Web servers that have themselves been compromised.

For now, phishers mostly impersonate large companies. But about two-thirds of the Cincinnati Better Business Bureau's 3,500 members incorporate the Internet into their business operations, said Ehrlich, and smaller businesses must be wary.

"Any business that does e-commerce is at risk of having their Web site targeted for a phishing expedition," she said.

And while corporations are stepping up to combat phishing, expect phishers to keep finding new tricks.

"I think that hackers have stepped up their game, and the banks are tracking behind them," said Maier. "It's a continual game of cat and mouse."

Consumers who think they have received a phishing e-mail can contact the Federal Trade Commission at uce@ftc.gov, the Anti-Phishing Working Group at reportphishing@antiphishing.org or the company the e-mail claims to be from.


E-mail jfenton@enquirer.com