Inman

The dark side of the Web

If you’ve ever received an unsolicited e-mail that appeared to be from Citibank or PayPal and that asked you to update or verify an account, you’ve been targeted by the growing wave of “phishing” scams that transform spam from a minor annoyance into outright fraud.

Phishing occurs when fraudsters try to trick people into giving them personal financial data, such as credit card numbers, bank account information, passwords or Social Security numbers. Perpetrators use e-mail and fraudulent Web sites to fool victims into thinking their bank or another legitimate business is asking them to update account information.

Victims suffer from identity theft, credit-card fraud and financial losses.

Financial companies currently are the most targeted industry in phishing attacks, according to the Anti-Phishing Working Group, an industry association that aims to eliminate fraud associated with phishing and e-mail spoofs. Perpetrators mask themselves as banks or credit companies to try to trick recipients into giving up account information with those companies.

Experts say the schemes may grow to include all types of companies whose identities are hijacked for the purpose of tricking consumers. 

Rami Habal, senior project manager at Proofpoint, an anti-spam vendor, characterizes phishing as spam attacks that are pure fraud. All types of companies are vulnerable to phishers using their identities to defraud consumers.

“Every single company in the world faces this problem because as long as your domain is on the Internet, you’re a target,” Habal said.

The problem has grown, and continues to grow, in part because many of the attacks succeed in harvesting credit card and bank account information. Phishing has also increased because the technology used to generate spam has become more readily available.

The Anti-Phishing Working Group estimated that up to 5 percent of people who receive these spoof e-mails respond to them. The number of phishing attacks exploded 180 percent from 402, or 13 per day on average, in March to 1,125, or 37 per day on average, in April.

Phishing schemes have been around for nearly a decade, but the techniques perpetrators use are becoming more sophisticated, according to Ray Everett-Church, chief privacy officer of TurnTide, an anti-spam product vendor.

“The reality is that phishing is really very much a game of identity theft,” Everett-Church said. “First the phisher is stealing the identity of the corporation, then (the recipient’s) ID to destroy their credit or use their banking information.”

Part of the reason the volume of spam has increased is that phishing scammers are trying to extend the reach of their attacks by sending more e-mail messages to more people, he said. Some spam filters can detect phishing e-mails as spam, but the more mail they must filter, the harder the server has to work.

“Many folks end up having to turn off (spam) filters because they get so overloaded,” Everett-Church said.

Spammers and phishers know that if they increase the volume of sent mail, they increase their odds of getting through spam filters.

The typical phishing e-mail looks like it came from a legitimate company. The five most targeted companies currently are Citibank, eBay, PayPal, US Bank and Barclays, according to the Anti-Phishing Working Group. An e-mail purporting to come from Citibank, for example, would show an official-looking company address and the company logo within the body.

“The phisher will send an e-mail out claiming to be your bank, insurance company or credit-card company, and directing you to a Web site where you need to log in to an account,” Everett-Church said.

The Web page to which the e-mail recipient is directed will be a near-perfect replica of the legitimate Web site. In most cases, the spoof Web site is hosted by an Internet server in a foreign country, which makes it more difficult to track. Any data a victim enters into the falsified Web site lands directly in the fraudster’s database.
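The description above of a typical phishing message (a trusted brand in the sender's display name, an official-looking address, and a link to a look-alike site) suggests the kind of checks a mail filter can apply. The following Python script is an added example, not code from the original article or from any vendor named in it. It parses a constructed sample message and reports two mismatches: a sender whose display name claims a brand that does not own the sender's domain, and a link whose visible text names one host while its href points somewhere else. The brand-to-domain table and both sample messages are assumptions constructed for this example.

```python
"""Heuristic phishing indicator check over a constructed e-mail message.

Added example: flags the two mismatches implied by the article's description
of a typical phishing message.  All data below is constructed; no real
messages or real infrastructure are involved.
"""
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption for the example: which domains each brand legitimately owns.
KNOWN_BRAND_DOMAINS = {
    "citibank": {"citibank.com", "citi.com"},
    "paypal": {"paypal.com"},
}


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from <a> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def link_host(url_or_host):
    """Lower-cased host part of a URL or bare host string ('' if none)."""
    if "://" not in url_or_host:
        url_or_host = "http://" + url_or_host
    return (urlparse(url_or_host).hostname or "").lower()


def same_org(host, domains):
    """True if host is one of the domains or a subdomain of one of them."""
    return any(host == d or host.endswith("." + d) for d in domains)


def phishing_indicators(raw_message):
    """Return a list of indicator strings for a single-part HTML message."""
    msg = message_from_string(raw_message)
    display_name, sender_addr = parseaddr(msg.get("From", ""))
    sender_host = sender_addr.rsplit("@", 1)[-1].lower()
    indicators = []

    # Which brand (if any) does the display name claim to be?
    brand_domains = set()
    for brand, domains in KNOWN_BRAND_DOMAINS.items():
        if brand in display_name.lower():
            brand_domains |= domains
    if brand_domains and not same_org(sender_host, brand_domains):
        indicators.append(
            f"display name claims a brand but sender domain is {sender_host}")

    # Compare each link's visible text with where its href actually goes.
    collector = _LinkCollector()
    collector.feed(msg.get_payload())
    for href, text in collector.links:
        href_host = link_host(href)
        looks_like_host = "." in text and " " not in text
        text_host = link_host(text) if looks_like_host else ""
        if text_host and text_host != href_host:
            indicators.append(
                f"link text shows {text_host} but href goes to {href_host}")
        if brand_domains and not same_org(href_host, brand_domains):
            indicators.append(
                f"link to {href_host} outside the claimed brand's domains")
    return indicators


# Constructed sample: brand in the display name, sender and link elsewhere.
SAMPLE_PHISH = """\
From: "Citibank Customer Service" <service@citibank-verify.example>
To: customer@example.org
Subject: Please verify your account
Content-Type: text/html

<html><body><p>Dear customer, please visit
<a href="http://203.0.113.5/citi/login">www.citibank.com/verify</a>
within 24 hours.</p></body></html>
"""

# Constructed sample: sender and link both on the brand's own domain.
SAMPLE_LEGIT = """\
From: "Citibank Statements" <statements@citibank.com>
To: customer@example.org
Subject: Your statement
Content-Type: text/html

<html><body><p>Your statement is at
<a href="https://www.citibank.com/statements">www.citibank.com/statements</a>.</p>
</body></html>
"""

if __name__ == "__main__":
    for indicator in phishing_indicators(SAMPLE_PHISH):
        print("PHISH:", indicator)
    print("LEGIT indicators:", phishing_indicators(SAMPLE_LEGIT))
```

This is a heuristic, not an authentication check: it needs a maintained brand-to-domain table, and it says nothing about who actually sent the message. The article's point about filter load applies here too, since every message's HTML has to be parsed before any of these comparisons can be made.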

Most phishing attacks involve a large group of individuals, according to Lance James, chief security officer of Secure Science Corp., an online security company. One group may focus on creating the duplicate Web site and the e-mail message while another group may focus on sending the messages and another may concentrate on selling the captured credit-card numbers.

“It’s fraud. The speed of what they can do is the damaging part,” James said.

It’s difficult to catch phishers until they use the information they’ve gathered from victims, he added.

Secure Science Corp. tracks phishing attack patterns and can predict when some will strike next. The company in November released a paper that gave an in-depth look at a common scam that used Citibank’s identity to skim information from customers. 

“After our paper went out, the group we were tracking stopped,” James said.

He couldn’t comment on whether any phishing groups had been caught, but said investigations are ongoing.

***

Send tips or a Letter to the Editor to jessica@inman.com or call (510) 658-9252, ext. 133.