Something Smells Phishy...

2004-05-12
Reprinted from Triangle Technical Journal

You're checking your email and amongst the various offers to help you get rich in a month, lose 30 pounds in a week, and enlarge your assets — there's one from your bank, Citibank to be exact. And it reads something like this:
…This email was sent by the Citibank server to verify your email address. You must complete this process by clicking on the link below and entering in the small window your Citibank ATM/Debit card number and PIN that you use at the ATM…
So you click on the Web link and are taken to what appears to be the Citibank Web site — and being Web savvy, you even verify that the Web address in the address bar of your browser is Citibank's. Secure in its authenticity, you enter your ATM card number and PIN. And you have just been scammed — Phish On!

That's right — you have just “given” your personal authentication information to a professional cyber criminal who is now happily skipping down identity theft lane. And you aren't alone — the Federal Trade Commission reported that 9.9 million US residents have been victims of identity theft during 2003, costing businesses and financial institutions $48 billion and consumers $5 billion in out-of-pocket expenses.

Phishing, also referred to as brand spoofing or carding, is a variation on “fishing,” the idea being that bait is thrown out with the hopes that while most will ignore the bait, some will be tempted into biting. The scam uses email messages that appear to come from legitimate businesses that one might have dealings with — banks such as Citibank and Wells Fargo; online organizations such as eBay and PayPal; Internet service providers such as AOL, MSN, Yahoo, and Earthlink; and insurance agencies. The messages look authentic and include corporate logos and formats similar to the ones used for legitimate messages. And as we've seen, they ask for verification of certain information, such as account numbers and passwords. And because these emails look so official, up to 20% of the recipients may respond to them.

Phishing attacks worldwide soared 60 percent in February 2004, with 282 different attacks reported in February compared with 176 in January, according to the Anti-Phishing Working Group.

So who are some of the lures? Financial services is the most targeted industry with most major banks in the US, the UK, and Australia having already been misrepresented to customers during phishing attacks. Most recently, Wells Fargo was the victim of two phishing attacks — where customers were sent emails alerting them that they have important email in the bank's online system and in order to access it, they must click on a link and enter personal information about their accounts. With 104 separate phishing attacks, eBay was the most common single target of phishing in February, followed by Citibank and PayPal.

To avoid getting hooked by a phisher, the FTC, the nation's consumer protection agency, offers this guidance:

  • If you receive an email that warns you, with little or no notice, that an account of yours will be shut down unless you reconfirm your billing information, do not reply or click on the link in the email. Instead, contact the company cited in the email by phone.
  • Avoid emailing personal and financial information. Before submitting financial information through a Web site, look for the “lock” icon on the browser's status bar. It signals that your information is secure during transmission.
  • Review credit card and bank account statements as soon as you receive them to determine whether there are any unauthorized charges. If your statement is late by more than a couple of days, call your credit card company or bank to confirm your billing address and account balances.
  • Customers who think that they might have been victimized should call their credit card company or bank and report it to protect their accounts. Wells Fargo, for example, guarantees accounts against loss from fraud if reported.
  • Report suspicious activity to the FTC. Send the actual spam to uce@ftc.gov. If you believe you have been scammed, file your complaint at www.ftc.gov, and then visit the FTC's Identity Theft Web site (www.ftc.gov/idtheft) to learn how to minimize your risk of damage from identity theft.
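The guidance above is aimed at people reading their mail by eye. The same tells can be checked mechanically before a message ever reaches an inbox: does the visible link text name one site while the link actually goes to another, does the link leave the brand's own domain, does the link's domain disagree with the sender's, and does the message ask for a PIN or card number. The script below is an added illustration, not part of the original article or of any bank's or the FTC's tooling. It runs over a constructed sample lure modelled on the Citibank text quoted earlier; the host `verify-account.example` is a placeholder, the allow-list of expected domains and the "last two labels" domain heuristic are assumptions, and a production filter would use the public suffix list instead.

```python
"""Flag the phishing tells named in the FTC guidance in an email body (added example)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample lure, modelled on the Citibank text quoted in the article.
# "verify-account.example" is a placeholder host, not a real site.
SAMPLE_LURE = {
    "from": "Citibank <verify@citibank.com>",
    "html": (
        "<p>This email was sent by the Citibank server to verify your email address.</p>"
        '<p>Click <a href="http://citibank.verify-account.example/login">'
        "https://www.citibank.com/verify</a> and enter your ATM/Debit card number "
        "and PIN in the small window.</p>"
    ),
}

# Constructed benign message for comparison: link and sender agree, nothing requested.
CLEAN_MESSAGE = {
    "from": "Citibank <news@citibank.com>",
    "html": '<p>See <a href="https://www.citibank.com/">online banking</a> for details.</p>',
}

# Domains the bank is assumed to send from and link to (assumed allow-list).
EXPECTED_DOMAINS = {"citibank.com"}

# Things a reputable company will not ask for through email (per the article).
CREDENTIAL_WORDS = re.compile(r"\b(PIN|password|card number|account number)\b", re.I)


class BodyParser(HTMLParser):
    """Collects every anchor as (href, visible text) plus the body's plain text."""

    def __init__(self):
        super().__init__()
        self.links = []
        self.text = []
        self._anchor = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._anchor = [dict(attrs).get("href", ""), ""]

    def handle_data(self, data):
        self.text.append(data)
        if self._anchor is not None:
            self._anchor[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._anchor is not None:
            self.links.append(tuple(self._anchor))
            self._anchor = None


def registrable_domain(host):
    """Last two labels of a hostname (assumed heuristic; real tools use the public suffix list)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def host_of(url):
    """Hostname of an absolute http(s) URL, or '' if the string is not one."""
    parsed = urlparse(url.strip())
    if parsed.scheme not in ("http", "https"):
        return ""
    return parsed.hostname or ""


def phishing_indicators(message):
    """Return human-readable reasons the message looks like a phish (empty list if none)."""
    parser = BodyParser()
    parser.feed(message["html"])
    findings = []
    sender = re.search(r"@([\w.-]+)", message["from"])
    sender_domain = registrable_domain(sender.group(1)) if sender else ""
    for href, shown in parser.links:
        target_host = host_of(href)
        target = registrable_domain(target_host) if target_host else ""
        displayed = host_of(shown)
        # The visible text reads as one site while the link goes somewhere else.
        if displayed and registrable_domain(displayed) != target:
            findings.append(f"link text shows {displayed} but points to {target or href}")
        # A brand name in a subdomain does not make the registrable domain legitimate.
        if target and target not in EXPECTED_DOMAINS:
            findings.append(f"link target {target} is not an expected domain")
        if target and sender_domain and target != sender_domain:
            findings.append(f"sender claims {sender_domain} but link goes to {target}")
    body = " ".join(parser.text)
    if parser.links and CREDENTIAL_WORDS.search(body):
        findings.append("message asks for credentials via a link")
    return findings


if __name__ == "__main__":
    for name, msg in (("lure", SAMPLE_LURE), ("clean", CLEAN_MESSAGE)):
        print(name, phishing_indicators(msg) or ["no indicators"])
```

The sample lure trips all four checks, while the benign message trips none. Note that none of these checks depends on the browser's address bar, which the opening story shows can be misleading; the decision is made on the message itself, before anything is clicked.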

In the end, you should be suspicious of any email that asks you to verify confidential information. The idea is for each of us to be cynical and ask: “Why would my bank/retailer/ISP/insurance company/etc. be sending me this email?” The truth of the matter is that no reputable company will blindly ask for account information through email or phone. Our most potent weapon against phishing scams is to be educated customers.