Listen to the Computerworld TechCast: Phishing
In Shakespeare's Othello Iago says: "But he that filches from me my good name/Robs me of that which not enriches him/And makes me poor indeed." Unfortunately, technology and our ever-more-connected society now contradict the first assertion of that statement, because today, stealing another's good name can enrich the thief considerably.
Identity theft is the name of the game. If someone can get vital authentication information, that person may be able to access another's bank accounts, charge accounts or credit information. In 1998, Congress passed the Identity Theft and Assumption Deterrence Act, which made identity theft a federal crime subject to as many as 15 years in prison. Still, identity theft flourishes, and one easy and increasingly popular way of capturing personal data is called phishing.
Phishing isn't really new -- it's a type of scam that has been around for years and in fact predates computers. Malicious crackers did it over the phone for years and called it social engineering. What is new is its contemporary delivery vehicle -- spam and faked Web pages.
Phishing (sometimes called carding or brand spoofing) uses e-mail messages that purport to come from legitimate businesses that one might have dealings with -- banks such as Citibank; online organizations such as eBay and PayPal; Internet service providers such as AOL, MSN, Yahoo and EarthLink; online retailers such as Best Buy; and insurance agencies. The messages may look quite authentic, featuring corporate logos and formats similar to the ones used for legitimate messages. Typically, they ask for verification of certain information, such as account numbers and passwords, allegedly for auditing purposes. And because these e-mails look so official, up to 20% of unsuspecting recipients may respond to them, resulting in financial losses, identity theft and other fraudulent activity against them.
The Phishing Lure
Here's an example of how phishing works. On Nov. 17, 2003, many eBay Inc. customers received e-mail notifications that their accounts had been compromised and were being restricted. In the message was a hyperlink to what appeared to be an eBay Web page where they could re-register. The top of the page looked just like eBay's home page and incorporated all the eBay internal links. To re-register, the customers were told, they had to provide credit card data, ATM personal identification numbers, Social Security number, date of birth and their mother's maiden name. The problem was, eBay hadn't sent the original e-mail, and the Web page didn't belong to eBay -- it was a prime example of phishing.
In September 2003, the Federal Trade Commission reported that 9.9 million U.S. residents have been victims of identify theft during the past year, costing businesses and financial institutions $48 billion and consumers $5 billion in out-of-pocket expenses.
In an online interview in July with The Washington Post, J. Howard Beales, director of the FTC's Bureau of Consumer Protection, said ID theft is the No. 1 complaint his organization receives, accounting for 43% of calls.
According to the Anti-Phishing Working Group, an industry organization started by Redwood City, Calif.-based Tumbleweed Communications Corp., most major banks in the U.S., the U.K. and Australia have been misrepresented to customers during phishing attacks.
Cutting the Line
Even before phishing became so prevalent, legitimate businesses and financial institutions would hardly ever ask for personal information via e-mail. If you receive such a request, call the organization and ask if it's legitimate or check its legitimate Web site.
Look for misspellings and bad grammar. While an occasional typo can slip by any organization, more than one is a tip-off to beware.
If the e-mail refers you to a Web site, look carefully at the URL. It's easy to disguise a link to a site. Beware of the @ symbol in a URL. Most browsers will ignore all characters preceding the @ symbol, so this Web address -- http://email@example.com -- may look to the unsuspecting user like a page of Respected Company's site. But it actually takes visitors to thisisascam.com. The longer the URL, the easier it is to conceal the true destination address. Other ways to disguise URLs include substituting similar-looking characters, so that paypal.com could be (and has been) spoofed as paypaI.com or paypa1.com. Similarly, a zero can be substituted for the letter O within a URL.
Kay is a Computerworld contributing writer in Worcester, Mass. Contact him at firstname.lastname@example.org
See additional Computerworld QuickStudies