NEW YORK (CNN/Money) -
Someday soon, if it hasn't happened already, you'll open an e-mail from eBay (or Citibank or Visa or another merchant or financial institution) informing you that your account has a problem. It will ask you to visit the company's Web site to straighten it out.
You hit a link to what you think is the company Web site and fill out requested forms.
But you didn't solve a small problem, you helped create a big one. You just got "phished," then "spoofed," and will soon be taken to the cleaners.
You never landed on the company Web site, though it sure looked like it. You went to a fake one where you gave personal information to a crook who will obtain credit cards and write checks in your name, try to bust out your bank accounts, ruin your credit rating, and make your life hell.
Phishing is any mass e-mailing or pop-up angled at tricking recipients into hitting false links that land them at fake Web sites.
Spoofing is the counterfeiting of legitimate Web pages or logos to fool victims into thinking they're dealing with a legitimate company on its Web site.
Criminals phish for victims with e-mails and lure the unwary ones to spoofed Web sites where they reel them in.
"It's a very serious problem," says Dan Maier, spokesman for the Anti-Phishing Working Group (APWG). The APWG reported nearly 1,200 unique phishing attacks in May, 2004; some hit as many as 8 million people.
It's also growing, explosively; an April 2004 Gartner Research survey found an estimated 57 million Americans think they have received phish-mail. Some 1.8 million people gave up confidential information to the phishers and more than half of these suffered identity-theft fraud, amounting to more than $1.2 billion in losses.
Teach a man to phish...
Phishers and spoofers have "gotten really good," says Maier. That makes them more likely to succeed in their primary goal: to scare the pants off their recipients and excite them into doing something foolish.
Here's an example of a fresh phish sent out in late June gleaned from the Web site of the APWG, which maintains an archive:
"We regret to inform you, that we had to block your Wells Fargo account because . . . [it] may have been compromised by outside parties. We have noticed some activity . . . that indicates that other parties may have access and or control of your information in your account . . . verify your identity by clicking on the link . . . Until we can verify your identity, no further access to your account will be allowed."
Spoofed Web sites are also more sophisticated. "Not only do they look genuine, but they can now hide Web addresses," said Maier. "That used to be the last resort, to look at the Web address and make sure it was right."
Phishing is cheap enough that cybercriminals can use a scattershot approach, sending out huge schools of phish. Most consumers who receive them have no business relationship with the companies they purportedly come from. Only a fraction of phishes have to hit actual, say, eBay customers, and a minuscule percentage of these recipients have to take the bait, to make it worth doing.
Don't get hooked
Pete Brust, head of the cyber-crime section of the FBI, advises:
- Be suspicious of all unsolicited e-mails. Never give out any personal information -- social security and driver's license numbers, bank accounts, anything -- in response to an e-mail.
- Never follow links provided in e-mails. Even if you really think the e-mail is genuine, make a habit of typing in the company's address in the address bar yourself or use your bookmarks or favorites list. That way you won't wind up on spoofed Web pages.
- If you receive a suspicious e-mail, call the company's customer service department directly. Find the phone number independently by calling information or making sure you get it from the real Web site. Don't give up any information before you confirm the need to do so.
- Check credit reports quarterly. If your identity has been stolen -- by any method -- and new accounts opened in your name, it will show up there.
- Review bank records often. Look for any unexpected charges or changes.