Thursday, August 12, 2004

New Internet threat: Phishing for your financial information

Internet Fraud: Phishers Want to Take Your Money
The scams usually begin with an e-mail telling you that you urgently
need to address some matter in one of your financial accounts. Here's
how to avoid becoming a victim.
Aug 11 2004
By David Kirkpatrick
Fortune.com


The Internet bad guys are after your wallet. You have up to now been
inconvenienced and annoyed by spam, but the fastest-growing online
threat, and probably a more pernicious one, is phishing. Suddenly it's
on the lips of almost everyone I talk to. And the phishers want to
take your money.

Phishing refers to scams that usually begin with an e-mail telling you
that you urgently need to address some matter in one of your financial
accounts. Most often you get an e-mail saying your Citibank account
needs updating or something like that, and if you don't correct the
data your account risks being frozen. Since Citi is so big, you
probably get e-mails about Citi accounts even if you don't have one.

If you follow the links in these mails you will be taken to a
fraudulent website that will attempt to get you to input critical
personal data—account and credit card numbers, Social Security
numbers, or passwords. Once the phishers have this data, they can take
your money. And they will.

Phishing attacks grew 52% in June over May, according to Tumbleweed
Communications, a company that sells software to secure and
authenticate Internet messages. It is working with The Anti-Phishing
Working Group to compile data about the growing scams. The phishers
use fake return e-mail addresses 92% of the time, so you can't trust
what it says in the sender line. In a separate report, the Gartner
research firm recently calculated that 57 million Americans were
exposed to phishing attacks in the last year—meaning they got e-mail
from phishers. But more worrisome is that 19% of the people who are
attacked click on URLs in the e-mails, Gartner found.

"We think this is going to hurt the most deep-pocketed and
undereducated group—50- to 70-year-old computer users—the baby boom,"
says David Moll, CEO of Webroot, a software company that is about to
launch a free anti-phishing software tool for consumers in September.
When he says "undereducated" he doesn't mean people who didn't attend
college, but rather people who are technically naive. The key fact is
that these are often the people with money. "The average scam today is
about $1,200," says Moll. "What happens when it's somebody's entire
401(k)?"

Moll says that there have been $1.2 billion in losses from phishing so
far, mostly in the last six months. The losses are being felt most by
financial institutions, since consumer liability—for instance, for
fraudulent use of credit cards—is often limited by law.

Webroot's strategy is to gain traction among consumers with its free
tool and then to become a supplier to the banks and investment
institutions who will soon want to offer anti-phishing software to
their customers.

The Pax World Fund, a socially and environmentally responsible mutual
fund, put out a release on Tuesday acknowledging that it had been the
victim of a phishing scam in June. The phishers hosted a look-alike
website that promised extra-high returns.

Pax suggests six steps consumers can take to reduce the risk of being
victimized by phishing:

1) Watch carefully for high-pressure e-mails urging you to divulge
personal financial information or to start making financial
transactions at a new website page.

2) Make sure you only conduct web transactions on a secure page, with
"https" in the address line. That "s" means secure. But Pax adds that
this check is not foolproof, because some con artists can fake such
security.

3) Watch for suspicious website addresses that are not the same ones
you've used before. If you have any doubt, close your browser, reopen
it and go to the address you've used in the past.

4) Review statements from financial institutions carefully to see if
there may be unauthorized trades or withdrawals.

5) Use the latest technology—keep your browser and operating system
software up to date. A special Windows patch that may help protect
against phishing is available at microsoft.com/security. Use
technology like Earthlink ScamBlocker, a free browser toolbar.
Webroot's tool is also likely to be useful, I'd say, and another
company called WholeSecurity claims to have a proven downloadable
toolbar that will be available next week. (This field is
hot—everything's happening all of a sudden.)

6) Report the problem by letting your financial institution know it
has been targeted.
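
Steps 2 and 3 can be written down as a check: "https" alone settles nothing, and what matters is whether the link's real host is exactly an address you have used before. This is an added example, not part of the article or of Pax's advice; the URLs are constructed under reserved example domains, and `assess_link` and `KNOWN_HOSTS` are hypothetical names.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample: the addresses this user has actually used before.
KNOWN_HOSTS = {"www.bank.example"}


def assess_link(url, known_hosts):
    """Return a list of warnings for `url`. An empty list means the link is
    https and its host exactly matches an address used before."""
    warnings = []
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".").lower()
    known = {h.lower() for h in known_hosts}

    if parts.scheme != "https":
        warnings.append("not https")
    if parts.username is not None:
        # Text before '@' is login info, not the site; the real host follows it.
        warnings.append("userinfo before host")
    try:
        ipaddress.ip_address(host)
        warnings.append("host is a raw IP address")
    except ValueError:
        pass  # host is a name, not an IP literal
    if host not in known:
        warnings.append("host is not one used before")
        # A familiar name inside a different host is a look-alike signal.
        if any(k in host for k in known):
            warnings.append("known name embedded in a different host")
    return warnings


if __name__ == "__main__":
    # Constructed sample links, as they might appear in an e-mail.
    for link in (
        "https://www.bank.example/login",
        "http://www.bank.example/login",
        "https://www.bank.example.account-update.test/login",
        "https://www.bank.example@198.51.100.7/login",
    ):
        print(link, "->", assess_link(link, KNOWN_HOSTS) or "ok")
```

The third sample passes the "https" test from step 2 and still fails step 3, which is why the exact-host comparison carries the weight.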

Moll of Webroot says that while it's a good idea to alert your
financial institutions, this in itself is becoming a huge headache for
many banks, credit card companies, and investment groups. Since
phishers indiscriminately send out spam in the name of financial firms
hoping to hit someone who actually has an account there, Moll says
some institutions are finding that half of all phishing complaints are
coming from people who aren't even their customers.

One of the scariest things that Moll told me is that phishers have now
developed something called "script injection." It enables them to
control just a portion of an otherwise legitimate website. So you
might be navigating around a legitimate website, but when you put your
info into a little window on the screen, that data may go to a
fraudster. Moll told me this in part because his upcoming software
will be able to detect and prevent this.

But there is not likely to be any permanent solution, he concedes.
"It's another arms race, like with the virus writers," he says.

Another promising weapon for fighting phishing fraud will be
authenticated e-mail like Tumbleweed's, or like the Mailblocks
software recently acquired by AOL. If senders have to authenticate
themselves before sending you mail, you will presumably stop getting
the lion's share of phishing-related e-mails. But so far the
percentage of people using such tools is minuscule. Authentication
means inconveniencing, at least briefly, those who send you mail. Many
of us have, at least up until now, been reluctant to do that.

But our attitudes may start changing quickly. This is serious stuff.
Identity theft has inconvenienced and hurt hundreds of thousands of
people. Estimates range from 200,000 to 700,000 Americans annually.
And the related impacts of phishing are numerous. For example,
credit-card numbers stolen in this way are increasingly being used to
defraud online merchants. And while it's known that organized crime is
hugely involved in phishing and online fraud, there is some evidence
that terrorists may be getting in on it, too.

Some are beginning to darkly suggest that with spam, viruses, and
phishing growing at such a rapid pace, the entire future of the
Internet as a common destination may be in jeopardy. The Web is now a
huge factor in modern life. If we can no longer have confidence in the
technologies we've come to trust, the entire economy could take a hit.
You're going to be hearing a lot more about phishing and online fraud.
