November 17, 2004 4:00 AM PST

Caught in a phishing trap

For Steve Krabill, a 33-year-old Oklahoma engineer, the answer to phishing scams is simple: Trust nobody.

Faced with an online test that presents him with 10 different e-mails, some of which are examples of phishing scams, his answer is to label every single one a fake. Three turn out to be the genuine article--but in the engineer's mind, he's passed the test either way.

"Companies I do business with online don't send me e-mails looking for my personal information, it's that easy," said Krabill, who works at Osborn Engineering, a Tulsa-based maker of metal recycling equipment. "I know that I'm not going to get scammed if I don't reply to any of them."

Phishing is one of the fastest-growing forms of personal fraud in the world. While consumers are the most obvious victims, the damage spreads far wider--hurting companies' finances and reputation and potentially undermining consumer confidence in the safety of e-commerce.

"Phishers hijack brands for the purpose of fraud and degrade consumers' trust in those brands. That's what makes phishing so different than other types of online threats," Kim Legelis, director of industry solutions at security software maker Symantec, said.

The scammers typically send out an e-mail that appears to come from a trusted company such as a bank or an e-commerce Web site. The phishing messages attempt to lure people to a bogus Web site, where they're asked to divulge sensitive personal information. The attackers can then use those details to steal money from the victims' accounts.

According to a report from online privacy watchdog Truste, 7 out of 10 people who go online have received phishing e-mails, and 15 percent of those have successfully been duped into providing personal information.

The financial services industry has borne the brunt of those scams, an Anti-Phishing Working Group survey found, with Citibank leading the list of companies targeted. Online businesses such as eBay's PayPal online payment subsidiary and Google's Gmail Web mail operation have also suffered.

"For many of these financial services companies, and undoubtedly for e-commerce providers, the Web is a very important channel for acquiring new business, growing revenue, and mitigating costs for customer service," Legelis said. "If consumers lose confidence in that channel, it will have a wide-ranging negative impact on these businesses."

Companies are paying a hefty amount to fix phishing damage. In many cases, they make good on their customers' losses. Money is also going to efforts to educate customers about fraud prevention, and the cost of polishing up a tarnished brand is hard to estimate.

The threat to business means that's money well spent. In a recent study by e-mail security company MailFrontier, 40 percent of American consumers surveyed said they would switch to a bank or credit card company that offers better protection from online identity theft. Ninety-four percent said it's the responsibility of their financial institution to shield them from phishing and similar scams, and 52 percent felt that their providers are not doing enough to safeguard their information.

The multiple problems caused by phishing do not have a simple solution. Some businesses hope education will lead to more wary customers like Krabill. Others are pinning their hopes on jointly looking for technical solutions, such as address-verification schemes and software filters to sort valid e-mail messages from scams.

Cooperation across the IT and e-commerce industries has led to a number of trade organizations being launched to combat phishing. One is the Anti-Phishing Working Group (APWG), made up of experts from a range


8 comments

People are the problem
Even the best of us can make a mistake, and these days you only need to make one to lose control of your identity. How many log into an account, but forget to log out when we leave the room? Would you open the email from a trusted friend, even though the email was infected? Can you even trust your bank?
What we need are computers that are taught not to trust people. Not anybody. A truly paranoid system can't be caught off guard, and will adapt faster to new tricks than humans.
If anyone can figure out how to do this, tell me how.
Posted by Marcus Westrup (630 comments )
Let the phishers continue
Like AOL users, people who trick out their civics, and business majors, this is yet another opportunity to weed out people from the gene pool.

Like the situations mentioned above, people who allow themselves to be scammed online should get the word stupid tattooed on their foreheads, sterilize them, and sterilize any children they have blundered into so far.
Posted by (242 comments )
AOL users
http://www.analogstereo.com/jeep_cherokee_owners_manual.htm
Posted by Ubber geek (325 comments )
GET BACK
What would happen if we all replied to the phishers with erroneous information? Wrong account number, wrong credit card number, wrong name, wrong tax ID number, wrong PIN. Eventually doing what spammers do to us, overload them. They won't be able to determine what's good and what's bad. They would be caught easier with them trying to use erroneous numbers. Right now they get some to answer with valid information and others don't answer. Flood them with more than they can handle and make them figure out what's good and what's bad, rather than us!
Posted by (2 comments )