Anti-Phishing 101

Identity theft and fraud are, perhaps, the two most serious problems facing the Internet. Direct economic losses in the United States totaled over $574 million in 2004, according to the Federal Trade Commission. If not curbed, these crimes have the potential to make the Internet so untrustworthy that electronic commerce might slow considerably.

All the good things weve come to appreciate about the Internet are in danger of being taken away from us by international criminals. And technology is only a partial solution to protecting Internet users.

The "social engineering" nature of many of these attacks may be resisted by educated users who are unwilling to fall for scams perpetrated by criminals "phishing" for personal data. But the growing sophistication of the worlds criminals demands technology, banking, and law enforcement solutions as well.

It can be a perplexing problem. As Microsofts Jim Allchin told me recently at WinHEC about the phishing threat, "If someone wants to click on a link, can we stop them?"

Viruses, hackers and spyware can all be dealt with through mostly technological means. But how can technology help someone whos decided to click on a link that appears to be part of a message from his or her bank—but really isnt?

While e-mail and Web sites can be authenticated to help deal with the phishing problem, wide adoption of that technology—or even agreement as to what technology to use—has yet to be achieved. In the meantime, our best defense may be the educated user, who is also protected by the latest anti-virus, anti-spyware, firewall and privacy-protection software.

/zimages/5/28571.gifClick here to read more about the latest phishing strategy, in which infected systems are turned into DNS servers.

I am writing this column as an answer to the people who write me asking how to deal with phishing and identity theft issues. Some have asked for detailed advice, which I hope this column will provide. Please feel free to forward it to anyone who might benefit. You are welcome to print it, quote from it, link to it, anything that will help get the word out. All I ask is a credit for eWEEK.com.

Recently, I spoke with John Norman, who works for a company called the Advanced Systems Group, a Denver-based systems. He did an excellent presentation during an eSeminar I moderated last month that dealt with phishing and identity theft.

"Fraud and identity theft are not new," Norman told the seminar attendees. "But the Internet is making it accessible to more criminals."

He cited Federal Trade Commission statistics showing that 635,000 complaints were received from victims of ID theft and fraud during 2004. The average consumer spends 28 hours resolving an identity theft case, the FTC said.

Next Page: How to avoid getting phished: tips for self-protection.