Internet Attackers on Phishing Expeditions

When asked to update your Citibank account online, or reverify personal info for PayPal, just say: "no!" Like spam though, this Internet scam only needs a few people to bite in order to pay for itself.

As I said in my 2004 Outlook column, our e-mail accounts are now filled with some recent advances in the field of "phishing." If you haven't been paying attention, the term refers to a particular type of Internet scam in which a user is tricked into giving up personal information, like bank account information.

According to Wordspy, the term phishing comes from the fact that attackers are "fishing" for data. Why "ph"? Wordspy says something about using sophisticated techniques. If that's where it comes from, it's a pretty lame etymology. According to an FTC advisory on the problem, the technique is also known as "carding." The FTC alert has some good guidelines for non-technical consumers.

Check out eWEEK Labs Tech Outlook 2004: A Look Ahead at Security for more views on the future of security.

In the past, phishing attacks usually appeared as e-mail from some legitimate company; Citibank and PayPal are frequent targets, for example. The e-mail usually says something to the effect that the company is reverifying account information and needs you to re-enter it. The e-mail will either have a link to a similarly fraudulent Web site or perhaps an HTML form directly in it.

Plenty of people fall for these e-mails, even though it's not hard for a more sophisticated user to see right through them. I found it easy to tell that the Citibank e-mail about my account was phony, since I'm not a Citibank customer. However, many people who receive such e-mails must assume that some mistake was made and chalk it up to mega-corporate incompetence.

I've received many such messages myself, and in almost every case, by the time I've received the e-mail, the corresponding Web site is already down. That's because the big companies that are targeted by these attacks are pretty good at contacting (threatening) the hosts of the offending pages and persuading them to take the page down.

At the same time, there are a few things you can look at for guidance if you suspect you're being phished. The first thing to look for is whether the message asks you to send personal information directly in e-mail. This is a really bad idea, although it's not actually proof that the requester is a scammer.

I once had a hosting account at Hostway and contacted technical support. The support person actually asked me in e-mail for my username and password. That was the moment that I decided to take my hosting business elsewhere.

If the message doesn't come from an address at the company it supposedly represents, that's also suspicious, but not dispositive. Sometimes real companies will hire third parties to send out bulk mailings for them. There are good ways and bad ways to handle this, of course, but it means you have to dig a little deeper.
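The three tells the column describes (a request for account details in the mail itself, a sender address that does not match the company being impersonated, and a link or HTML form pointing somewhere other than that company) can be checked mechanically. The following is an added example, not code from eWEEK or the column's author: a small triage script that parses a raw message with Python's standard `email` library and reports which of those indicators it finds. The brand-to-domain table and both sample messages are constructed for illustration; in practice the table would be maintained per organization.

```python
"""Heuristic phishing triage for a raw e-mail message (added example)."""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Brands the column mentions and the domains assumed to mail on their behalf.
# Constructed for this example; a real deployment would maintain its own list.
BRAND_DOMAINS = {
    "citibank": {"citibank.com", "citi.com"},
    "paypal": {"paypal.com"},
}

# Phrases that signal a request for credentials or account data in the mail body.
CREDENTIAL_WORDS = re.compile(
    r"\b(password|pin|social security|account number|credit card)\b", re.I)


class _LinkFormScanner(HTMLParser):
    """Collects <a href> targets and notes whether the body carries a <form>."""

    def __init__(self):
        super().__init__()
        self.links = []
        self.has_form = False

    def handle_starttag(self, tag, attrs):
        if tag == "form":
            self.has_form = True
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.links.append(value)


def _body_text(msg):
    """Concatenate the decoded text/plain and text/html parts of a message."""
    chunks = []
    for part in msg.walk():  # walk() yields the message itself when not multipart
        if part.get_content_type() in ("text/plain", "text/html"):
            payload = part.get_payload(decode=True)
            if payload:
                charset = part.get_content_charset() or "utf-8"
                chunks.append(payload.decode(charset, "replace"))
    return "\n".join(chunks)


def _belongs_to(host, brand):
    return any(host == d or host.endswith("." + d) for d in BRAND_DOMAINS[brand])


def phish_indicators(raw_message: str) -> list:
    """Return a list of human-readable indicators; an empty list means none found."""
    msg = message_from_string(raw_message)
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    body = _body_text(msg)
    haystack = (msg.get("Subject", "") + "\n" + body).lower()
    findings = []

    # Which brand does the message claim to speak for?
    claimed = [brand for brand in BRAND_DOMAINS if brand in haystack]

    # 1. Sender address not at the company it supposedly represents.
    for brand in claimed:
        if sender_domain not in BRAND_DOMAINS[brand]:
            findings.append(f"sender domain {sender_domain!r} is not a known {brand} domain")

    # 2. Personal information requested directly in e-mail.
    if CREDENTIAL_WORDS.search(haystack):
        findings.append("message asks for credentials or account details")

    # 3. HTML form in the message, or links leading away from the claimed brand.
    scanner = _LinkFormScanner()
    scanner.feed(body)
    if scanner.has_form:
        findings.append("message body contains an HTML form")
    for href in scanner.links:
        host = (urlparse(href).hostname or "").lower()
        for brand in claimed:
            if host and not _belongs_to(host, brand):
                findings.append(f"link to {host!r} does not belong to {brand}")
    return findings


# Constructed sample: the kind of "reverify your account" mail the column describes.
SAMPLE_PHISH = """\
From: Citibank Security <alerts@citibank-verify.example>
To: customer@example.org
Subject: Please reverify your Citibank account
Content-Type: text/html; charset=utf-8

<html><body>
<p>We are reverifying account information. Re-enter your account number
and password using the form below or visit
<a href="http://www.citibank.example/login">our secure site</a>.</p>
<form action="http://www.citibank.example/collect" method="post">
<input name="acct"><input name="pw" type="password"></form>
</body></html>
"""

# Constructed sample: an ordinary notification that should raise no indicator.
SAMPLE_LEGIT = """\
From: Citibank Alerts <alerts@citibank.com>
To: customer@example.org
Subject: Your monthly Citibank statement is ready
Content-Type: text/plain; charset=utf-8

Your statement is available at https://www.citibank.com/statements
"""

if __name__ == "__main__":
    for label, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(label, "->", phish_indicators(sample) or "no indicators")
```

The script deliberately reports indicators rather than a verdict: as the column notes, a mismatched sender domain or a request for details by e-mail is suspicious but not proof, so the output is meant to prompt a closer look, not to block mail on its own.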

Next: How to pick out the phish.