To restore your account
access, please take the following steps to ensure that your account has
not been compromised:". It continues with a link to a webpage, which
looks very similar to original web page of the bank.
The misleading web site
appears authentic with familiar graphics and logos. The wordings are
professional right down to the legal disclaimer at the bottom of the
If you happened to be
holding an account of the claimed bank, followed the instructions of the
email and input your account, pin, password, etc. you are doomed. You
just have handed over access to your account to a con artist, who, in a
matter of days, will drain off all the money available in that account.
This new scam, which is
proliferating in a very rapid pace, is called "Phishing". Phishing is a
form of identity theft, where a con artist with the help of official
looking email containing link to phony web pages capable of harvesting
information, tricks an unsuspecting victim into divulging sensitive
personal data. Scammers use these data to bilk victims out of their
One of the most common
phishing campaigns being waged has targeted users of Web auction giant
eBay and its PayPal division with financial services giant Citibank
serving as another popular target. However, recently, every major bank
has been hit with this scam. Crooks send out huge amounts of emails with
an expectation that some of these email address owners may have online
access to their accounts at the bank.
The term "Phishing" is
a deviation of the word "Fishing". In hackersí lexicon, in many words,
"F" becomes "Ph". The term derives from the fact that scammers use
sophisticated bait as they "fish" for usersí personal information.
According to Gartner, a
research firm, illegal access to checking accounts gained via phishing
has become into the fastest growing type of consumer theft in the United
States. Roughly 1.98 million people reported that their checking account
was breached in one way or another during the last year and US$ 2.4
billion were defrauded from the victims!
Gartner also estimated
that 57 million U.S. Internet users have received phishing emails and 3
percent of them may have fooled into revealing their personal sensitive
Working Group has also spotted a dramatic increase in reports of
phishing attacks in recent months. Since November, 2003 phishing scams
increase by about 110 percent each month. In April alone, the group
identified 1125 unique phishing scams, a sharp lift of 178 percent from
the previous month.
Message Labs, a company
that watches phishing scams closely, has noted an even more dramatic
increase in number of phishing emails. It claims to see phishing
messages jump from just 279 in September, 2003 to a staggering 215,643
in March of 2004.
The scammers also
started to use more sophisticated technologies in recent months. The
latest generation of phishing scammers uses several methods to trick
users, including pop-up graphics to mast the true web URL of the
phishing site and the installation of Spywares and Trojans on victimís
computer. The perpetrators also take advantage of security bugs in web
browsers, in which the URL in the address bar appears to be for one site
but is, in fact, a link to a totally different site.
A new Windows worm
under the name "Korgo" is able to infiltrate into victimís system with a
key logging Trojan, steal information that the victim input in web forms
and secretly transmit to designated server. There are a number of
variants of this worm and they are spreading rapidly. However, Microsoft
in April came up with a patch to seal this glitch. Many computers
without the patch are still vulnerable to this potentially dangerous
A U.S. Treasury report
provides consumers with steps to prevent and report phishing scams:
- Do not respond to or
open any e-mail that warns that an account is about to be closed.
Contact the company directly by phone and inquire of this e-mail.
- Do not submit
financial information unless there is a symbol for a locked padlock on
the browser's status bar. Also look for the https:// at the beginning
of the Web address. If both of these signs are absent, the Web site is
- Always review your
bank statement and credit card statements immediately upon receipt.
- Verify the domestic
telephone number listed on the Web site through directory assistance or
other reliable sources and call the number. Many phishing attacks have
originated outside the U.S. and don't have a domestic number.
- Report suspicious
activity or if you have been defrauded to the FTC and the FBI in the US
or the Fraud Squad in the UK or local Police station.
- Phishing e-mails can
be forwarded to firstname.lastname@example.org. Complaints can be filed at www.ftc.gov.
Phishing attacks can also be reported to the Internet Fraud Complaint
Center at www.ifccfbi.gov.
cautionary measures you should take in order to protect yourself are:
- Since most of the
phishing emails come through spam, get a spam filter and install on
- If you suspect a
phishing attempt, report immediately to the bank. Every bank web site
has a link or a toll-free number to report scams. Don't be ashamed if
you were tricked into divulging account information. If you report it
immediately, your account will be protected until you receive a new
- Change your password
and PINs regularly. Banks advise that you use separate PINs and
passwords for different accounts, that way if one gets compromised,
your entire financial life wonít be revealed. - If you are a frequent
user of EBay, download its Web browser toolbar, a small program that
runs with a user's Web browser. It flashes red when the user visits a
possible spoof site. The toolbar uses a database of spoof site URLs,
submitted by customers and is updated quite often.
- Check your computer
frequently for possible Trojan virus.