It may look like an e-mail from eBay, or PayPal, or Earthlink. It may sound like a simple request: fill in a form because the firm wants to update your personal information. But such e-mails are often cleverly disguised scams from computer criminals trying to steal your credit card number and other financial data. More and more, people are falling for the trick, authorities say. It’s a disturbing kind of identity theft — with victims just handing over their private information to the criminals.
The e-mail may have a few corporate logos and links back to the real company site. It may even urge recipients to click on a link which looks authentic. But the link really sends the victim to a criminal’s Web page, and a few clicks later, the victim’s personal data has slipped into the hands of an identity thief.
It’s called “phishing,” and while it’s been around for years, authorities say there’s been a huge spike in these crimes of late, so large a spike that it’s drawn the attention of federal authorities. The FBI, Federal Trade Commission, the National Consumers League and Earthlink held a joint press conference in Washington on Monday to call attention to the problem.
“This is the hot new fad amongst online con artists trying to pry money out of people’s wallets,” said FBI spokesman Bill Murray. “The first line of defense is with the consumer. The consumer has to be savvy.”
The FTC used the occasion to announce its first legal action against a “phisher” who sent an e-mail recently that appeared to be from America Online’s billing department. The suspect’s name was withheld because he was a minor, but settlement terms will bar him from sending out spam and force him to surrender about $3,500 he made through the scam.
“Phishing is a two-time scam,” said FTC chairman Timothy J. Muris. “Phishers first steal a company’s identity and then use it to victimize consumers by stealing their credit identities. This is the FTC’s first law enforcement action targeting phishing. It won’t be the last.”
Earthlink, too, said it had taken legal action, filing a lawsuit against an alleged phisher site spammer. But Earthlink spokeswoman Carla Shaw said today’s announcement was primarily to call attention to the problem.
“Most of all, we want consumers to be suspicious,” she said.
Identity theft is the fastest-growing white collar crime in the United States, according to Attorney General John Ashcroft. And e-mail harvesting seems to be a dangerously successful tool for identity thieves.
Criminals who send out such notes boast that hundreds of consumers fall for them each time. One who contacted MSNBC.com recently claimed that he always had a ready source of hacked eBay accounts thanks to such “phisher” e-mails.
Phisher e-mails can appear quite convincing. One note sent around the Internet last week purporting to be from eBay included a company logo on top, and even a “TrustE” logo on the bottom — which normally indicates the company that sent the e-mail has pledged to protect consumers’ privacy. But the e-mail was really from a criminal, who boldly asked for everything from eBay user name and password, to checking account information, to mother’s maiden name and ATM PIN. Like many such notes, the e-mail contains a threat designed to trick consumers into entering their information.
“We regret to inform you that your eBay account will be suspended,” the e-mail says. “According to our site policy you will have to confirm that you are the real owner of the eBay account by completing the following form or else your account will be deleted.”
Another phisher e-mail that began circulating this weekend claims to be from MSN.
“We regret to inform you that technical difficulties arose with our July 2003 updates. Unfortunately part of our customer database, and backup system became inactive,” it says. With an added touch of authenticity, it offers a toll-free telephone number in addition to a Web link, but includes a strong nudge toward clicking on the link to the scam Web site. “We will require you to enter your information in our online billing center at your convenience. Or by calling our customer support team (1-877-676-3678). The average hold time is 45 minutes.”
Consumers who receive such an e-mail shouldn’t reply to it, authorities said, since legitimate companies don’t usually ask for that kind of personal financial data via e-mail.
Consumers should be particularly wary of e-mails that urge them to click on a link to a Web page that asks for financial information. Links appearing in HTML-based e-mails cannot be trusted — programmers can easily make a link to a criminal’s page appear to be a harmless link to a site like eBay.com or PayPal.com.
If there are account questions, consumers should either call the company or start with a clean Web browser and type in a known company address.
More tips on how to avoid falling for a phisher scam can be found on the Federal Trade Commission’s Web site.