
Special Report: Phishing for trouble


Internet scammers have a new bait to help catch unsuspecting victims. It's called phishing.

Phishing is a new Internet scam designed to trick people into giving up their credit card numbers, account information, passwords or other personal information over the Web.

Experts say phishing scams are on the rise because of a vulnerability recently discovered in Microsoft's Internet Explorer browser allowing scammers to send an e-mail with a link to a phony web site.

When phishing, scammers send out e-mails or pop-up messages that claim to be from a business or organization you regularly do business with.

The messages say you need to validate or update account information. Many times they threaten you with account suspension if you don't respond.

The messages also contain a link to a phony site that looks exactly like the official site. These copies are called spoofed Web sites.

The companies most commonly spoofed in the scam include eBay, PayPal, EarthLink, Amazon.com, Wells Fargo, Bank One and Citibank, said Matt Bauer, an operations support specialist at the Data Doctors corporate office.

Believing the messages to be legitimate, unsuspecting people respond to the e-mail requests for financial information by clicking on the link. Once at the spoof site, any information entered can be transferred to the person who created the counterfeit site. That person can then use the information to purchase goods, apply for credit cards, or steal the victim's identity.

"The Internet is all about anonymity, which is why it's so hard to pinpoint where all these messages are coming from," Bauer said.

A growing problem

The phishers send out millions of e-mails. According to The Anti-Phishing Working Group, about 5 percent of people respond to the messages.

Phoenix restaurant manager Michael Waring is part of that 5 percent. About three months ago Waring received an e-mail message from someone claiming to be from eBay, a company he regularly does business with.

The e-mail told him he needed to update his account information or he would be suspended from doing business on the site.

"It looked completely legitimate," Waring said. "I clicked on the link without giving it a second thought."

The e-mail directed him to a spoof site where he was asked to enter his username and password. He did. The phony site then asked him to "verify" his name, address and credit card information.

"It felt suspicious, so I tried going to eBay directly without using the link," Waring said.

After logging on to the real eBay, Waring discovered that the company had not requested that he update his account. Waring said it was then he realized it was a scam.

"I thought I had dodged a bullet," he said. "But about a month later I discovered I was blocked from eBay."

Just Waring's user name and password gave the phishers enough information to steal his eBay identity. They broke into his eBay account and attempted to use his name and reputation to rip off other unsuspecting victims.

More people may have been conned and Waring held responsible, except that eBay caught on and froze his account. However, because the scammers had changed the e-mail address eBay sent updates to, Waring had no idea.

"It took about a week to clear up; it was very frustrating," he said.

An eBay tech support technician was able to pinpoint the phishing e-mail as the likely cause of the fraud.

"I was just glad I didn't give up my credit card information," Waring said.

If he had entered that information, he might have had more than just a frustrating week; he might have had a stack of charges he hadn't authorized on his next bill.

Spam mail accounted for four out of five e-mail messages sent during 2004, and the proportion of virus-infected e-mail tripled to 1.5 percent last year. Additionally, about 1 percent of spam messages are phishing scams, according to a study by Postini Inc., a California company that screens about 400 million e-mails a day.

Avoid trouble

There are things that can be done to make sure you don't get hooked by this new scam.

Jon Rock, senior engineer and manager of Data Doctors in Chandler, recommends never responding to requests about personal information through e-mail.

"No companies or banks will ask for credit card or contact information through an e-mail," Rock said. "If you think it is legitimate, contact the company directly to make sure."

Also, routinely review credit card and bank statements. "If you pay attention to your accounts, you may be able to discover a problem before too much damage is done," Rock said.

Bauer recommends visiting Web sites by typing the URL address directly into the address bar.

"Don't ever click on a link from an e-mail," Bauer said, "especially if they're asking for your information."

Additionally, if you have a hard time telling which messages are legitimate, Data Doctors has a free download on their Web site, datadoctors.com, to help combat phishing.

The program is called Phish Guard, and it automatically prevents you from clicking on those links that are associated with known counterfeit sites.

Finally, report suspected abuses of personal information to the proper authorities, such as the FBI Internet fraud complaint center at ifccfbi.gov or the Anti-Phishing Working Group at antiphishing.org, Bauer said.

"Just delete it," he said. "Then, report it."

Shanna Hogan is a contributor to the Web Devil. Reach her at shanna.hogan@asu.edu.

