The CIO-level business angle on the latest tech
Do you know someone who has fallen hook, line and sinker for a phishing scam? Unfortunately, some of the scams are getting quite sophisticated, and it takes a savvy surfer to avoid falling prey.
While phishing schemes are usually aimed at individuals, we are beginning to see them used against enterprises, attempting to harvest credentials that yield access to internal corporate networks. Whether the information is personal, such as an account number or Social Security Number, or a corporate asset, such as a network login ID, phishing scams are nothing to fool with.
Identity fraud is the fastest-growing crime in the U.S., affecting an estimated 10 million people over the past year, according to a 2003 study published by the Federal Trade Commission. Financial losses from these schemes run into the billions of dollars. Not all identity theft occurs via the Internet, of course, but phishing scams are increasing in both number and sophistication.
E-mail security company MessageLabs first noticed the trend in August 2003, when it intercepted 14 phish e-mails. By January 2004, the company had trapped more than 290,000 such messages. Here we are today, seven months later, and the trend has accelerated even more. Just this week, my anti-spam software caught several confirmed phish messages lurking in my e-mail account.
PayPal, U.S. Bank, eBay, Citibank, AOL and MSN are some of the more prominent companies whose names have been sullied in phish schemes, but the list doesn't stop there. Most major financial institutions have found their names used illegally in order to dupe unsuspecting customers into revealing sensitive information.
In recognition of the burgeoning problems of personal information and identity theft, President Bush recently signed the Identity Theft Penalty Enhancement Act (ITPEA). This law enhances previously established punishment guidelines for anyone who possesses someone else's identification-related information with intent to commit a crime. Identity or personal information theft via phishing is covered in this legislation.
As I always say, legislation is necessary for prosecution of a crime after the fact. However, prevention is the better way to fight the problem. Thus, it's important to help your friends and colleagues learn to recognize a scam and be skeptical of any unsolicited communication that requests personal or account information. I know that an IT executive like you always practices "safe hex," but many trusting computer users don't always use the best judgment. Here, then, are some tips you can pass along to your user base to keep them from taking the bait. (Credit goes to U.S. Bank and MailFrontier for providing some of these tips.)
1. To increase the number of responses, cyber-criminals include upsetting or exciting statements in their e-mail. They want people to react immediately and respond with the desired information without thinking. To protect yourself, take the time to examine the claims made in the e-mail. If you receive an e-mail requesting sensitive information, check its authenticity by contacting the company that appears to be the originator, using a phone number or Web address you already know rather than one supplied in the message itself.
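The tip above can be turned into a simple first-pass filter. The following Python is an added example written for this column, not code from the author, U.S. Bank or MailFrontier; it scores a message on three signals the column describes (urgency language, a request for the kinds of data phishers harvest, and a well-known brand named in the mail while the sender's domain belongs to someone else). The phrase lists, the brand table and the sample messages are all constructed assumptions for illustration.

```python
import re
from email import message_from_string

# Phrases meant to provoke an immediate reaction (assumed list, not exhaustive).
URGENCY_PHRASES = (
    "urgent", "immediately", "within 24 hours", "will be suspended",
    "has been limited", "act now", "unauthorized access", "you have won",
)
# The kinds of data the column says phishers harvest (assumed list).
SENSITIVE_REQUESTS = (
    "account number", "social security number", "password", "login id", "pin",
)
# Brands the column names as commonly impersonated (assumed lookup table).
KNOWN_BRANDS = ("paypal", "u.s. bank", "ebay", "citibank", "aol", "msn")

# Constructed sample messages; none of these is real mail.
SAMPLES = {
    "phish": (
        "From: PayPal Security <alerts@paypal.example-login.net>\n"
        "Subject: URGENT: your account will be suspended\n"
        "\n"
        "Your PayPal account has been limited because of unusual activity.\n"
        "To restore access, confirm your account number and\n"
        "Social Security Number within 24 hours or the account will be suspended.\n"
    ),
    "receipt": (
        "From: PayPal <service@paypal.com>\n"
        "Subject: Receipt for your payment\n"
        "\n"
        "You sent a payment of $20.00 with PayPal. This is a receipt; no action is needed.\n"
    ),
    "newsletter": (
        "From: newsletter@example.org\n"
        "Subject: Monthly update\n"
        "\n"
        "Here is this month's newsletter. No action required.\n"
    ),
}


def sender_domain(msg):
    """Domain of the From: address, e.g. 'paypal.example-login.net'."""
    m = re.search(r"@([\w.-]+)", msg.get("From", ""))
    return m.group(1).lower() if m else ""


def registrable_part(domain):
    """Naive 'registrable domain': the last two labels.
    This ignores suffixes like co.uk; a public-suffix list would be needed for those."""
    return ".".join(domain.split(".")[-2:])


def message_text(msg):
    """Subject plus plain-text body, lower-cased with whitespace collapsed
    so phrases split across line breaks still match."""
    if msg.is_multipart():
        parts = [p.get_payload(decode=True).decode("utf-8", "replace")
                 for p in msg.walk() if p.get_content_type() == "text/plain"]
        body = "\n".join(parts)
    else:
        body = msg.get_payload()
    return re.sub(r"\s+", " ", msg.get("Subject", "") + " " + body).lower()


def phishing_indicators(raw):
    """Return a list of human-readable indicators found in one raw RFC 822 message."""
    msg = message_from_string(raw)
    text = message_text(msg)
    found = []

    hits = [p for p in URGENCY_PHRASES if p in text]
    if hits:
        found.append("urgency language: " + ", ".join(hits))

    hits = [p for p in SENSITIVE_REQUESTS if p in text]
    if hits:
        found.append("requests sensitive data: " + ", ".join(hits))

    # Brand named in the mail, but the sender's registrable domain does not carry it.
    # Comparing only the last two labels defeats lookalikes such as paypal.<other>.net.
    domain = sender_domain(msg)
    site = re.sub(r"[.-]", "", registrable_part(domain))
    for brand in KNOWN_BRANDS:
        if brand in text and re.sub(r"[. ]", "", brand) not in site:
            found.append(f"mentions {brand} but sender domain is {domain or 'missing'}")
    return found


def is_suspicious(raw, threshold=2):
    """Flag a message once it shows at least `threshold` independent indicators."""
    return len(phishing_indicators(raw)) >= threshold


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, is_suspicious(raw), phishing_indicators(raw))
```

The threshold of two keeps a legitimate receipt that merely names the brand from being flagged, while the constructed lure trips all three checks. Keyword lists like these are easy for an attacker to evade, so treat the output as a prompt for the user to verify through a known-good channel, not as proof either way.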
Linda Musthaler is a principal analyst with Essential Solutions Corporation.