Phear of phishing

Sophisticated e-mail scams are a potential disaster for Internet commerce.

These e-mails are fakes, frauds, phonies.

They are examples of phishing, a growing scourge that strikes at the very heart of Internet commerce by undermining the trust between e-commerce sites and their customers.

To continue reading, register here and become an Insider. You'll get free access to premium content from CIO, Computerworld, CSO, InfoWorld, and Network World. See more Insider content or sign in.

Dear Citibank member,
As part of our continuing commitment to protect your account and to reduce the instance of fraud on our Web site, we are undertaking a period review of our member accounts.
You are requested to visit our site, logon to your account and fill in the required information.

Dear AOL member,
We regret to inform you, but the credit card information for your account has expired.
To enjoy your AOL experience and keep your account active, you must enter new *valid* credit card information within 24 hours of receiving this e-mail.

Dear eBay user,
During our regular update and verification of the accounts, we couldn’t verify your current information. Either your information has changed or it is incomplete.
As a result, your access to bid or buy on eBay has been restricted. To start using your eBay account fully, please update and verify your information by clicking below:

These e-mails are fakes, frauds, phonies.

They are examples of phishing, a growing scourge that strikes at the very heart of Internet commerce by undermining the trust between e-commerce sites and their customers.

"What's at stake is all of e-commerce and our online way of life," says Fred Felman, vice president of marketing with Zone Labs.

DK Matai, executive chairman of mi2g, an electronic banking and security vendor in the U.K., puts it this way: "Brand protection is the key issue in the 21st century because it's the flip side of identity theft. Even if phishing's not their fault, online brands should be powerful and calculating enough to prevent consumers from making mistakes that cost them their identities."

David Remick, manager of enterprise information security for EarthLink, adds, "Phishers are a serious problem to our consumers. EarthLink has been committed to fighting phishers since we started picking up on the activity against our brand three years ago." EarthLink currently is offering a free scam-blocking toolbar that alerts consumers when they are about to visit a site that's on EarthLink's list known scammers.

Clearly, phishing has become more sophisticated and more prolific. "We got a phish last week with the eBay brand, and it took us 25 minutes to be sure it was actually a spoof. If we can't tell the good from the bad, then how can the consumer?" asks Cayce Ullman, CTO of secure messaging company PostX.

The number of phishes is skyrocketing. In April, the Anti-Phishing Working Group (AWG) detected 1,125 unique new phishes. That's a 180% increase over March, when 402 new phishes were reported.

Phishing is starting to take its toll. Consumer confidence in e-mail is at an all-time low, according to Pew Internet Life. In its March survey of 1,371 Internet users, 63% said they are less trusting of e-mail. Last June, that number was 52%.

In a recent online survey of 650 U.S. respondents, 75% said they are less likely to respond to e-mails from their bank because of phishing. Online market researcher Infosurv conducted the survey on behalf of anti-fraud vendor Cyota.

Experts say that unless businesses can stop the fraudulent use of their brands, they could lose their online channels altogether.

Step 1: Educate

Ask any big online brand what they're doing about the problem and they'll point to user education.

Citibank, one of the earliest brands phishers exploited, has a prominent link at the bottom of its home page about e-mail fraud. The link takes you to all known e-mail phishes forging the Citi brand name, and tells readers how to identify and report fraudulent e-mails.

Click to see: Citi example

But education isn't enough, analysts say. For starters, some customers are learning not to trust anything, so they're deleting your legitimate communications without reading them, says Brian Murray, vice-president of client services of Cyveillance, an online brand protection service provider.