How to avoid the phish hook


Do you know someone who has fallen hook, line and sinker for a phishing scam? Unfortunately, some of the scams are getting quite sophisticated, and it takes a savvy surfer to avoid falling prey.

While phishing schemes are usually aimed at individuals, we are beginning to see them used against enterprises, where the goal is to harvest credentials that give access to internal corporate networks. Whether the information is personal, such as an account number or Social Security Number, or a corporate asset, such as a network login ID, phish scams are nothing to fool with.

Identity fraud is the fastest-growing crime in the U.S., affecting an estimated 10 million people over the past year, according to a 2003 study published by the Federal Trade Commission. Financial losses from these schemes run into the billions of dollars. Not all identity theft occurs via the Internet, of course, but phish scams are increasing in both frequency and sophistication.

E-mail security company MessageLabs first noticed the trend in August 2003, when it intercepted 14 phish e-mails. By January 2004, the company had trapped more than 290,000 such messages. Here we are today, seven months later, and the trend has accelerated even more. Just this week, my anti-spam software caught several confirmed phish messages lurking in my e-mail account.

PayPal, U.S. Bank, eBay, Citibank, AOL and MSN are some of the more prominent companies whose names have been sullied in phish schemes, but the list doesn't stop there. Most major financial institutions have found their names used illegally in order to dupe unsuspecting customers into revealing sensitive information.

In recognition of the burgeoning problems of personal information and identity theft, President Bush recently signed the Identity Theft Penalty Enhancement Act (ITPEA). This law enhances previously established punishment guidelines for anyone who possesses someone else's identification-related information with intent to commit a crime. Identity or personal information theft via phishing is covered in this legislation.

As I always say, legislation is necessary for prosecution of a crime after the fact. However, prevention is the better way to fight the problem. Thus, it's important to help your friends and colleagues learn to recognize a scam and be skeptical of any unsolicited communication that requests personal or account information. I know that an IT executive like you always practices "safe hex," but many trusting computer users don't always use the best judgment. Here, then, are some tips you can pass along to your user base to keep them from taking the bait. (Credit goes to U.S. Bank and MailFrontier for providing some of these tips.)

1. To increase the number of responses, cyber-criminals include upsetting or exciting statements in their e-mail. They want people to react immediately and supply the requested information without thinking. To protect yourself, take the time to examine the claims made in the e-mail. If you receive an e-mail requesting sensitive information, check its authenticity by contacting the company that appears to be the originator, using a phone number or Web address you already know rather than one supplied in the message.

2. Be cautious when clicking on a link in an e-mail. The visible text of a link can show the company's genuine URL while the link actually points somewhere else entirely. To check where a link really goes, hover over it and read the destination your mail client or browser shows, or open a new browser window and manually type in the URL displayed in the e-mail and compare the page you reach with the one the link would take you to. If they don't match, immediately delete the e-mail with the suspicious link.

3. Practice safe logins; don't log in to update account information using a link sent via e-mail. Instead, log in to accounts directly from your browser with the links you normally use to update account information. Open a new browser window to log in.

4. Recognize that legitimate businesses won't initiate a request for sensitive information from you via e-mail (e.g., Social Security Number, personal ID, password, PIN or account number). Do not share your personal ID, password, PIN or account number with anyone, ever.

5. Legitimate businesses won't send unsolicited attachments for you to open. Delete such messages immediately without opening the attachment.

6. Keep your browser software up-to-date with the latest security patches. For example, one of the security patches for Microsoft Internet Explorer eliminates masked URLs: addresses of the form http://www.bank.com@attacker-site, in which the browser treated everything before the @ as a user name and quietly connected to the attacker's site while the address bar appeared to show the bank. With the patch applied, the browser no longer accepts such links, so the actual destination used in fraudulent e-mail and Web site scams is exposed.
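Tips 2 and 6 describe checks a person does by eye: compare what a link says with where it goes, and watch for the masked form http://trusted-site@attacker-site. The same checks can be run mechanically over an HTML message before a user ever sees it. The script below is an added example written for this page, not code from the article, U.S. Bank, MailFrontier or any vendor. It extracts every link from an HTML mail body, then flags three things: a user name before an @ in the URL (the masked-URL trick), a raw IP address as the host, and a visible link text whose domain differs from the domain the link actually points to. The sample message is constructed for the example; the 10.0.0.1 address and paypa1-secure.example host are placeholders, and the registrable_domain() helper is a deliberate last-two-labels approximation rather than a real public-suffix lookup.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML mail body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None   # href of the <a> currently open, if any
        self._text = []     # text fragments seen inside that <a>

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Last two DNS labels, e.g. www.paypal.com -> paypal.com.
    Assumption for the example: a real tool would consult a public-suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


_IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")
_URL_IN_TEXT = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def check_link(href, text):
    """Return a list of warning strings for one link (empty list = nothing found)."""
    warnings = []
    parts = urlsplit(href.strip())
    host = parts.hostname or ""

    # Masked URL: http://www.bank.com@attacker-site -- the part before @ is
    # parsed as a user name, the real host is what follows it.
    if parts.username is not None:
        warnings.append("userinfo-before-@ (masked URL)")

    if _IPV4.match(host):
        warnings.append("raw IP address host")

    if parts.scheme not in ("http", "https"):
        warnings.append(f"unexpected scheme {parts.scheme!r}")

    # Tip 2: if the visible text itself looks like a URL, its domain must agree
    # with the domain the link actually points to.
    m = _URL_IN_TEXT.search(text)
    if m:
        shown_host = urlsplit(m.group(0)).hostname or ""
        if registrable_domain(shown_host) != registrable_domain(host):
            warnings.append(f"link text shows {shown_host} but points to {host}")
    return warnings


def analyze_html_mail(html):
    """Return [(href, visible_text, warnings), ...] for every link in the body."""
    parser = _LinkExtractor()
    parser.feed(html)
    return [(href, text, check_link(href, text)) for href, text in parser.links]


# Constructed sample message, not a real phish: two bad links and one clean one.
SAMPLE_MAIL = """
<p>Dear customer, your account will be suspended. Click
<a href="http://www.paypal.com@10.0.0.1/cgi-bin/webscr">http://www.paypal.com/cgi-bin/webscr</a>
to confirm your details.</p>
<p>Or visit <a href="http://paypa1-secure.example/login">https://www.paypal.com/</a></p>
<p>Help center: <a href="https://www.paypal.com/help">https://www.paypal.com/help</a></p>
"""

if __name__ == "__main__":
    for href, text, warns in analyze_html_mail(SAMPLE_MAIL):
        print(("SUSPICIOUS" if warns else "ok") + f": text={text!r} href={href!r}")
        for w in warns:
            print("   -", w)
```

The first link trips all three checks at once, which is typical of 2004-era phish: the text reads as PayPal, the URL carries PayPal's name before the @, and the real destination is a bare IP address. The second link is clean by URL syntax but the displayed domain does not match the destination domain, which is exactly the mismatch tip 2 tells users to look for. Note that a link whose visible text is a plain phrase such as "Log in" yields no text-mismatch warning, because there is no displayed URL to compare against; that case still has to be caught by the user following tip 3 and typing the address themselves.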

As an IT professional, you can keep up-to-date with phishing trends by reading the Phishing Attack Trends Report published monthly by the Anti-Phishing Working Group (antiphishing.org).

Copyright © 2004 IDG Communications, Inc.
