Chapter 6. How "Phishing" Attacks Can Steal Your Identity and How to Protect Against Them
Perhaps the most lucrative type of Internet attack is the so-called phishing attack, in which you're sent an email from what appears to be a bank; financial institution; or commerce site such as PayPal, Amazon, or eBay, but which is in fact forged. The term phishing was invented by hackers who were "fishing" to steal account information from AOL users. Hackers frequently replace the letter f with ph, and that's how the term was created. The emails warn that you must log on to your account, perhaps to verify information or perhaps to ensure your account does not expire. You're told to click a link to get to the site. When you get to the site, it looks like the real thing, but it's a spoof. Log on, and all your information is stolen.
Why has phishing become so widespread? Because it pays off, big-time. Fraudsters can collect massive amounts of revenue by draining bank accounts and participating in identity theft.
The research group Gartner, for example, claims that identity theft initiated by phishing cost U.S. banks and credit card issuers approximately $1.2 billion in 2003. And the numbers rise every year.
How widespread have the attacks become? They're nearly ubiquitous. You've probably gotten numerous phishing attempts in the past year, as has just about everyone you know.
Worse yet, people fall for them. A Gartner survey in April 2004 found that nearly 11 million adults, or about 19% of those who have received phishing attacks, clicked a link in a phishing email. And nearly 1.8 million Americans, or 3% of those attacked, actually entered financial or personal information such as credit card numbers or billing addresses on the spoofed websites.
Phishers mostly aren't caught by the authorities, but every once in a while they are. And sometimes, victimized companies sue phishers. For example, Microsoft and Amazon filed a joint suit against Gold Disk Canada, Inc., and co-defendants Barry Head and his two sons. The suit claimed the defendants sent out millions of pieces of phishing email. The case has not yet been decided in court, as of this writing.
While phishing fraud is widespread, it's actually not that difficult to protect against. Spam filters catch most phishing attempts, and some email programs, such as Outlook, now include built-in antiphishing tools. Browsers also include antiphishing tools that warn you when you're about to go to a website that is most likely a spoof, and there are browser add-ins you can install that fight spoofs and phishing.
But the best protection is the simplest: Never click a link in an email that claims to be from a financial institution, no matter how legitimate the email seems. Phishers are very clever forgers, so you can never be sure whether the email is real or not. Instead, call the financial institution yourself or use your browser to visit the site, apart from the email. That way, you'll be safe.