Copyright 2004 washingtonpost.com. All rights reserved.

Phishing Schemes Scar Victims

By Brian Krebs
washingtonpost.com Staff Writer
Thursday, November 18, 2004; 6:36 AM

Nancy Boyle woke up one morning last December to discover that someone had stolen $1,800 from her online bank account. Then came the $800 credit card charge for escort services that she and her husband Dan never ordered.

The Boyles, who run a window treatment business out of their home in Racine, Wis., were getting a crash course in phishing.

The first e-mail appeared to come from Bank One, warning that Mrs. Boyle's account would be suspended unless she updated her information to conform with the company's new anti-fraud measures. She clicked on the link that came with the e-mail and entered the data on the Web site. Then the money disappeared from her account.

Not long after that, she got another message that looked like it came from eBay. It warned of fraudulent activity on her account and urged her to verify her details. She handed over her bank account number, Social Security number and her mother's maiden name -- the keys to her identity.

For the Boyles, the timing could not have been worse. The scams hit less than a week before Christmas. Mr. Boyle's mother had recently been diagnosed with cancer. The Internal Revenue Service had just begun an audit of their finances. The police got involved, but the evidence trail ran cold after investigators traced the scam to "somewhere in Egypt."

The experience left them wiser to the dangers of the Internet, the Boyles said, but it stirs bitter emotions.

"This kind of thing makes you feel so violated, just leaves you with such an awful feeling," said Mr. Boyle. "It sounds mean, but for a while there we just wanted these people dead."

The Boyles were two of an estimated 1.8 million Americans who gave out personal information in a phishing scam in the last year. It is becoming one of the most prevalent means of identity theft, according to the Federal Trade Commission.

Phishing scams usually start with an e-mail that looks like it comes from a bank, Internet service provider or e-commerce company. It often tells recipients that they need to update their account information by clicking on a link provided in the e-mail. If they do not, the mail warns, their accounts could be terminated or they could be subject to some other negative consequence. That pressure to act immediately is deliberate, experts say, because the fake Web sites remain online for only a few hours or days before investigators shut them down.
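The lure described above has recognizable parts: a sender posing as a bank or marketplace, a threat of suspension to force a quick click, a link that does not go where it claims, and a request for data a real institution never asks for by e-mail. The following Python script is an added example, not from the article or any of the companies it names; it scores those cues on two constructed messages (the addresses, domains and wording are made up for the demonstration) the way a simple mail-filter triage rule might.

```python
"""Heuristic triage of a phishing lure (added example; sample mail is constructed)."""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Pressure-to-act wording of the kind the article describes.
URGENCY_PHRASES = (
    "suspended", "terminated", "verify your", "update your",
    "within 24 hours", "security reasons", "fraudulent activity",
)
# Data a bank or marketplace does not request by e-mail.
SENSITIVE_REQUESTS = ("social security", "maiden name", "pin", "password", "routing number")

ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
URL_IN_TEXT_RE = re.compile(r"https?://[^\s<\"']+", re.I)


def registered_domain(host):
    """Crude eTLD+1: last two labels (assumption: no multi-label public suffixes).
    Bare IP addresses are returned unchanged."""
    labels = host.lower().strip(".").split(".")
    if all(label.isdigit() for label in labels):
        return host.lower()
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def analyze(raw):
    """Return (verdict, findings) for one RFC 822 message given as a string."""
    msg = message_from_string(raw, policy=policy.default)
    _, sender = parseaddr(msg.get("From", ""))
    sender_domain = registered_domain(sender.split("@")[-1]) if "@" in sender else ""
    body = msg.get_content()
    lowered = body.lower()
    findings = []

    hits = [p for p in URGENCY_PHRASES if p in lowered]
    if hits:
        findings.append("urgency language: " + ", ".join(hits))

    asks = [p for p in SENSITIVE_REQUESTS
            if re.search(r"\b" + re.escape(p) + r"\b", lowered)]
    if asks:
        findings.append("asks for sensitive data: " + ", ".join(asks))

    for href, text in ANCHOR_RE.findall(body):
        link_domain = registered_domain(urlparse(href).hostname or "")
        shown = URL_IN_TEXT_RE.search(text)  # visible text that looks like a URL
        if shown:
            shown_domain = registered_domain(urlparse(shown.group(0)).hostname or "")
            if shown_domain != link_domain:
                findings.append(f"link text shows {shown_domain} but points to {link_domain}")
        if sender_domain and link_domain != sender_domain:
            findings.append(f"link domain {link_domain} differs from sender domain {sender_domain}")

    score = len(findings)
    verdict = "likely phish" if score >= 2 else ("suspicious" if score == 1 else "no cues")
    return verdict, findings


# Constructed sample: the lure pattern from the article, with invented domains.
PHISH_SAMPLE = """From: "Bank Security" <alerts@bank-verify-now.example>
To: customer@example.net
Subject: Action required on your account
Content-Type: text/html

<p>Your account will be suspended unless you update your information.</p>
<p>Click <a href="http://account-update.example/confirm">http://www.examplebank.example/confirm</a>
and confirm your Social Security number and PIN.</p>
"""

# Constructed sample: an ordinary transactional notice from the same sender domain it links to.
LEGIT_SAMPLE = """From: "Example Books" <orders@examplebooks.example>
To: customer@example.net
Subject: Your order has shipped
Content-Type: text/html

<p>Your order #1234 shipped today. Track it at
<a href="https://www.examplebooks.example/track/1234">our tracking page</a>.</p>
"""

if __name__ == "__main__":
    for sample in (PHISH_SAMPLE, LEGIT_SAMPLE):
        verdict, findings = analyze(sample)
        print(verdict, findings)
```

The rules are deliberately simple and will produce both misses and false alarms on real mail; the point is that the cues the article's victims missed (urgency, a visible URL that differs from the real link target, a request for Social Security numbers or PINs) are mechanically checkable before a person ever clicks.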

In the first six months of 2004, the number of unique phishing attacks increased by more than 800 percent -- from 176 in January 2004 to 1,422 in June 2004, according to the Anti-Phishing Working Group. Computer security experts said phishing is fueled by new alliances between computer virus writers, junk e-mail artists and international organized crime rings.

In a report last year, the FTC said the average identity theft victim could expect to lose roughly $500 per incident. But experts said that a person who falls for a phishing scam is exposed to far more fraudulent activity than someone who loses a credit card, in part because phishing victims give their personal data directly to people who are most likely to defraud them.

Michael Gibbons, 38, of Houston, Texas, last December responded to an e-mail he thought was from eBay, urging him to update his account information for "security reasons." After clicking on a link in the e-mail, Gibbons, who buys and sells books and other kinds of merchandise online, was taken to a bogus eBay site.

In a lapse of judgment that he would later describe as the "beginning of a long, major life lesson," Gibbons entered his eBay ID and password, his address, checking and credit card account numbers and expiration dates, bank routing and Social Security numbers, his birthday, his mother's maiden name and his bank card PIN.

Within hours, scammers siphoned $1,500 from his debit card account and changed his e-mail and eBay account passwords. They even locked Gibbons out of his bank account by securing it with a password of their own.

Gibbons's bank eventually agreed that the charges were fraudulent. A bank investigator told him it appeared that they were coming from somewhere in Russia to pay for computer equipment and Web site domain name registrations. Experts say the scammers likely were reinvesting cash they stole from him to pay for equipment and resources needed to launch more phishing scams.

It took several months for Gibbons to close out his bank accounts and credit cards. Following the advice given to fraud victims, he filed a police report and placed a fraud watch on his file with the three major credit bureaus.

A little more than two months ago, a woman from the credit bureau called. The scammers had struck again. This time they tried to open a $25,000 line of credit in his name.

Gibbons said he learned the hard way that banks and e-commerce companies will never ask for personal information from their customers in an e-mail. But consumers who are unaware of that are an easy mark for e-mail scammers because many of the phishing lures in use today are increasingly difficult to distinguish from legitimate communications.

Consider the experiment conducted by Palo Alto, Calif.-based e-mail security firm MailFrontier. In July, the company posted a "phishing IQ test" on its Web site that displays 10 e-mail messages and asks visitors to decide whether they are scams or legitimate messages sent by companies to their customers.

To date, most of the 230,000 people who have taken the test got seven out of 10 right. Only one in 10 answered all the questions correctly.

The study shows that online scams are weakening e-mail as a trustworthy method of communication between companies and their customers, said Andy Klein, MailFrontier's anti-fraud product manager.

"The scammers are really beginning to poison the well of e-commerce to the point where many people can no longer tell the difference between what's fake and what's legitimate," Klein said.

Delores Hanes, 77, is one of those people. The Vancouver, Wash., resident fell victim to a phishing scam targeting customers of PayPal, eBay's online payment subsidiary.

"It had the PayPal pictures all over," Hanes said. "On the surface at least it looked like everything else I'd seen from them."

Hanes and her husband Bob, 80, first realized something was amiss when a woman from Western Union called to confirm that they authorized a $200 electronic payment to someone in Germany. Soon, checking charges appeared for amounts ranging from $50 to $150, including a request to open a new Internet service account with America Online, Hanes said.

"For days I couldn't eat, couldn't sleep at night, I was so upset," Hanes said.

Even after countless hours on the phone with her bank, the charges kept coming. Mrs. Hanes said the experience so rattled her that she and her husband have sworn off e-commerce for good.

"I guess we just decided we were done with the whole thing," she said.

It may be tempting to assume that most victims are like the Haneses -- the elderly and the technophobic. But according to a study of more than 1,330 Internet users conducted in September by the Tucson, Ariz.-based Ponemon Institute, 18- to 25-year-olds are nearly three times more likely to get hooked than any other age group.

Larry Ponemon, the institute's founder and an adjunct professor of privacy and ethics at Carnegie Mellon University in Pittsburgh, said people in that age group probably spend more time online and are more likely to bank online. But follow-up interviews with the young phishing victims in the study pointed to another difference.

"They seem to be more complacent about those risks than other age groups," Ponemon said. "Their attitude seems to be more one of a general acceptance that bad things will happen online, and that they'll just deal with it when it happens and move on."

Jennifer Gillespie, of Brooklyn, N.Y., was 25 when she was taken by a phishing scam targeting Citibank customers. She learned she had been conned when the company called to report an unusual flurry of activity on her account. Now 26, Gillespie was one of the lucky ones; the fraudsters would have had a hard time fleecing her account.

"My card was almost maxed out anyways," Gillespie said.

Still, she continues to shop online. "It's been frustrating and annoying, but it really wasn't that big a deal. It didn't end up costing me anything," she said.

Approximately 60 percent of those surveyed by the Ponemon institute said they had inadvertently visited a fake or spoofed site, and more than 15 percent admitted providing data to what they later realized was a phishing site. Of those who fell for the scams, 68 percent provided credit card numbers, and 62 percent handed over their Social Security numbers. Slightly more than half who fell for the phish realized they got scammed within a week of giving out their personal information, Ponemon said.

Timothy May, a 44-year-old salesman from Tomball, Texas, learned the phishers had hooked him shortly after his credit card was declined at a business lunch with a client.

"You can't imagine how embarrassing that was," May said. "Plus, I didn't even know the extent of the whole scam at that point."

May says he can't recall when or how it went down, but he remembers responding to an e-mail warning him that his bank account would be cancelled unless he updated his financial information. Later, someone tapped his checking account to buy $5,000 worth of auto parts from a store in Brooklyn. After that, fraudsters in California used his credit card number to purchase a batch of new Dell computers.

Like many other phishing victims interviewed for this series, May has been convinced by his experience that the Internet is too treacherous and unpredictable a place for conducting business.

"I'll surf the Web and look at stuff, but I don't buy anything online anymore. It's just not worth it."

© 2004 TechNews.com