Consumers still falling for phish
By Bob Sullivan
Confused by what's arriving in your inbox? You're not alone. Nearly one out
of three Internet users were unable to tell the difference between
fraudulent e-mails designed to steal their identities and legitimate
corporate e-mail, a new study finds.

Anti-spam firm MailFrontier Inc. showed 1,000 consumers examples of
so-called "phishing" e-mail as well as legitimate e-mail from companies such
as eBay and PayPal. About 28 percent of the time, the consumers incorrectly
identified the phishing messages as legitimate.
What's more, the legitimate e-mails were often dismissed as potential fraud.
An e-mail message from the Federal Trade Commission was dismissed as a fraud
by 50 percent of the consumers.

"We knew we'd fool a few people, but we're pretty surprised by 28 percent,"
said Anne Bonaparte, CEO of MailFrontier. "A number of (the phishing
e-mails used in the study) have been around for a while."

'We are losing on both ends'

One reason the look-alike e-mails continue to fool consumers: the people
behind them are getting much better at their craft.
"We've definitely seen quite an improvement in grammar, for example,"
Bonaparte said. "Early versions wouldn't have fooled too many people. Now,
they fool a number of us. We did the test here at work and some people had
embarrassing results."

One very well-distributed PayPal look-alike e-mail, which claimed credit
card information needed to be updated, fooled 31 percent of users surveyed,
she said. "That one was written widely about. You would not have thought
that would have fooled people," she said.

Meanwhile, a simple note from PayPal indicating that a payment had been
made, which asked for no personal information, was described as a fraud by
20 percent of those studied.
"We are losing on both ends right now," said Dave Jevans, chairman of the
Anti-Phishing Working Group, a consortium of companies fighting the problem.
He said he wasn't particularly surprised by the results of the study.

"I've seen professionals who work in the industry fall for these. As we can
see from this report, it's hard to tell bad mail from good mail. ... It's
undermining the ability of people to communicate."

(Think you'd do better at sniffing out the real McCoy? MailFrontier has
published a "fair or phish" test similar to the one it used in its study on
its Web site.)
Attacks on the rise, banks targeted
Not only are consumers unable to accurately spot fakes, they are regularly
surrendering personal information. According to a study released in April by
Gartner's Avivah Litan, 1.78 million Americans say they've fallen for a
fake e-mail and willingly provided credit card numbers, bank account PINs,
and other information to computer criminals.
Perhaps an additional 1 million users have done so and don't realize it, the
study said. In all, the study concluded that about $1.2 billion has been
stolen from U.S. financial institutions through phishing attacks.
A study to be released next week by the Anti-Phishing Working Group shows
phishing activity is still skyrocketing -- there was a 19 percent increase
in the amount of phishing attacks between May and June. There were nearly 50
new attacks per day in June, the report indicates.
The most popular target, with 492 separate phishing attacks in one month,
was once again Citibank. Attacks against banks in general continued to rise
in June, with US Bank-fake e-mails jumping 50 percent and FirstUSA attacks
up 67 percent. Attacks against AOL and Visa declined sharply, suggesting
they are less lucrative targets.
For the first time, analysts are tracking the country of origin for the
attacks, and results show a number of them are hosted by computers located
in Asia. About 20 percent of the Web sites devoted to stealing information
are hosted in South Korea; another 16 percent are in China, and 7 percent
are in Taiwan. The location doesn't suggest the criminals are located there,
but simply indicates they are using computers in those countries.
"This may be due in part to a desire by phishers to host their forged sites
in places where language and time zone barriers make it more difficult for
brand-owning companies to shut the sites down," the report says. The
technique apparently works. Phishing e-mails, and their companion
data-stealing Web sites, last an average of 2.25 days, the report says.
The phishing problem continues to get national attention. First Data Corp.
and the National Consumers League plan to launch a public service awareness
campaign next month warning people about look-alike e-mails.
"Phishing is the fastest growing scam," said Barbara Span, vice president of
market intelligence at First Data. Less than a year ago, the National
Consumers League hadn't received any complaints about phishing, she said;
now it's the 4th-most frequent complaint. "This problem continues to get
worse, despite all the publicity it's received."
MSNBC's Bob Sullivan is the author of the upcoming book "Your Evil Twin:
Behind the Identity Theft Epidemic."