Software Providers and Industry Initiatives Attempt to Counteract Phishing Attacks

Phishing is on the rise, but not the kind associated with Grateful Dead-inspired jam bands. As the newest Internet fraud phenomenon, phishing refers to efforts to lure personal information such as credit card numbers and passwords from unwitting consumers through spoof emails that mimic legitimate email communications.

A surge in so-called phishing attacks intended to obtain consumers' personal information has inspired government action, a watchdog trade group, and education initiatives on anti-phishing strategies. On Monday, McAfee Research, the technology research division of security software provider Network Associates, released a research brief outlining the problem as well as anti-phishing strategies.

"We've seen growth week-to-week and month-to-month," says Dan Maier, senior product marketing manager at Tumbleweed Communications Corp., a provider of email security software. The firm established the Anti-Phishing Working Group (APWG) in November 2003 to help track and counteract nefarious phishing expeditions. Maier contends that phishing attacks could be on the rise as a result of increased awareness and press coverage of previous attacks.

The APWG tracked 176 new phishing attacks in January, up 52 percent from December. Phishing attack mailings, which are usually sent in bulk like spam, ask recipients to update private information--often via a form within the email message itself. Sometimes they're accompanied by spyware email attachments disguised as harmless screen savers or virtual greeting cards. One Tumbleweed bank client fielded 90,000 unanticipated calls per hour from concerned customers.

Financial services and retail marketers, as well as Internet service providers and their customers, are among the main targets of phishing offensives. In January, eBay was the victim of 51 phishing attempts, Citibank experienced 35, and America Online saw 34, according to the APWG.

The organization reported a phishing scam on March 10 that used a phony Web form in an attempt to obtain AOL customers' personal identity and credit card details, personal information numbers for automatic teller machine accounts, and account information. On March 9, Wells Fargo was hit when phishers sent email threats hoping to scare account holders into verifying bank account ownership information to prevent blocks on their accounts. Online auction house eBay was struck by a similar attack on the same day.

McAfee Research's "Anti-Phishing: Best Practices for Institutions and Consumers" white paper details the typical routes taken by phishers to gather personal information from unsuspecting consumers, and suggests ways that both companies and their customers can evade phish net entrapment. Among the recommendations: Don't use email forms, offer simple visual or audio mechanisms to verify email authenticity, and include digital signatures, one-time-only passwords, or other icons certifying authorization when sending high-value email communications to customers. Even including the customer's name in an email can help separate legitimate emails from the fakes, according to the McAfee paper.

The research firm also advises companies to implement anti-virus and anti-spam software in addition to monitoring the Web for instances of their company logo or trademarks, which may be featured in phishing-related Web pages. In addition, McAfee has invited interested parties to attend a free webcast on the topic on March 17 from 11:00 a.m. to 12:00 p.m. Pacific Standard Time.

"Consumers are getting more suspicious of the email they receive, unfortunately, by necessity," observes Tumbleweed's Maier. Software firms like his have begun introducing phishing-specific products. Tumbleweed, for instance, enables clients to embed a red ribbon icon in the corner of recipients' email client interfaces to validate digital signatures. PassMark Security offers a similar verification product that displays a personalized icon whenever a customer logs on to a site using its system.

Anti-spam software firm Brightmail detects fraudulent email messages and notifies clients when a phishing attack has occurred. It also filters out phishing emails to protect its user base.

Some victims are taking action on their own. eBay, for example, allows users to download a toolbar that glows red if a user visits an imposter eBay site. The U.S. Department of Justice has also responded to phishing fraud, which may violate federal criminal statutes, by successfully prosecuting cases involving phishing and releasing a special report on the subject.

"ISPs, banks, and retailers need to do something, or they risk losing the trust of those customers," warns Maier. "They could be in serious trouble."
