Internet ‘Phishing’ Scams on the Rise

Sitting at his home in Virginia Beach, Va., Joe Yuhasz almost reached for his wallet when an e-mail message popped into his in-box and told him America Online needed to verify his credit card information.

The site linked to the e-mail looked identical to AOL’s billing center, until Yuhasz noticed the domain name was a fake -- a scam commonly known as “phishing.” Most people recognizing a possible scam would have deleted the message and moved on. But Yuhasz, a cyber crime specialist for the FBI, had other plans.

The ensuing investigation led to the conviction of two people, one of whom was sentenced three weeks ago to four years in prison, and netted hundreds of stolen credit card numbers from across the United States.

This type of scam, which tricks people through fake websites and sob stories into giving up their credit card and bank numbers, is threatening to swamp the bureau’s Internet crime center with the volume of attacks.

And though the scams were once the product of a few small-time hackers or anti-establishment loners in the United States, FBI officials and computer experts are seeing growing signs that the culprits are members of organized crime and terrorist support groups, almost all of whom are working from abroad.

“It has been significantly increasing month after month,” says Dan Larkin, chief of the FBI’s Internet Crime Complaint Center. “United States citizens and businesses are very attractive targets for the world.”

The e-mails, which ask people to “update” their personal information -- Social Security numbers, dates of birth, passwords and the like -- or tell a well-concocted tale meant to trick people into divulging their credit card and bank account numbers, now constitute more than half of the 15,000 monthly citizen complaints filed to the FBI’s Internet crime center.

The scams have become the single most prevalent crime on the Internet, experts say, and they have become markedly more sophisticated over the last few months.

In December, Tumbleweed Communications, a 5-month-old anti-phishing consortium in Redwood, Calif., clocked more than 60 million phishing schemes sent over e-mail -- the highest monthly total.

The problem, though, is not just that there are more messages coming, but that more people are falling for them.

Dan Maier, senior program marketer for Tumbleweed, says that a year ago phishers could be easily spotted by their poor English and bad logo designs. One example was an e-mail purportedly from Citibank written in what Maier’s team calls “Russian English.” Now phishers seem to have mastered the proper grammar and lingo, usually stolen from actual company messages, as well as detailed graphics that, for example, warn customers with a “fraud alert: please confirm your account.”

Only 0.01% of all computer users respond to regular spam, but as many as 5% of phishing recipients reply.

“They’re playing on the trust people already have in their banks, their [Internet service providers], EBay,” Maier says. “They hijack the brand because people trust the brand. They trust e-mails they get from their bank.”

FBI officials suspect the scammers’ growing skill is a sign not of a learning curve but of the introduction of more savvy and experienced criminals into the fraud schemes.

They also believe terrorist sympathizers, possibly operating out of Africa and the Middle East, have begun using phishing schemes to steal identities and make fast cash after being shut out by counterterrorism measures from their traditional avenues of funding such as bogus charities.

“There’s a lot more thought going into them and to keeping law enforcement at arm’s length,” Larkin said.

Until recently, there has been little that law enforcement could do to catch phishers abroad. Most host countries have been uninterested in devoting resources to stopping the elusive perpetrators.

“[Phishers] believe the United States law enforcement is too far away and that their transactions are too well concealed for them to actually be caught,” Larkin said.

Real companies will never ask for account and credit card information over e-mail, FBI officials say; all e-mails that ask for such information should be reported to the FBI at www.ic3.gov.