Sure, that e-mail looks legit, but is it from a 'phisher'?

Online scammers are targeting some hotels' frequent guests. And the risk is growing for all consumers, experts say.

THE e-mail in my in-box looked official. It had the familiar E-Trade Financial logo across the top. The return e-mail address was a legitimate financial document delivery website. The e-mail informed me that my statement was now available online and that I could click a link embedded in the e-mail and log on.

The problem was the e-mail was not sent by E-Trade. It was a scam.

Clicking the link would have sent me to a site with an address that was just one letter different from the official E-Trade web address, dropping me into the clutches of someone trying to steal my account number and password and opening a whole world of personal information.

This type of scam, known as "phishing" or "spoofing," commonly targets customers of financial institutions, but it has also been used to scam customers of travel businesses.

"Anywhere [consumers] might have a stored profile might present the same risk," said Eric Olson, a vice president at Cyveillance, an Arlington, Va., company that specializes in tracking Internet risk and fraud.

It may be especially risky for the Internet-savvy frequent traveler.

"Super-platinum members of hotel chains spend a great deal of money on travel. That is a perfect target for a scammer."

Two of the largest hotel frequent-guest programs appear to have been targeted by phishers, the hotels' websites suggest: the Hilton HHonors program and the Starwood Preferred Guest program. Neither Starwood nor Hilton returned phone calls asking for comment about phishing.

Indeed, the risk to consumers is growing, according to a report by the Anti-Phishing Work Group, an industry and law enforcement group that is working to fight phishing scams.

In August, the most recent month for which data were available, the group detected 13,777 scams that targeted 84 companies and their customers.

That compares with 6,957 scams detected last October when it first began keeping data.

Financial services made up 85% of that number; retail, Internet service providers and miscellaneous other services made up the rest.

About 20% of Americans have been the target of "phishing" attacks in the last year, the group said. U.S. banks and credit card issuers report phishing cases cost them about $1.2 billion last year.

Olson described how the members of a hotel frequent-guest program were recently scammed, although he wouldn't say which company it was.



Lured to a website

MEMBERS received an e-mail that offered them a chance to win a free two-night stay in a hotel, he said. They had to log onto their frequent-guest program account to qualify.

The e-mail included a link to a website to enter the necessary information. It required only the account number and log-in password.

No credit card information or other identifying information was required, so even the most paranoid Internet user might not suspect it was a scam.

The link, however, was to a spoof website created by a scam artist. But what damage could someone do with access to a hotel frequent-guest account? The member's profile includes a billing address and phone number, but credit card information is crossed out, except for the last four digits.

A seemingly innocent ploy, but it had consequences. The scammers would access the guest's account to determine the date of their next hotel stay. The week before the guest was due to arrive, they would call the traveler, posing as a reservations agent from that hotel, and ask the guest to confirm his or her credit card information.