Sure, that e-mail looks legit, but is it from a ‘phisher’?

Special to The Times

THE e-mail in my in-box looked official. It had the familiar E-Trade Financial logo across the top. The return e-mail address was a legitimate financial document delivery website. The e-mail informed me that my statement was now available online and that I could click a link embedded in the e-mail and log on.

The problem was the e-mail was not sent by E-Trade. It was a scam.

Clicking the link would have sent me to a site with an address that was just one letter different from the official E-Trade web address, dropping me into the clutches of someone trying to steal my account number and password and opening a whole world of personal information.

This type of scam, known as “phishing” or “spoofing,” commonly targets customers of financial institutions, but it has also been used to scam customers of travel businesses.

“Anywhere [consumers] might have a stored profile might present the same risk,” said Eric Olson, a vice president at Cyveillance, an Arlington, Va., company that specializes in tracking Internet risk and fraud.

It may be especially risky for the Internet-savvy frequent traveler.

“Super-platinum members of hotel chains spend a great deal of money on travel. That is a perfect target for a scammer.”

Two of the largest hotel frequent-guest programs appear to have been targeted by phishers, the hotels’ websites suggest: the Hilton HHonors program and the Starwood Preferred Guest program. Neither Starwood nor Hilton returned phone calls asking for comment about phishing.

Indeed, the risk to consumers is growing, according to a report by the Anti-Phishing Work Group, an industry and law enforcement group that is working to fight phishing scams.

In August, the most recent month for which data were available, the group detected 13,777 scams that targeted 84 companies and their customers.

That compares with 6,957 scams detected last October when it first began keeping data.

Financial services made up 85% of that number; retail, Internet service providers and miscellaneous other services made up the rest.

About 20% of Americans have been the target of “phishing” attacks in the last year, the group said. U.S. banks and credit card issuers report phishing cases cost them about $1.2 billion last year.

Olson described how the members of a hotel frequent-guest program were recently scammed, although he wouldn’t say which company it was.

Lured to a website

MEMBERS received an e-mail that offered them a chance to win a free two-night stay in a hotel, he said. They had to log onto their frequent-guest program account to qualify.

The e-mail included a link to a website to enter the necessary information. It required only the account number and log-in password.

No credit card information or other identifying information was required, so even the most paranoid Internet user might not suspect it was a scam.

The link, however, was to a spoof website created by a scam artist. But what damage could someone do with access to a hotel frequent-guest account? The member’s profile includes a billing address and phone number, but credit card information is crossed out, except for the last four digits.

A seemingly innocent ploy, but it had consequences. The scammers would access the guest’s account to determine the date of their next hotel stay. The week before the guest was due to arrive, they would call the traveler, posing as a reservations agent from that hotel, and ask the guest to confirm his or her credit card information.

“Your sense of caution is allayed because the person you are talking to knows an awful lot about you,” Olson said.

Armed with credit card information and home addresses, the phishers could charge at will.

“There is an increase in sophistication” of the scams, said Dave Jevans, chairman of the Anti-Phishing Work Group and chief executive of IronKey, a company that builds security and authentication systems. A scheme across multiple channels such as e-mail and telephones is just one sign of scammers’ evolving cunning, he said.

James Gilden writes the Daily Traveler blog for the Los Angeles Times at latimes.com/thedailytraveler.

*

Warning signs

How to protect yourself:

* Be wary of e-mails asking you to provide or confirm sensitive information, such as account numbers or passwords, even if they appear to be from legitimate companies with which you do business.

* Watch for misspellings and grammatical errors, which can be used by phishers to foil spam blockers.

* Note that phishers often try to convey a sense of urgency, perhaps threatening to close your account or impose fees if you do not respond immediately.

What to do:

* If an e-mail has any of these signs, do not respond, click on any of the links or call the phone numbers.

* If you conduct business with the company represented, contact it through an e-mail address or phone number that you know to be legitimate.

* Report suspected phishing and spoofs to the Federal Trade Commission at spam@uce.gov.

-- James Gilden
