
It can be tough spotting a phisher’s bait

(Bob Chamberlin/Los Angeles Times)

A week seldom goes by without someone forwarding me an email of dubious authenticity, typically appearing to be from some business urging you to log in to your account or perform some other transaction.

Most such emails fall into the category of “phishing” — phony messages that are basically fishing trips by scammers seeking your personal information. It’s a growing problem affecting millions of Internet users and hundreds of businesses.

It’s also becoming more difficult to spot phishing emails as frauds.

Case in point: the email that John Lajeuness and other AT&T customers received the other day informing them that their latest bill is ready.


“It sure looks legitimate,” Lajeuness, 65, of La Crescenta, told me. “You could see how easy it would be to click on it.”

The reason he hesitated: The payment due date was written in European style (day/month/year). When his real bill notice arrived from AT&T only a couple of hours later, Lajeuness saw that the due date was written in the proper American style (month/day/year).

“That was the only thing they got wrong,” he said.

I showed the email to AT&T, and even they were impressed by the quality of the fraud.

“This was definitely a good fake,” said Lane Kasselman, a company spokesman. “It looks real.”

It’s unclear how many customers may have received the email, he said, or how many may have been duped into giving the scammers access to their accounts.

The AT&T phishing emails serve as a reminder of the prevalence of online scams and the need for consumers to remain vigilant as more and more commerce moves online.

The typical phishing scam will try to trick you into visiting a website that looks like it belongs to a well-known business. But any information you submit, such as a credit card number or even just your user name and password, will end up in the hands of identity thieves.


The Anti-Phishing Working Group, a nonprofit organization focused on email fraud, said in a recent study that as many as 26,000 different phishing scams were reported monthly during the first half of 2011. The scams involved more than 300 corporate brands.

While many cyber-rackets are based overseas, the group found that most phishing sites are in the United States. In other words, it’s a largely homegrown crime.

“Each campaign can target hundreds of thousands or sometimes millions of users,” the Anti-Phishing Working Group said in its study. “There are thousands of fake phishing websites established online every day, luring any number of consumers to trouble and loss.”

The AT&T email shows how easy it is to be duped by phishers. The look of the email is almost identical to an actual AT&T bill reminder, including additional links to sign up for paperless billing or automatic payments.

Clicking on any of the links takes you to a sign-in page that, again, appears to be the real McCoy. Some of the links on this page, such as for those who may have forgotten their password, actually take you to AT&T’s own site.

But if you fill in your user name and password and click “log in,” nothing seems to happen. In fact, you’ve just handed access to your AT&T account to scammers.


AT&T’s Kasselman said that by accessing a customer’s online account, the phisher will gain access to that person’s full name, address, phone number and email address (but no financial info). The phisher will also be able to see the numbers and businesses you call frequently.

“This can provide a road map for additional fraud,” Kasselman said.

The AT&T email was even more insidious because it arrived in people’s in-boxes on the same day the company’s actual billing reminders were sent out. Kasselman said phishers pay attention to such things and time their attacks for maximum credibility.

How can you keep these guys at bay? First, make a habit of double-checking the sender’s email address whenever you get a message that invites you to submit information. That generally means hovering your cursor over the sender’s name and over any links in the message to reveal the actual addresses behind them.

In the case of the AT&T email, the sender’s address appears as AT&T Online Services. But holding your cursor over the link reveals that it came not from AT&T’s “att.com” domain but from an unrelated website.

Similarly, the links within the email for paying your bill or signing up for automatic payments take you to an address registered to something called uneekvision.com.

The uneekvision.com address is registered to a Los Angeles company called Uneek Entertainment. No one there returned my calls for comment.
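The two checks the column describes, comparing the sender’s real address with the brand it claims to be and checking where each link actually points, can be automated. The following is an added example, not code from the column or from AT&T: it parses a constructed sample message (the domains in it are placeholders, not the domain named above), flags a sender whose address domain does not match the expected brand domain, flags links that point off-domain or use plain http, and also picks out day-first dates like the one that tipped off the customer. The domain comparison is deliberately naive (last two labels) and would need a public suffix list in real use.

```python
"""Audit an HTML email for phishing tells: sender/link domain mismatch,
non-HTTPS links and day-first (European-style) dates.

Added example; the sample message below is constructed and its
domains are placeholders.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: display name claims AT&T, but the address and most
# link targets live on an unrelated placeholder domain.
SAMPLE_EMAIL = """From: AT&T Online Services <billing@example-unrelated.test>
To: customer@example.com
Subject: Your bill is ready
Content-Type: text/html

<html><body>
<p>Your bill is ready. Due date: 27/09/2011</p>
<a href="http://billing.example-unrelated.test/login">Pay your bill</a>
<a href="https://www.att.com/forgot-password">Forgot password?</a>
<a href="https://att.com.example-unrelated.test/autopay">Sign up for AutoPay</a>
</body></html>
"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = [dict(attrs).get("href", ""), ""]

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data.strip()

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append(tuple(self._current))
            self._current = None


def registrable_domain(host):
    """Naive registrable domain: the last two labels of the host name.
    'att.com.example-unrelated.test' therefore resolves to
    'example-unrelated.test', which is exactly the lookalike trick this
    check is meant to catch. A real tool would consult the public suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def find_day_first_dates(text):
    """Return d/m/y-style dates whose first field cannot be a month (> 12)."""
    pattern = re.compile(r"\b(\d{1,2})/(\d{1,2})/(\d{2,4})\b")
    return [m.group(0) for m in pattern.finditer(text) if int(m.group(1)) > 12]


def audit_email(raw, expected_domain="att.com"):
    """Return a list of (kind, target, reason) findings for the message."""
    msg = message_from_string(raw)
    display_name, addr = parseaddr(msg["From"])
    findings = []

    # 1. Does the sender's real address domain match the brand it claims?
    sender_host = addr.rpartition("@")[2]
    if registrable_domain(sender_host) != expected_domain:
        findings.append(("sender", addr,
                         f"display name '{display_name}' but address domain is {sender_host}"))

    # 2. Where does each link actually go, and is it at least HTTPS?
    parser = LinkExtractor()
    parser.feed(msg.get_payload())
    for href, text in parser.links:
        url = urlparse(href)
        reasons = []
        if url.scheme != "https":
            reasons.append("not https")
        if registrable_domain(url.hostname or "") != expected_domain:
            reasons.append(f"'{text}' points off-domain to {url.hostname}")
        if reasons:
            findings.append(("link", href, "; ".join(reasons)))

    # 3. Small formatting tells, such as a day-first due date.
    for date in find_day_first_dates(msg.get_payload()):
        findings.append(("date", date, "day-first date, unusual for a US bill"))

    return findings


if __name__ == "__main__":
    for kind, target, reason in audit_email(SAMPLE_EMAIL):
        print(f"[{kind}] {target}: {reason}")
```

Note that the HTTPS check only says a link is not plain http; a phishing site can be served over HTTPS just as easily as a real one, so the domain comparison is the check that matters, and the "forgot password" link that really does go to att.com passes both, exactly as the column describes.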


Nearly all real businesses won’t ever ask for personal information via email. If you receive an email asking you to respond with confidential data, ignore it.

If you click on an email and end up at what looks like a legitimate website, don’t provide any sensitive info unless you see two things: a little yellow padlock icon somewhere in the browser or in a corner of the screen, and an address that begins with “https” (the S is for “secure”).

Even then, it’s wise to limit your online transactions only to reputable companies that use the latest technologies to safeguard customers’ data.

It’s a given that scammers will keep trying to get at you via the Net. Don’t make it easier for them. Take that extra moment to give a suspicious email or website the once-over.

It could be as simple as spotting a European-style date.

David Lazarus’ column runs Tuesdays and Fridays. He also can be seen daily on KTLA-TV Channel 5. Send your tips or feedback to david.lazarus@latimes.com.
