STOCK QUOTES     More market data...

Silicon Valley view
Phishing fraud learns to hook bigger catches

By Mike Langberg
Knight Ridder Newspapers

E-mail this article Print this article Search archive Most read articles Most e-mailed articles

The current presidential debates would center on candidates endlessly accusing each other of being soft on crime, instead of soft on terrorism.

Now the reality: There's a major crime wave sweeping through the online world. While there has been much reporting of individual incidents, little attention has been paid to the big picture.

TRUSTe of San Francisco, a nonprofit privacy group, recently commissioned a survey on "phishing," those notorious fake e-mails that lure unsuspecting recipients into giving up financial information. The organization hired to do the survey, Ponemon Institute of Tucson, Ariz., contacted 1,335 Internet users around the United States in August and September.

Some 15 percent of the group said they've been tricked into providing personal data to a phishing Web site. And 2 percent reported monetary losses, averaging $115 an incident.

Extrapolating to the entire U.S. population, where 70 percent of adults go online, Ponemon Institute says losses to individual victims are nearly $500 million. Banks and financial institutions have sacrificed much more, since in many cases credit-card holders are obligated to pay only the first $50 of any fraudulent charges.

There's a consensus the situation first got ugly about a year ago. Cybercriminals apparently figured out how to combine their efforts in ways that hadn't been seen before.

Spamming tools, for example, are now routinely used to generate phishing e-mails. Techniques for writing viruses have been adapted to create "key loggers," stealth programs that record every key stroke and send the information back to the criminals who unleashed the program.

Gartner estimates $11.7 billion was lost to online fraud in the United States in the 12 months ended in April 2004, with 9.4 million people victimized.

This is happening in several ways, including harvesting credit-card numbers through phishing, opening new credit-card or checking accounts with stolen identities, forging checks, transferring money out of checking accounts and even opening accounts for fictitious individuals.

"Fraudsters are increasingly combining online and offline techniques and channels to accomplish their goals," Gartner analyst Avivah Litan wrote in a report last month.
 
"For example, they may 'phish' for online-bank-account users' IDs and passwords, log on to consumers' online bank accounts, look at the check images, and record the check numbers and signatures; these can then be used in check-forgery schemes."

In a few very scary cases, identity thieves have taken out second mortgages on the homes of their victims. The thieves get thousands of dollars, and the crime often isn't uncovered until missed payments are referred to a collection agency months after the fact.

Only 17 percent of check-forgery incidents result in arrests, while the other categories are all under 10 percent.

Dave Jevans, chairman of the Anti-Phishing Working Group, a cross-industry alliance aimed at stopping online identity theft, says there has also been "a dramatic increase in criminal communities online" where phishers can sell lists of stolen account numbers to other cybercriminals.

Pessimists are convinced online commerce could be severely undermined by loss of trust in the system, while optimists believe enforcement efforts will grow as fast or faster than new criminal schemes.

You can protect yourself with up-to-date anti-virus, firewall and anti-spyware software. You also need to check each transaction on your credit-card and bank statements for suspicious activity.

I'm going to side with the optimists. The online world is too important to fall into the hands of criminals. We'll never eliminate online criminal behavior entirely, any more than we can in the real world, but it's not too late to keep losses to a minimum.

Mike Langberg is a columnist for the San Jose Mercury News