"Phishing" Is Foul on the Net

When Gleb Budman got an e-mail from Bank of America last month asking him to sign up for VisaBucks, he got very suspicious. Like other Internet users, Budman has seen his fair share of bogus e-mail asking him to give up key personal information, passwords, and account numbers. The sender address on the e-mail Budman received looked like an imitation of an official BofA address, an all-too-common tactic used to trick people into believing the veracity of the e-mail. And like most fraudulent e-mail, the bank's message asked Budman to click through to a seemingly secure Web page where he was asked to fill out a form.

In fact, Budman discovered, the e-mail was an entirely legitimate message. But his confusion is frightening: In his day job, Budman is director of product management at MailFrontier, an antispam and antifraud e-mail services and software company. Every day he sees thousands of fake e-mail messages. And when a professional fraud spotter can't tell the difference between the real thing and the wrong thing, it's an ominous sign for Joe and Jane Internet user.

Budman's confusion underscores the dangerously high level of sophistication in a rapidly proliferating brand of e-mail fraud. Dubbed "phishing" in the Web vernacular, this type of scam entails cybercrooks posing as legitimate businesses asking users for key personal information. The perpetrators spray e-mail by the millions to random addresses using domain names of popular e-mail services such as aol.com, yahoo.com and earthlink.net. These messages request that recipients give up their passwords, account numbers, and other key information.

THREATENING LEVEL. Account holders at online auctioneer eBay and its PayPal electronic payment service, and customers at financial giant Citibank are favorite targets of phishermen. In mid-October phishing scams also hit such venerable British brand names as Lloyd's of London and Barclay's Bank. Electronics retailer BestBuy has also suffered a phishing scam. The scams have grown so sophisticated and so pervasive that FBI Assistant Director of Cybercrime Jana Monroe has called them the "most troubling new scam on the Internet."

"New," however, isn't entirely accurate. Phishing has existed as long as the commercial Internet has operated. Evidence suggests, though, that it's hitting a new and more threatening level. In September, 2003, about 80 million fraudulent e-mail messages went out, according to MailFrontier estimates. That's up 43% from 56 million messages in August, the first month for which MailFrontier had culled specific data on e-mail fraud.

Compared to the tens of billions of plain-old spam messages sent each month, phishing is a relative rarity. MailFrontier estimates that only 1 out of every 12,500 messages is a phishing attempt. Further, Budman says it's too early to peg a trend. Fraud efforts might ebb and flow depending on the activities of high-volume senders.

MORE BRAZEN. Anecdotally, though, according to Budman and others, phishing is on the rise. And what it lacks in frequency, it makes up for in severity. Phishing is a fast-growing component of the scourge known as identity theft, and victims of phishing scams often spend many hours trying to rescue their credit and salvage their good names. According to the U.S. Federal Trade Commission, identity theft has cost U.S. consumers and financial institutions $53 billion over the past five years and affected 27 million individuals. Cleaning up a serious identity theft requires 600 hours, according to the Identity Theft Resource Center, a nonprofit advocacy group.

The majority of these thefts happen off-line. But the online thefts are growing remarkably sophisticated and brazen. Phishing e-mail often contains graphics and text lifted directly from Web sites or messages of legitimate companies. That's a marked change from even two years ago when most arrived with hackneyed graphics, atrocious grammatical errors, and clumsy falsified logos.

The phishing crooks have also adopted tactics that push psychological buttons. Many claim to be from fraud-investigation departments seeking information about your account to ensure that key information hasn't been stolen. Others notify victims that hundreds of dollars are waiting in an account for them to pick up if they can verify their identity. That might sound implausible in the real world, but PayPal's and Citibank's C2IT direct-payment systems often send out such notifications.

A QUESTION OF JUDGMENT. In a study conducted earlier this year by MailFrontier, 40% of people who read a fraudulent Citibank e-mail were fooled into thinking it was real. "What we found is that the fraudsters have gotten smarter over time. It's very similar to spammers," says Budman.

How to stop the phishing remains a tricky question. Often banks and credit-card companies contract out promotions to third-party digital marketing agencies. This means consumers might get an official-looking e-mail from Citibank that doesn't originate at a Citibank URL, a key red flag. And as the phishing messages and the accompanying Web sites they send you to more closely mimic the real deal, even expert Web surfers will have more trouble judging legitimacy.

This is a huge problem considering that e-mail is now such an inextricable part of sensitive commercial transactions. eBay's fraud department would indeed notify you with an e-mail if someone had broken into your account, and PayPal would send you an e-mail when a payment arrives in your account. If these messages get ignored or deleted, you may regret it.

SEVEN FACTORS. Despite these obstacles, a new wave of antifraud technologies is emerging. Managed e-mail services company BrightMail plans to harness a network of millions of "honeypot" e-mail accounts to spot phishing attempts soon after the messages hit the wires. BrightMail software then creates a signature of that mail and also warns its customers -- and the companies whose name is spoofed in the fraud attempt.

MailFrontier has built fraud-detection software that looks at each incoming message and checks for seven key factors. Budman won't reveal all seven, but most are easy to understand, such as a process that checks to make sure all hyperlinks in a message lead back to legitimate URLs. A favorite tactic of phishers is to include all legitimate URLs except for the one that clicks through to their collection page where they ask for the sensitive information. When MailFrontier's software detects what it believes to be a fraudulent mail, that message is directed to a separate folder on the customer's desktop.
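A minimal version of the hyperlink check described above, combined with the "doesn't originate at a Citibank URL" red flag mentioned earlier, as an added Python example that is neither MailFrontier's software nor code from the article: it extracts every link from a constructed HTML message, compares each link's registrable domain against an assumed allowlist for the impersonated brand, and also flags a sender domain outside that allowlist and link text that displays one URL while pointing at another. The sample message, the sender address, the allowlist and every domain in it are constructed placeholders.

```python
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message: a brand-impersonation mail in which most links point at
# the impersonated company and one at the collection page. All domains are placeholders.
SAMPLE_FROM = '"Example Bank Security" <alerts@example-bank-mail.net>'
SAMPLE_HTML = """<html><body>
<p>Dear customer, please <a href="https://secure-update.example.net/login">verify your account</a>.</p>
<p><a href="https://www.example-bank.com/privacy">Privacy policy</a> |
<a href="https://www.example-bank.com/contact">Contact us</a> |
<a href="http://www.example-bank.com.example.net/help">https://www.example-bank.com/help</a></p>
</body></html>"""

# Domains the impersonated brand actually sends from and links to (assumed allowlist).
LEGIT_DOMAINS = {"example-bank.com"}


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Naive eTLD+1 (last two labels); production code should consult the public suffix list."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def is_legit_url(url, legit_domains):
    return registrable_domain(host_of(url)) in legit_domains


def sender_domain_ok(from_header, legit_domains):
    _, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2]
    return registrable_domain(domain) in legit_domains


def analyze_message(from_header, html, legit_domains):
    """Return a list of human-readable findings; an empty list means nothing was flagged."""
    findings = []
    if not sender_domain_ok(from_header, legit_domains):
        findings.append(f"sender domain not in allowlist: {from_header}")
    parser = LinkExtractor()
    parser.feed(html)
    for href, text in parser.links:
        if not is_legit_url(href, legit_domains):
            findings.append(f"link to non-allowlisted host: {href}")
        # Visible text that looks like a URL but points elsewhere is a classic lure.
        if text.startswith(("http://", "https://")) and host_of(text) != host_of(href):
            findings.append(f"link text {text!r} does not match target host {host_of(href)}")
    return findings


if __name__ == "__main__":
    for finding in analyze_message(SAMPLE_FROM, SAMPLE_HTML, LEGIT_DOMAINS):
        print("FLAG:", finding)
```

Two caveats a deployment would have to handle. The sender-domain check produces exactly the false positives the article describes: a legitimate promotion sent by a third-party marketing agency fails it, so an allowlist has to include the agencies a brand actually uses. And `registrable_domain` only takes the last two labels, which misclassifies hosts under suffixes such as `co.uk`; a real filter would use the public suffix list.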

In all likelihood, phishing damage will have to increase a whole lot more before companies and individuals start to think seriously about buying software or services to protect themselves. Even though spam affects just about everyone using e-mail, fewer than half of those holding e-mail accounts have antispam software either individually or through their Internet service providers. That means finding easy marks on the Internet is much like shooting phish in a barrel.

BusinessWeek Online originally published this article on 8 October 2003.