RealTime IT News

A Costly Identity Crisis

If it seems to you that the phishing/spam problem has gotten worse lately, it (unfortunately) isn't your imagination.

The Anti-Phishing Working Group, an industry association, reports a "massive increase in the amount of phishing sites" beginning in early October. Altogether, there were 1,142 reported phishing sites on the Web last month, more than double the 543 in September.

Phishing, of course, is an increasingly costly scam that usually begins with Internet users receiving e-mails that appear to be from legitimate businesses, such as BestBuy, MSN or America Online. The e-mails typically include a Web link that takes users to a counterfeit site, which looks almost identical to the "real" company's site. From there the scammers attempt to trick users into giving away personal and financial information that can be used to fake identities and commit financial fraud.

According to Jonathan Kraden, an attorney with the Federal Trade Commission's Bureau of Consumer Protection's Division of Marketing Practices, 4.6 percent of the U.S. population -- or nearly 10 million people -- were victims of identity theft in 2003. Given the APWG's report on phishing site growth in October, the number of victims this year should be considerably higher.

Kraden said the cost to the average victim in 2003 was $500 and 30 hours of time spent resolving the problem. That totals about $5 billion and 297 million hours (talk about lost productivity!).

But identity theft isn't just about ripping off individuals. For businesses, the losses are even more staggering. According to Kraden, businesses and financial institutions in 2003 lost a total of $47.6 billion, or about $4,800 per corporate victim.

Since November 2003, reports the APWG, a total of 117 brands have been "hijacked" -- that is, had their online identities spoofed in an effort to defraud users. About three-quarters of the victimized brands come from the financial world. Citibank is a favorite target, as are online auction giant eBay and electronic payment services provider PayPal.

And it's only going to get worse. Security companies this week warned that a Trojan-deploying phishing e-mail allows hackers to steal users' bank account information. The scam has been prevalent in Brazil and Great Britain; its arrival on U.S. shores reportedly is imminent.

While most phishing e-mails rely on immediacy -- the recipient clicking on a provided (and phony) link and inputting information -- the new one insidiously plants a Trojan virus on Windows machines that spies on the user. The malware waits for the user to visit an online banking Web site, then begins logging keystrokes and taking screen snapshots, giving the cyber-thieves all the information they need to impersonate the victims and break into their accounts.

Identity fraudsters are expanding beyond financial services firms and retailers, according to FBI special agent Maxwell Marker. New targets include the health care and mortgage industries. In the case of the former, the crooks impersonate health care providers in order to commit medicare fraud. Mortgage companies are bilked by thieves stealing the identity of appraisers and submitting bogus property-value estimates.

It's easy to feel helpless in the face of this depressing trend, but security experts say there are steps individuals and businesses can take to help safeguard themselves against phishing-related financial fraud and identity theft.

The bad news for computer users and enterprises is that there are no magic bullets. The good news is that there are tools already available that can help protect you.

The FTC recommends that computer users deploy a firewall and anti-virus software and install the necessary security patches.

If you already are a victim, the FTC urges you to immediately notify law enforcement, including your local police department and the FBI. Also, in cases where identity and information theft could affect businesses other than yours -- retailers, banks, etc. -- you should notify these potential victims immediately. When names and Social Security numbers are stolen, notify the major credit bureaus.

The FTC offers more advice here.