A Costly Identity Crisis

If it seems to you that the phishing/spam problem has gotten worse lately,
it (unfortunately) isn’t your imagination.

The Anti-Phishing Working Group,
an industry association, reports a “massive increase in the amount of
phishing sites” beginning in early October. Altogether, there were 1,142
reported phishing sites on the Web last month, more than double the 543 in

Phishing, of course, is an increasingly costly scam that usually begins with
Internet users receiving e-mails that appear to be from legitimate businesses,
such as BestBuy, MSN or America Online. The e-mails typically include a Web
link that takes users to a counterfeit site, which looks almost identical to
the “real” company’s site. From there the scammers attempt to trick users
into giving away personal and financial information that can be used to fake
identities and commit financial fraud.

According to Jonathan Kraden, an attorney with the Federal Trade
Commission’s Bureau of Consumer Protection’s Division of Marketing
Practices, 4.6 percent of the U.S. population — or nearly 10 million
people — were victims of identity theft in 2003. Given the APWG’s report on
phishing site growth in October, the number of victims this year should be
considerably higher.

Kraden said the cost to the average victim in 2003 was $500 and 30 hours of
time spent resolving the problem. That totals about $5 billion and 297
million hours (talk about lost productivity!).

But identity theft isn’t just about ripping off individuals. For businesses,
the losses are even more staggering. According to Kraden, businesses and
financial institutions in 2003 lost a total of $47.6 billion, or about
$4,800 per corporate victim.

Since November 2003, reports the APWG, a total of 117 brands have been
“hijacked” — that is, had their online identities spoofed in an effort to
defraud users. About three-quarters of the victimized brands come from the
financial world. Citibank is a favorite target, as are online auction giant
eBay and electronic payment services provider PayPal.

And it’s only going to get worse. Security companies this week warned that a
Trojan-deploying phishing e-mail
allows hackers to steal users’ bank account
information. The scam has been prevalent in Brazil and Great Britain; its
arrival on U.S. shores reportedly is imminent.

While most phishing e-mails rely on immediacy — the recipient clicking on a
provided (and phony) link and inputting information — the new one
insidiously plants a Trojan virus on Windows machines that spies on the
user. The malware waits for the user to visit an online banking Web site,
then begins logging keystrokes and taking screen snapshots, giving the
cyber-thieves all the information they need to impersonate the victims and
break into their accounts.

Identity fraudsters are expanding beyond financial services firms and
retailers, according to FBI special agent Maxwell Marker. New targets
include the health care and mortgage industries. In the case of the former,
the crooks impersonate health care providers in order to commit medicare
fraud. Mortgage companies are bilked by thieves stealing the identity of
appraisers and submitting bogus property-value estimates.

It’s easy to feel helpless in the face of this depressing trend, but
security experts say there are steps individuals and businesses can take to
help safeguard themselves against phishing-related financial fraud and
identity theft.

The bad news for computer users and enterprises is that there are no magic
bullets. The good news is that there are tools already available
that can help protect you.

recommends that computer users deploy a firewall and anti-virus software and
install the necessary security patches.

If you already are a victim, the FTC urges you to immediately notify law
enforcement, including your local police department and the FBI. Also, in
cases where identity and information theft could affect businesses other
than yours — retailers, banks, etc. — you should notify these potential
victims immediately. When names and Social Security numbers are stolen,
notify the major credit bureaus.

The FTC offers more advice here.

News Around the Web