How to Avoid the "Phish" Hook

Posted on May 23, 2004

By Amey Stone

"Urgent notice from eBay," read the subject heading of an e-mail I received recently. It alerted me that I had "unpaid activities" on the eBay (EBAY) site, possibly because my billing information was out of date. "Failure to update will result in cancellation of service," it warned. To resolve this problem, I should go to the Web address included in the e-mail right away, log in, and update my credit-card information.

I'd been phished! Just as I suspected, the link took me to a phony Web site, which looked exactly like an eBay site and prompted me to divulge my user name and password. I resisted the temptation, but not all Net users would have known what to do in that situation.

"Phishing" is Web lingo for the practice of cyber scammers sending out millions of e-mails hoping to reel in a small percentage of Internet users who will supply them with valuable personal information. Typically, the e-mail preys on individuals' fears that they have a problem with an online account. It links them to a fictitious (or "spoof") site, where they're urged to supply a password, Social Security number, or credit-card account number.

GETTING SLICKER. In the eBay-related phishing attack I encountered, the online scammer was likely hoping to hook the password of a reputable eBay dealer and then fraudulently list items on the account -- with the intent of collecting cash without having to fill an order, says Rob Chesnut, deputy general counsel at eBay. For other scammers, the goal may be credit-card fraud or wholesale identity theft.

As phishing has exploded in frequency and sophistication, nearly every major financial-services company or online retailer has been targeted, according to security experts. Research firm Gartner, which estimates that as many as 57 million Americans have received this kind of fraudulent e-mail, puts the cost to banks, credit-card companies, and online shopping sites last year at $1.2 billion. In a survey released May 6, Gartner found that as many as 3% of online users (an estimated 1.78 million adults) had responded to phishing attacks by divulging personal information in the past year.

"Attacks are getting much cleverer," says Phil Libin, president of software maker CoreStreet, which on May 3 released a free program called SpoofStick that helps users recognize spoof sites. Where the phishing e-mails were once almost always unprofessionally worded and the spoofed sites clearly fake, now "it's pretty hard to tell," he says.

As good as phishing attacks are getting, you can take some relatively easy steps to evade them, and some new technologies are available to help. Here are six ways to avoid getting hooked:

1. Be suspicious of requests for personal information. Financial-services companies and online retailers will e-mail you ad nauseam about special offers and promotions. But these days, they're unlikely to ask you for personal information in an e-mail. Says eBay's Chesnut: "We've altered our practices and are far less willing to e-mail someone regarding their account or finances."

That's not always the case, but if you're suspicious of an e-mail, look closely at the wording and you may soon realize it's a scam. My review of the phishing e-mails I have received in recent weeks shows that even though they're generally more professional looking, most contain typos, misspellings, or ungrammatical constructions.

For example, one recent phishing e-mail warned, "If the account information is not updated to current information within 5 days then, your access to bid or buy on eBay will be restricted." Note the awkward wording as well as the comma in the wrong place -- mistakes you can bet eBay's crackerjack communications team wouldn't make.

2. Don't click the link.

This is the simplest advice, if in some ways the least satisfying, for avoiding phishing attacks. If an e-mail gets you worried about the status of your eBay account, for example, just type the URL of eBay's homepage in your browser and log in that way. If a problem with your account really exists, customer service will likely contact you right away via a pop-up window, says Chesnut.

A variant of this rule: "Never give your personal information unless you have initiated contact with the merchant," says Neal Creighton, president and CEO of security firm GeoTrust. It's a good rule of thumb in any online transaction.

3. Try some of the new Web tools that unmask fake sites.

CoreStreet's SpoofStick works as an extension to the Internet Explorer or Mozilla Firefox browsers. It alerted me instantly that I wasn't really on eBay -- I was on "www.com.1.vg.com" -- when I linked from the phishing e-mail I described.

"It's not like your browser is being fooled," says Libin. "It just won't tell you where you are." (That's mainly because Web-site addresses can be so long and confusing.) SpoofStick may still not be foolproof if a spoof site is a "close cousin" domain name that sounds legit, like "eBaysecure," for example, says Jonathan Penn, an analyst specializing in messaging security at Forrester Research. Still, I've found it to be a handy tool for unmasking fakes.
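What a SpoofStick-style tool does is mechanical: take the link the page actually loaded from, throw away everything that is not the host, and show that host next to the brand the page pretends to be. The script below is an added example, not CoreStreet's code or anything from the original article. It reproduces that check on a few constructed links, including the "www.ebay.com@..." userinfo trick and a bare-IP host, and it also flags the "close cousin" case Penn describes, where the brand name appears inside a domain that is not the real one. The brand table and the sample URLs are constructed for illustration.

```python
"""Show the host a link really goes to, the way SpoofStick-style tools do.

Added example; not CoreStreet's code. REAL_DOMAINS and the sample links
are constructed for illustration.
"""
import ipaddress
from urllib.parse import urlsplit

# Constructed for this example: brand name -> the domain the real site uses.
REAL_DOMAINS = {"ebay": "ebay.com", "paypal": "paypal.com"}


def _split(url: str):
    # Links in mail are often written without a scheme; add one so that
    # urlsplit treats the first component as the host, not the path.
    return urlsplit(url if "://" in url else "http://" + url)


def real_host(url: str) -> str:
    """Hostname the browser will actually connect to (lower-case, no trailing dot).

    urlsplit().hostname drops the scheme, any userinfo before '@'
    ("www.ebay.com@evil.example") and the port, which is exactly the part
    a deceptive link wants you to miss.
    """
    return (_split(url).hostname or "").rstrip(".").lower()


def is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def registrable_domain(host: str) -> str:
    """Last two labels of the host, or the host itself for an IP literal.

    Simplified on purpose: a real tool consults the public-suffix list so
    that names such as ebay.co.uk are reduced correctly.
    """
    if is_ip_literal(host):
        return host
    return ".".join(host.split(".")[-2:])


def assess(url: str, looks_like: str) -> dict:
    """Compare where a link really goes with the brand the page imitates."""
    host = real_host(url)
    domain = registrable_domain(host)
    flags = []
    if "@" in _split(url).netloc:
        flags.append("userinfo-in-url")      # brand name hidden before '@'
    if is_ip_literal(host):
        flags.append("ip-literal-host")      # no domain at all, just an address
    genuine = domain == REAL_DOMAINS[looks_like]
    if not genuine and looks_like in host:
        flags.append("lookalike-domain")     # the "close cousin" case
    return {"host": host, "domain": domain, "genuine": genuine, "flags": flags}


if __name__ == "__main__":
    # Constructed sample links: one real, three deceptive.
    for link in ("http://www.ebay.com/ws/eBayISAPI.dll?SignIn",
                 "http://www.ebay.com@www.com.1.vg.com/ebay/signin.php",
                 "http://ebaysecure.example/login",
                 "http://192.0.2.10/ebay/"):
        print(assess(link, "ebay"))
```

The second sample is the shape of the link in the e-mail described above: the text before the "@" is ignored by the browser, so the page is served by "www.com.1.vg.com", which is what the tool displays. The third sample is the case the tool cannot settle on its own: "ebaysecure.example" is shown truthfully, but only the lookalike flag, or a user who knows the real domain, reveals it as a fake.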

eBay and Internet service provider Earthlink (ELNK) recently added a similar feature to their toolbars. Best of all, these two outfits are sharing their lists of confirmed spoof sites, making the roundup much more robust. There's even a button to report a spoof site, which means frauds will get uncovered more quickly. "You'll see more companies working together like this to share lists," says Chesnut.

4. Contact your credit-card company, bank, or the Web site immediately if you suspect you've been hooked in a phishing attack.

One reason phishing succeeds so often is that it plays on people's fears, inciting them to act before they think. (That's also why security experts believe it's not enough just to educate consumers to be wary of these scams -- the bogus messages have to be stopped before they reach the in-box.)

If you realize you've entered your personal information on a fraudulent site, get on the phone with your credit-card or bank customer service right away, and you may avoid any damage. A lot of personal data collected via phishing is sold on the black market and not used right away. One tip security experts recommend: Always use the same credit card online, so you can check on your account easily.

5. Lobby your ISP to do something about the problem.

Internet users shouldn't have to be constantly on their guard to avoid scams, say security experts. Much of the pain Internet companies are experiencing due to scams like phishing and spoofing is ultimately their fault for failing to present a consistent image (using lots of different domain names, for example) and making it too easy for scammers to pretend they're someone else. "They haven't been consistent in their online persona," says Penn. "They've spent years ingraining bad practices" in users and "training people to just do whatever," he says. "You can't untrain them."

ISPs should adopt technologies to eradicate this problem. For example, mail programs could validate that an e-mail claiming to come from a domain was in fact handed over by a server whose Internet-protocol (IP) address that domain has authorized. Likewise, companies could adopt better antispam tools that distinguish legitimate (or certified) mass e-mailers from phishers. "You should be able to get an e-mail, and if it says it's from eBay, know it's from eBay," says Libin. As the technology improves and is more widely adopted, someday soon you'll be able to know that.
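The sender check the experts describe can be shown in a few lines. The script below is an added example, not code from any ISP or from the article. It reads two constructed messages, takes the domain from the From: address, reads the IP address that delivered the message to the receiving server, and compares that IP with a table of servers the domain is allowed to send from. The table is a stand-in: in practice the domain publishes that list in DNS (the idea behind sender-policy records such as SPF), and the mail program looks it up rather than keeping it locally. Both messages, the table, and the addresses in them are constructed for illustration.

```python
"""Check that mail claiming to be from a domain was delivered by one of that
domain's authorized servers.

Added example; not an ISP's or a mail program's real code. The authorized
server table and the two messages are constructed for illustration.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed stand-in for the record a domain would publish in DNS:
# domain -> IP addresses of the servers it really sends from.
AUTHORIZED_SENDERS = {
    "ebay.com": {"192.0.2.25", "192.0.2.26"},
}

# IPv4 address in square brackets, as receiving servers write it in Received:.
RECEIVED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def sender_domain(msg) -> str:
    """Domain of the address in From: (the display name is ignored)."""
    _name, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def connecting_ip(msg):
    """IP address of the server that handed the message to our own server.

    Only the topmost Received: header counts: our own server added it on
    delivery. Every Received: header below it arrived with the message and
    can say whatever the sender wants it to say.
    """
    received = msg.get_all("Received") or []
    if not received:
        return None
    m = RECEIVED_IP.search(received[0])
    return m.group(1) if m else None


def check_sender(raw_message: str) -> str:
    """Return 'pass', 'fail', 'none' (domain publishes nothing) or 'neutral'."""
    msg = message_from_string(raw_message)
    allowed = AUTHORIZED_SENDERS.get(sender_domain(msg))
    if allowed is None:
        return "none"
    ip = connecting_ip(msg)
    if ip is None:
        return "neutral"
    return "pass" if ip in allowed else "fail"


# Constructed message: the phisher forged a Received: line naming eBay's
# server, but our own server recorded the real connecting address on top.
PHISH = """\
Received: from mail.example.net ([198.51.100.7]) by mx.mailbox.example
Received: from smtp.ebay.com ([192.0.2.25]) by mail.example.net
From: "eBay" <aw-confirm@ebay.com>
Subject: Urgent notice from eBay

Failure to update will result in cancellation of service.
"""

# Constructed message delivered directly by an authorized server.
GENUINE = """\
Received: from smtp.ebay.com ([192.0.2.25]) by mx.mailbox.example
From: eBay <noreply@ebay.com>
Subject: Your invoice

Your monthly invoice is available.
"""

# Constructed message that only borrows the brand in its display name; the
# address itself belongs to a domain that publishes no policy.
DISPLAY_NAME_ONLY = """\
Received: from mail.example.net ([198.51.100.7]) by mx.mailbox.example
From: eBay Billing <billing@example.net>
Subject: Account problem

Please verify your account.
"""

if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("genuine", GENUINE),
                       ("display-name-only", DISPLAY_NAME_ONLY)):
        print(f"{label}: {check_sender(raw)}")
```

The third message shows the limit of this kind of check: it validates the domain in the address, not the name displayed beside it, so a message from "eBay Billing <billing@example.net>" is not rejected, merely unchecked. The mail program still has to show the user the real address, which is the "consistent persona" point Penn makes above.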

6. Warn family and friends who may be new to the Internet and susceptible to scams.

For now, spreading the word about phishing and spoofing is the best defense. "Sophisticated users need to think of anyone they know who wouldn't be aware" of the potential for fraud, says Libin. "Sit down with them and explain what to do."

If phishing and spoofing continue to succeed so often, they'll contribute to a general sense among the public that doing business online makes one vulnerable to fraud, warn security experts. Online companies need to do more, "or it will absolutely start eroding trust," says Creighton.

As phishing attacks become more skillful, consumers have to be vigilant as well. A little thought before acting on a threatening e-mail can go a long way. "People should keep this in perspective," says Libin. "It doesn't have to be that damaging if you don't let it be."

Stone is senior writer for BusinessWeek Online in New York.
