WhiteCanyon.com

 

2 Million Bank Accounts Robbed:
Phishing Scams Revealed

How to keep yourself safe from Internet phishing scams during the holiday season

December 2004

This holiday season expect to be barraged by online scammers intent on stealing your personal identity—and your cash.

"During the holiday season, scammers multiply their efforts to try and get shoppers to give out personal information," says Steve Elderkin, President and CEO of WhiteCanyon Software, a leading security software provider. "Protecting passwords and logins for online accounts has never been more important to everyone's security."

In fact, according to a Gartner survey, nearly 2 million Americans have had their checking accounts raided by criminals in the past 12 months.

So, What is Phishing?

The trouble all begins when your login ID and password have been compromised.

Cyber criminals are constantly developing new ways to steal your login IDs and passwords through a method commonly referred to as "phishing."

Phishing attacks use 'spoofed' e-mails and fraudulent websites designed to fool recipients into divulging personal financial data, such as credit card numbers, account user names and passwords, social security numbers, etc. By hijacking the trusted brands of well-known banks, online retailers, and credit card companies, phishers are often able to convince up to 5% of recipients to respond to them.

The Anti-Phishing Working Group, an association of financial institutions and e-commerce providers, said it has seen a "massive increase" in phishing attacks already this season.

In October, it reported 6,597 new, unique phishing e-mail messages, three times the number reported in August. The group also noted that attacks showed spikes in activity and increased sophistication, which indicate that some automation may now be involved.

J.A. Hitchcock, author and cybercrime expert, says, "I bet you'll see inboxes flood with 'your account is suspended' or 'you need to update your information' in the next few weeks. Scammers know how to take advantage of fear."

Recent Phishing Attacks:

Dec 3, '04 - America Online - 'Notice : Your account will be suspended!'
Dec 2, '04 - Earthlink - 'Earthlink payment is cancelled'
Nov 30, '04 - Suntrust - 'Security Alert on Microsoft Internet Explorer'
(Source: http://www.antiphishing.org)

Internet Criminal Creativity

Criminals are getting more and more creative in how they transfer money out of hijacked accounts. One new method has been made possible with the free Bill Pay service now offered by most banks. If cyber criminals can gain access to your online account, they can set up a bill payment from your account to theirs and pay themselves.

Another method involves taking advantage of the images of cancelled checks made available to online banking customers. Imposters use them to create authentic-looking counterfeit checks; they have an added air of legitimacy, since the check numbers are appropriately in series.

Seven Steps to Protect Yourself from Phishing

With the Christmas shopping season now in full swing, a new and sophisticated method of phishing is quickly becoming a problem. In fact, the Federal Trade Commission warns, some phishing e-mails use software that can harm your computer or track your Internet activities without your knowledge, which is not what most people expect when they go holiday shopping.

"When shopping online this Christmas, be careful of free gift offers. As you browse the Internet, you will undoubtedly see many. You might see something like, 'download your free Christmas card maker,' only what you download is not what you might expect. Instead of downloading a program to create a Christmas card, you may just end up downloading a Trojan Key Logger program which will install itself on your computer as soon as you run it," says Elderkin.

What can you do?

  1. If anyone or any email asks you for your personal information, do not give it. Always call the registered phone number of your financial institution to validate the request.
  2. Keep your anti-virus software up to date. Anti-virus software is no longer an option; it's a necessity.
  3. If you have online banking, make sure you check it at least every two weeks. Financial fraud can happen fast.
  4. If you use your bank's free bill pay, keep watch for fraudulent accounts.
  5. Only buy from trusted online stores. If you cannot confirm that the store is legitimate, do not buy from it. Always look for a company phone number and address and do not be afraid to call it to make sure it is real.
  6. Keep your passwords stored in a safe location and do not let your browser or Windows remember your password for you. Auto-complete features are almost never secure storage areas. Phishing programs can steal auto-complete information.
  7. Clean up your computer often to ensure that your personal information is not lurking in your Internet browser's history files. What isn't there can't be stolen.

References

2 Million Bank Accounts Robbed (MSNBC):
(http://msnbc.msn.com/id/5184077)

Anti-Phishing Working Group:
(http://www.antiphishing.org)

Kansas City Star:
(http://www.kansascity.com/mld/kansascity/business/10265573.htm?1c)