Phishing E-mail

Take Caution as Phishing E-mails Increase

By Paige Engelhardt
Daily Universe Staff Reporter
March 21, 2005
"The first thing I thought was some person in Thailand is trying to make a quick buck," he said.

And that may have been just the case. Unknown to many, more and more scammers are using the World Wide Web as a snare to go "phishing" and catch innocent, unsuspecting users. If people like Kjelstrom are not careful, it can be a tumultuous sea with hooks and lures swallowing innocent victims in every surge.

In an Internet-savvy generation, personal protection is often overlooked as scammers steal the identities of trusting Web users.

Phishing gaining popularity among scammers

One of the deadly hooks snagging thousands of victims each year is identity theft phishing. The term "phishing" is used when an unknown person or entity sends mass e-mails that falsely represent legitimate enterprises to decoy users into releasing important financial and identification information to be used for identity theft. The e-mails redirect users to a different site, asking consumers to update personal information such as passwords, social security, and bank account numbers originally unrestricted to the imitated organization.

Counteracting phishing

These types of Internet e-mail scams are becoming increasingly common in the United States and abroad. According to statistics released by the Anti-Phishing Working Group, there was a 24 percent average growth rate of phishing sites from July through December 2004. In December alone, there were 1,707 active phishing sites reported to the Anti-Phishing Group. According to a Gartner research article, 57 million Americans think they have received a phishing e-mail.

Kjelstrom, a senior from Pasadena, Calif., majoring in accounting, said most of the people he knows get phishing e-mails.

As phishing sites on the Internet increase in regularity, Nyle Elison, product manager of BYU Office of IT, said the scammers are getting smarter.

"When these first started coming out, they were fairly obviously not from the company they supposedly came from," he said. "For example, you'd get an e-mail from someone from the US and the spelling was absolutely atrocious or the grammar was terrible. The newer ones are more sophisticated. They will use a logo, and the address looks like it's going to the right place."

Never respond to a phishing e-mail

Mari Frank, attorney and author of 'From Victim to Victor,' said about 18 percent of the people who receive phishing e-mails do respond to them, although not all proceed in giving out their personal information.

Frank said any type of response to a phishing e-mail is dangerous.

"If you're naïve enough to respond, even to say leave me alone, then they've captured your e-mail," she said. "Even if you've forwarded it to the FTC, as soon as you respond, they've captured who you are."

Kristen Wilde, director of communications for the Utah Bankers Association, said people will receive these e-mails with authentic-looking logos and immediately assume the e-mail came from that trusted organization. She said it's this fabricated trust that consequently leads people to give out their personal information to phishers. The most important issue to address is educating Internet users, she said.

"It's a newer scam and people aren't fully aware of it," she said. "If they're educated they will know not to respond [to the phishing e-mail]."

Educating against phishing

To help ensure a general understanding and awareness of the dangers posed by Internet phishers, Wilde said within the next few weeks the Utah Bankers Association will be launching a campaign focused on educating consumers about phishing.

Frank, a former identity theft victim, said students are especially at risk to becoming victims of this increasingly common type of phishing Internet malpractice.

"I can tell you that [college students] have grown up with IM, with computers, etc. "You're much more trusting than you should be," she said. "You're doing IM, video dating, and you don't think about your privacy. You're very lax about it and you get caught very easily. Students just don't think about the ramifications."

BYU counters spam and phishing

As this may be the case, BYU office of IT is currently working to install software to help protect students from receiving this type of phishing spam in their e-mail boxes. Elison, who works with the overall welfare of the network on campus, said installed programs already filter out a large amount of spam. Alas, problems like phishing are difficult to completely avoid.

"Unfortunately there won't be anything that will ever eliminate all spam," Elison said. "We are taking steps to improve our ability to detect and eliminate phishing and spam, but it is an ongoing battle."

Without full protection, people need to be alert to these fraudulent e-mails. Wilde said e-mails sent by phishers offer many clues revealing their lack of authenticity to the consumer. She said at her office they look for misspelled words, illegitimate Web sites, and imperfect graphics.

Most importantly, she said, banks will not work through this type of medium to obtain information from its patrons.

Banks will never ask for that [information]," she said. "They will never send you an e-mail asking for personal information.

Tips to thwart phishing attempts

Frank, an expert on identity theft, offers a few educated suggestions on how to avoid getting snagged by a phisher. Some of these include, never using or giving out your social security number, immediately deleting all phishing e-mails in your mailbox (don't try responding, forwarding, etc.), and personally contacting the supposed organization that sent you the e-mail.

People are going to have to watch out," she said. "They don't recognize the impact [of identity theft] on their life."

Anti-Phishing Tips Summary

Never use or give out your Social Security number

Immediately delete all phishing e-mails from mailbox

Do not respond to, forward, etc. any phishing e-mails

Personally contact the supposed organization that sent e-mail to verify authenticity of information request