Identity Theft Gets Phishy

Several months ago my credit card company called to ask about some suspicious charges on my account. It was a card I hadn't used in a while--and certainly not to purchase bus tickets in St. Louis. There were a handful of other charges to my account, none of which were mine, I told the helpful rep. She asked me if the card had ever been out of my possession. In the brief moment it took me to tell her it had not, I became alarmed that a person with no direct access to a relatively inactive credit card account could use my number to make charges half a country away.

I never found out how someone got my credit card number and went on a spending spree in our nation's heartland. I've been monitoring my other accounts, and I'm happy to report that it doesn't appear anyone is out there impersonating me, buying stuff in my name, and shredding my credit rating. But many others don't share my good fortune.

The Federal Trade Commission said it received 215,000 complaints of identity theft last year. That's up 33 percent from the year before. The commission says identity theft is the number-one scam reported. And those are just the complaints made to the FTC. Experts say millions of people are victims of identity theft each year--and the number keeps rising.

Today's identity thieves are increasingly exploiting a new tool: the Internet.

Shooting Phish in a Barrel

The scam is called phishing, or spoofing, and it's been around longer than computers have. Crooked telemarketers used to do it to coax information out of people that they could use to clean out their checking accounts, among other things. Today's scam artists use spam and fake Web pages to do the same thing.

Soon after my credit card scare, an e-mail purporting to be from my bank was sent to the Yahoo account that I use to avoid being spammed at my primary e-mail account. The message asked for personal information, including my account number, for verification. It looked official, but the fact it was sent to my Yahoo account (not the one that the bank has on file) and included a few egregious misspellings led me to believe it was fake--which it was.

However, by some estimates, as many as 20 percent of people who receive this type of spam click the link in the message and enter their personal information at what looks like a legitimate Web site.

Last November, EBay customers received an e-mail that claimed their accounts had been compromised. When they clicked through to an authentic-looking EBay site, they were asked for credit and debit card information. And recently the Federal Deposit Insurance Corporation warned people of a particularly diabolical phishing scam: A bogus e-mail was circulating that claimed people's bank accounts had been denied insurance because of violations of the Patriot Act, the law the government put in place to protect citizens after September 11, 2001.

What makes the scams I've mentioned effective is that when people click the link in the e-mail, they're not only whisked to a legitimate-seeming site, but also their Internet Explorer address bar displays the appropriate address. For example, in the FDIC scam the link appeared as "www.fdic.gov"--but the phony site is actually hosted in Pakistan.

Another Microsoft Software Flaw

Phishers can make legitimate-looking sites appear in the IE status, address, and title bars thanks to a known flaw that took Microsoft more than a month to fix. Go to Microsoft's site to download the IE security patch and learn how to protect yourself from these scams.

Above all, remember the cardinal rule about using the Internet: Don't give out personal information unless you know exactly who's asking for it and why. In general, legitimate businesses do not request personal information via e-mail.

If you're unsure about an e-mail request you've received, wait, ask around, and find out if it's a scam. Do a search on the Web for news about the company that supposedly needs your data. And by all means, if you think it's a scam, report it to the FTC.

As for me, I'm reading my credit card statements more closely than I used to, and I'm making sure I don't help phishers in their chosen profession. I've downloaded the latest Internet Explorer fix and I'm assuming every e-mail that hits my in-box asking for info about me is a fraud--until I'm 100 percent sure it isn't.

Brad Grimes is a former executive editor for PC World. He lives near Washington, D.C.