Incidents of phishing, a type of online identity theft, were up slightly in May after surging in March and April, according to a report from an industry group.
The number of unique phishing attacks reported to the Anti-Phishing Working Group increased 6 percent in May to 1197, with an average of 38.6 reports each day, slightly higher than in April. The numbers could have been higher, but scam artists may have taken a break for Memorial Day in the United States, keeping the final tally low, the report says.
Phishing scams are a form of online crime in which unsolicited commercial e-mail, or spam, is used to direct Internet users to Web sites controlled by the thieves but designed to look like legitimate e-commerce sites. Users are asked to provide sensitive information such as a password, Social Security number, bank account number, or credit card number, often under the guise of updating account information.
Financial services companies continued to be the primary target of the scams, and Citibank customers were the most frequent target of phishers. Scams using the names of EBay and PayPal, an EBay company, were also rampant in May, according to the group, which is sponsored by Microsoft, VeriSign, and antispam company Tumbleweed Communications, among others.
Phishing scams surged in recent months, to 1100 in April, a 178 percent increase from March, according to figures from the Anti-Phishing Working Group's April report. In May the group received reports of over 300 attacks a week, with a big drop-off the week of May 29, possibly due to the Memorial Day holiday, the report says.
Faked sender (or "From") addresses on e-mail messages continued to be a popular tool of scam artists. At least 95 percent of e-mail messages submitted to the Anti-Phishing Working Group used such addresses.
The spoofed addresses are frequently identical to legitimate addresses at the companies being targeted by the phishers: For example, email@example.com and firstname.lastname@example.org were common spoofed addresses. The remainder of phisher e-mail messages submitted to the group came from so-called social engineering addresses--online mailboxes at domains run by the scam artists that resemble those of actual e-commerce sites. The domains, such as ebay.billing.com (instead of ebay.com) or verify-visa.net (as opposed to visa.com), are designed to fool customers, the report says.
The phishing problem has received increased attention from both the private sector and governments in recent months, as online criminals have seized on the scams as a lucrative and relatively simple way to make money.
Earlier this week, credit card company MasterCard International said it was partnering with NameProtect, an online brand protection service, to combat online identity theft and a black market in stolen credit card numbers. The two companies plan to aggressively pursue those behind phishing scams and to work with law enforcement to shut down Internet sites and tools used by the identity thieves, the companies say in a statement.
Also, on June 16 a consortium of companies from across industries announced a new group that will tackle phishing. The Trusted Electronic Communications Forum has representatives from leading retail, telecommunications, financial services, and technology companies, including Best Buy, AT&T, Charles Schwab, Fidelity Investments, and IBM.
The TECF will work with the United States and other governments, as well as with standards organizations and companies, to fix problems such as e-mail and Web-site spoofing, which are contributing to a fast-growing online identity theft problem, the group says.