Identity theft is the name of the game. If someone can get vital authentication information, that person may be able to access another's bank accounts, charge accounts or credit information.
Still, identity theft flourishes, and one easy and increasingly popular way of capturing personal data is called phishing.
Phishing isn't really new -- it's a type of scam that has been around for years and in fact predates computers. Malicious crackers did it over the phone for years and called it social engineering. What is new is its contemporary delivery vehicle -- spam and faked Web pages. Phishing (sometimes called carding or brand spoofing) uses e-mail messages that purport to come from legitimate businesses that one might have dealings with -- banks such as Citibank; online organizations such as eBay and PayPal; Internet service providers such as AOL, MSN, Yahoo and EarthLink; online retailers such as Best Buy; and insurance agencies.
The messages may look quite authentic, featuring corporate logos and formats similar to the ones used for legitimate messages. Typically, they ask for verification of certain information, such as account numbers and passwords, allegedly for auditing purposes. And because these e-mails look so official, up to 20% of unsuspecting recipients may respond to them, resulting in financial losses, identity theft and other fraudulent activity against them.
The Phishing Lure Here's an example of how phishing works. On Nov. 17, 2003, many eBay Inc. customers received e-mail notifications that their accounts had been compromised and were being restricted. In the message was a hyperlink to what appeared to be an eBay Web page where they could re-register. The top of the page looked just like eBay's home page and incorporated all the eBay internal links. To re-register, the customers were told, they had to provide credit card data, ATM personal identification numbers, Social Security number, date of birth and their mother's maiden name. The problem was, eBay hadn't sent the original e-mail, and the Web page didn't belong to eBay -- it was a prime example of phishing.
Cutting the Line Even before phishing became so prevalent, legitimate businesses and financial institutions would hardly ever ask for personal information via e-mail. If you receive such a request, call the organization and ask if it's legitimate or check its legitimate Web site. Look for misspellings and bad grammar. While an occasional typo can slip by any organization, more than one is a tip-off to beware. If the e-mail refers you to a Web site, look carefully at the URL. It's easy to disguise a link to a site. Beware of the @ symbol in a URL. Most browsers will ignore all characters preceding the @ symbol, so this Web address -- http://email@example.com -- may look to the unsuspecting user like a page of Respected Company's site. But it actually takes visitors to thisisascam.com.
The longer the URL, the easier it is to conceal the true destination address. Other ways to disguise URLs include substituting similar-looking characters, so that paypal.com could be (and has been) spoofed as paypaI.com or paypa1.com. Similarly, a zero can be substituted for the letter O within a URL.