Attention: Don't Bite These Phish
March 8, 2005
Whether you use a computer at work or at home, chances are you’ve received your share of unsolicited e-mail or SPAM. Many state workers in Kentucky have noticed a reduced amount of SPAM in recent months, or SPAM e-mails that are tagged with [WW SPAM] in the subject line. That’s because the Commonwealth Office of Technology (COT) has content security management in place today to help control the unsolicited e-mail state workers receive in their inbox. And while many people would consider SPAM more of an annoyance than a threat, there’s a growing trend in the world of SPAM that should be of concern to state workers. It’s called "phishing," and it can have devastating effects.
An Increasing Threat
The Anti-Phishing Working Group (APWG) found 9,019 new and unique phishing e-mail messages in December 2004, nearly four times the number reported in August. The group tracked 1,707 phishing Web sites in December, a 24 percent increase from November. The most targeted industry sector for phishing attacks continues to be financial services, from the perspective of total number of unique baiting sites as well as number of companies targeted. APWG is an industry association focused on eliminating the identity theft and fraud that result from the growing problem of phishing and email spoofing.
According to Doug Robinson, executive director for the National Association of Chief Information Officers (NASCIO), "Agencies should educate their own customers and respond urgently if they believe a phishing attack is underway. Government agencies and companies whose domains are spoofed or targeted by phishers may need to do damage control and recover the trust and confidence of their customers. In fact, becoming the successful target of a phishing scam may have serious liabilities for the agency as well as the individual. Banks are finding online customers are ignoring legitimate e-mails because they are scared about phishing. Online transactions may decline out of user fear."
So what do phishing e-mails look like? Here’s a list of some e-mail message subject lines posted to the Anti-Phishing Working Group Web site that users have reported receiving:
- 17-02-05 - Paypal - 'Unauthorized Access...'
- 15-02-05 - MSN - 'Microsoft Network customer dataverification'
- 08-02-05 - KeyBank - 'SECURE YOUR ACCOUNT NOW'
- 02-02-05 - Huntington Bank - 'Huntington - Urgent Security Notification'
- 31-01-05 - Amazon.com - 'Account Verification Notice'
- 27-01-05 - MSN - 'Warning Message'
- 25-01-05 - M&I Marshall & Ilsley Bank - 'Banking Online customer Report'
- 21-01-05 - Washington Mutual Bank - 'Re-Submit: wamu.com Urgent requirementvu'
- 19-01-05 - TCF Bank - 'TCF express checking card alert'
- 14-01-05 - Paypal - 'New e-mail address added to your account'
- 12-01-05 - Citizens Bank - 'Important Online Banking Alert'
- 11-01-05 - eBay - 'Account Verification'
- 10-01-05 - AOL - 'You've Got (2) Pictures@AOL.com'
What Should You Do?
- Be suspicious of any e-mail with urgent requests for personal financial information.
- If you receive an e-mail or pop-up message asking for personal or financial information, do not reply or click on the link in the message. Legitimate businesses usually do not ask for sensitive information via e-mail. If you are concerned about your account, contact the business by telephone using a number you know to be genuine.
- Never e-mail personal or financial information unless encryption is used. If you initiate a transaction and want to provide your personal or financial information through a business’ Web site, look for indicators that the site is secure, such as a lock icon on the browser’s status bar or a URL for a Web site that begins with ‘https:’. Unfortunately, no indicator is foolproof—some phishers have forged security icons.
- Review credit card and bank statements as soon as you receive them to determine if there are any unauthorized charges.
- Use anti-virus software and keep it current. Some phishing e-mails contain software that can harm your computer or track your activities on the Internet without your knowledge. Anti-virus software and a personal firewall can protect you from inadvertently accepting such unwanted files.
If you get spam that is phishing for information, forward it to email@example.com. If you believe you’ve been scammed, file your complaint at http://www.ftc.gov, and then visit the FTC’s Identity Theft Web site at http://www.consumer.gov/idtheft to learn how to minimize your risk of damage from ID theft. Visit http://www.ftc.gov/spam to learn other ways to avoid e-mail scams and deal with deceptive spam. The Anti-Phishing Working Group (APWG) keeps the latest Internet scams and fraud on their Web page at http://www.antiphishing.org/. Ensure that your browser is up to date and that security patches are applied.
Find Out More
For the latest on the privacy implications of phishing and suggestions for mitigating risk, see the recent brief from the National Association of State Chief Information Officers (NASCIO), Welcome to the Jungle: The State Privacy Implications of Spam, Phishing and Spyware. It's available for download from NASCIO's Web site.