WASHINGTON—When Elizabeth Owen, a frequent eBay user, got an e-mail that appeared to be from PayPal—the online auction company's payment service—asking her to update her credit information or be blocked from future purchases, she immediately went to work getting them the data.
Owen was just one click away from falling victim to "phishing"—the hottest new way to steal personal information over the Internet—before she deleted the information and turned off her computer.
She realized she should've known better: She's the executive director of the National Association of Consumer Agency Administrators, and her offices receive constant complaints about e-mail scams.
"If someone like me can do it, there is no one who is completely protected," Owen said.
Phishing is a thriving practice in identity theft, and it's growing at a record pace. The method has become so commonplace that the number of phishing attacks is incalculable.
The Anti-Phishing Working Group, which monitors the number of distinct e-mails used in phishing attacks, reports that over the last year they rose by 30 percent a month. In January, the number of new phishing e-mails detected jumped 42 percent over the previous month.
In a phishing attack, scammers send mass e-mails posing as banks, credit card companies, popular commercial Web sites and even the Federal Deposit Insurance Corp.
The e-mails ask recipients to "confirm" or "update" personal and financial information in a hyperlink to a look-alike Web site for the spoofed company, and usually threaten suspension or deactivation of accounts for noncompliance. Many of the e-mails claim to be anti-fraud departments at the institutions alerting the recipients to nonexistent suspicious transactions.
Bank or credit account numbers, passwords or PIN numbers, Social Security numbers and dates of birth are the most common information requested.
Once the information is obtained, scammers commit what's called transaction fraud by draining bank or credit accounts or selling the information to others who do the same. Any personal information that's stolen can be used to commit another type of fraud, popularly known as identity theft, in which the scammer uses the stolen data to pose as the victim.
Complicating efforts to prosecute these cases is the fact that phishing itself isn't illegal. Identity theft became a federal crime in 1998.
Identity theft is one of the fastest growing forms of fraud—with 9.91 million victims last year—and is largely attributed to a spike in online banking, according to Federal Trade Commission studies.
It's estimated that 1 in 5 people will become victims of identity theft this year.
"ID theft is changing our society," said Michael L. Jackson, the associate director of technology supervision at the FDIC.
The growth of identity theft is forcing industry leaders to re-examine the use and accessibility of sensitive personal information, such as Social Security and driver's license numbers.
Insiders with access to such information are also a concern: bank tellers, human resources personnel at offices and night cleaners at doctor's offices with access to files.
The Fair and Accurate Credit Transactions Act, enacted in 2004, was created primarily to help people combat identity theft through better access to their credit reports, new consumer rights and limits on information sharing. But banking officials are worried that phishing scams are developing with a speed and sophistication that are hard to combat with slow-moving government regulation.
The average lifespan of a phishing Web site is about five days, creating a revolving door of new sites. While most originate in the United States, there are increasing numbers of international sites.
The crime rings are becoming more organized, officials with the Anti-Phishing Working Group said. The thieves aren't just stealing identities, but also creating sites to buy, sell and trade them.
Government and business are scrambling to stay ahead of them.
Financial institutions are working on phishing-detection technologies and two-factor authentication systems, while Internet service providers are assisting in taking down the hosts of spoofed Web sites.
Sen. Patrick Leahy, D-Vt., introduced the Anti-Phishing Act of 2004 to criminalize phishing in the last congressional session and plans to reintroduce the bill, an aide said.
Congress also intends to conduct hearings soon on identity theft.
(c) 2005, Knight Ridder/Tribune Information Services.