21 Feb Phishing and pharming: Is your personal identity being harvested?
The terms “farming” and “fishing” have taken on new meaning, and this year’s “bumper crop” might include the harvesting of your personal and business identity.
Every day, millions of Internet users are bombarded with official-looking e-mails sent by con artists masquerading as MasterCard, eBay, Earthlink or US Bank.
Recently, scammers have stooped to new lows, taking advantage of tsunami victim relief efforts and families of soldiers killed in the Iraq war by creating bogus Web sites and messages that appeared to come from legitimate organizations. In February, Harry Potter fans were warned by author J.K. Rowling to watch out for Internet fraudsters claiming to sell copies of her latest wizard saga, while all they wanted was to steal credit card and bank information.
Phishing, also called brand spoofing, refers to phony e-mails or pop-up messages created to lure victims to fake Web sites, which appear identical to the site you are familiar with. The idea is that the bait is thrown out with the knowledge that most users will ignore it, while some will be tempted to take a bite. These messages entice you to divulge financial information. If you see a message like this, delete it right away. Banks and other financial institutions never use e-mail to update accounts.
Millions of consumers who have relationships with merchants and financial institutions receive these online messages every day. Phishing is a numbers game.
According to Mark McLane, president of Madison-based NameProtect, which specializes in identity theft and brand protection, “The average scam mailing is one million e-messages, with a direct response rate of 2 to 5 percent. This exceeds the average response for legitimate direct marketing.”
Pharming is the potential next generation of scams in which your identity is harvested. In a pharming attack, your browser gets hijacked through DNS cache modifications or through viruses and spyware that get installed on your computer without your knowledge. In this scenario, you type a legitimate URL into the address bar of your browser and a redirection scheme takes you to a fake site without any clue that you have been tricked.
These scams are a growing problem and will be one of the biggest threats for computer users in 2005, as the barriers to entry and the risks of getting caught are low. And the motivation to respond is high. “The user reads that they might lose banking and merchant privileges or have their power disconnected if they don’t respond,” McLane said.
Detection and prevention of these scams have not reached a strategic level for many CEOs and CIOs. When it becomes obvious to the CEO that their balance sheet has been impacted by fake products and Web sites, or when they face the embarrassment of disclosing that their customers’ identities have been compromised, they will take this more seriously, McLane said.
“If you don’t understand the characteristics of phishing, it can cost you your profits; if you think it can’t happen to you, it can cost you your business,” said Frank Ace, chief information officer of the Wisconsin Department of Justice. “It is becoming increasingly easy for someone to hijack and misuse your organization’s information for their profit, at your customer’s expense. At the same time, it is becoming more difficult to predict, prevent and punish those involved.”
As these scams continue to proliferate, they could have a negative impact on the rapidly growing market for online financial transactions.
“Security issues related to internet transactions and a perceived lack of security is certainly keeping people away,” said Dan Vaccaro, a partner at law firm Michael Best & Friedrich.
“People are not aware or are dealing with the downstream implications of online transactions. Identity theft is going to be the biggest category of financial crime over the next 10 years,” Vaccaro said.
To protect yourself, beware of messages that ask you to click a link to verify your personal information. Don’t e-mail personal or financial information. Review your bank and credit card statements for unauthorized charges as soon as you receive them. Always use firewall, anti-virus and anti-spyware software. Update these programs at least weekly.
Be cautious of opening or downloading attachments in e-mails, regardless of who appears to have sent them. And if in doubt, call your bank or merchant. You can also report suspicious activity to the Federal Trade Commission by forwarding it to email@example.com or by filing a complaint at www.ftc.gov.