'Phishing' Scammers Try New Tactics

It used to be that phishing attacks, a kind of computer fraud, centered around e-mails that attempted to trick users into giving up passwords.

But the assaults are getting more sophisticated. In some cases, phishers are employing special software that allows them to persuade users they're dealing with a legitimate Web site.

Scott London is an attorney in Santa Barbara, Calif., and thinks of himself as Internet savvy — not the sort of person who gets taken in by online scams.

Until he did.

"Everything just seemed like it was on the up and up — there was nothing that led me to believe I was on an improper site. In hindsight I look at it and say: What an idiot I was. Why didn't I look at this and see this?"

London had recently bought a bike and a set of skis on eBay, so he wasn't surprised when he got an e-mail claiming to be from the payment service PayPal. The e-mail asked for some information, then took him to a Web site that he says looked exactly like the real PayPal site.

He put in his password. Almost immediately London knew something was up, because money started disappearing from his accounts.

"It's one of those things, you're just going through all your e-mails, you're not giving 100 percent of your attention to what you are doing — and before you know it, you're getting a phone call from a watchdog organization saying, 'Hey, you're in trouble.'"

London was lucky. Someone saw his personal information in an online chat room and called to alert him. He put a hold on his accounts.

Experts say cases like London's have become increasingly common.

Analyst George Tubin from the Tower Group said this kind of fraud is organized crime, and is based in the United States and foreign countries. He said for around $1,000, people can buy software called a "Universal Phishing" kit. The software lets them set up what's known as a "Man in the Middle" phishing attack, where they create a phony Web site that sits between an unsuspecting computer user and a real Web site.

For instance, it can use a real bank site's interactive features to fool users into believing they are talking to their bank, when in reality they are feeding information to an identity thief.

In order to curb the problem, new federal guidelines require banks to establish multiple authentication procedures. But Tubin said the banks are facing determined adversaries.

"I think the thing that banks are starting to recognize is, this is not a one-time war," he said. "This is an ongoing battle, and as a gentleman from the FBI described it to me, the criminals try to come over our 10-foot wall with a 15-foot ladder. So we go out and build a 20-foot wall, and it's just a matter of time before they come back with a 25-foot ladder."

And researchers say there is another problem for the banks — human nature. They say as customers grow increasingly familiar with online banking, they tend to let down their guard.

A recent study conducted by Harvard and MIT found that even when participants were confronted with increasingly alarming clues that a bank's Web site had been compromised, most logged on anyway.

Banks say there are safeguards, which consumers and hackers can't see, designed to prevent attacks on their online systems.

However, the amount of money lost to online phishing attacks is on the rise.

There is also the fear that as big banks boost the security on their Web sites, the fraudsters will simply move downstream, targeting smaller financial institutions with less elaborate security measures.
