The Internet has revolutionized the way we communicate, share information, shop, and even date. Unfortunately, it's also revolutionized the growing crime of identity theft. Here's a story about the latest scam.
New online cons. I'm Bob Hirshon and this is Science Update.
If you get an urgent email from your bank asking for personal information, watch out. That's a common form of an Internet con called "phishing."
According to Markus Jakobsson, Professor of Informatics at Indiana University in Bloomington, phishing emails closely mimic the logos and even domain names of legitimate companies. They might even exploit your own behavior: for example, by saying you've won an item on eBay that you really are bidding on, then routing you to a phony website.
So now all it takes for the attacker is to figure out where he sends this email. So in other words, he'd have to link the eBay user ID to an email address to which he wants to deliver the thing.
He says websites could help by taking user IDs off their public pages. I'm Bob Hirshon for AAAS, the Science Society.
Making Sense of the Research
Not too long ago, Internet scammers could easily convince people to send them their social security numbers, bank account numbers, and other personal information just by pretending to be a poor refugee from Nigeria, or by telling them they've won a sweepstakes. And many still do. But most Web surfers have gotten pretty used to spam, so the con artists have had to take their game up a notch to stay competitive.
If you have an email address, chances are you've received a phishing email yourself by now. Compared to old-school spam, which comes from complicated-looking email addresses and is packed with bad spelling and grammar, phishing emails look deceptively professional. The From line usually shows the name of a well-known corporation, like a bank or a credit card company. The subject is often urgent-sounding but vague, such as "Please update your information." The body of the message might tell you to go to the bank's website to update your personal information—"or else" (for example, or else you won't be able to access your account). It will often include the company's logo, and the website address and the sender address may look legitimate.
Unfortunately, it's not so hard to "spoof" a real company's domain name, that is, to forge the sender address so the message appears to come from it (plain email delivery does not check that the From line is truthful), or to register a phony domain that sounds real (like yourbank.net instead of yourbank.com). And as Jakobsson points out, phishers can also exploit your own online behavior. How many websites do you have usernames and passwords for? For many people, it's now in the dozens. And even when websites (like eBay) try to hide your personal information behind a username, all a phisher needs to do to get your real address is click on the username and send an email to you. If you reply, your real email address will probably appear in the message. And now that the phisher knows your email address and the types of things on which you're bidding, he or she can use that knowledge to win your confidence and get more personal information from you.
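The indicators described above (a brand name in the From line that does not match the sending domain, an urgent but vague subject, and a link to a look-alike domain such as yourbank.net in place of yourbank.com) can be checked mechanically. The following is an added example written for this page, not code from the article, AAAS, or Jakobsson's research. The brand table, the urgency phrases, and both sample messages are constructed for illustration; yourbank.com is only the article's own placeholder.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Hypothetical brand table (not from the article): the lowercase brand name a
# phisher might put in the From display name, mapped to the domain the real
# company actually sends from. An organisation would maintain its own list.
KNOWN_BRANDS = {"yourbank": "yourbank.com", "ebay": "ebay.com"}

# Urgent-but-vague phrases of the kind the article describes; assumed list.
URGENCY_PHRASES = ("urgent", "update your information", "verify your account",
                   "suspended", "within 24 hours")

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def registrable_domain(host: str) -> str:
    """Reduce a hostname to its last two labels: secure.yourbank.net -> yourbank.net.
    Good enough for .com/.net; a production checker would use the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character typo-squats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def looks_like(candidate: str, legit: str) -> bool:
    """True when candidate imitates legit without being it: the same name under
    another TLD (yourbank.net vs yourbank.com), the real name embedded in a
    longer one (yourbank-alerts.net), or a one-character edit of the name."""
    if candidate == legit:
        return False
    c_name = candidate.partition(".")[0]
    l_name = legit.partition(".")[0]
    if l_name in c_name:
        return True
    return edit_distance(c_name, l_name) == 1


def body_text(msg) -> str:
    """Concatenate the text parts of a parsed message (single-part or multipart)."""
    if not msg.is_multipart():
        return msg.get_payload()
    parts = [p.get_payload(decode=True).decode(errors="replace")
             for p in msg.walk() if p.get_content_type() == "text/plain"]
    return "\n".join(parts)


def phishing_indicators(raw_message: str, brands=KNOWN_BRANDS) -> list:
    """Return human-readable findings for one raw RFC 822 message; [] means clean."""
    msg = message_from_string(raw_message)
    findings = []

    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = registrable_domain(addr.rpartition("@")[2]) if "@" in addr else ""

    # Which brand does the display name pose as? A real bank mails from its own domain.
    claimed = next((b for b in brands if b in display.lower().replace(" ", "")), None)
    if claimed and sender_domain != brands[claimed]:
        findings.append(f"display name claims {claimed} but sender domain is "
                        f"{sender_domain}, not {brands[claimed]}")

    subject = msg.get("Subject", "").lower()
    if any(p in subject for p in URGENCY_PHRASES):
        findings.append(f"urgent-sounding subject: {msg.get('Subject')!r}")

    # Judge every link against the claimed brand, or against all brands if none is claimed.
    targets = [brands[claimed]] if claimed else list(brands.values())
    for url in URL_RE.findall(body_text(msg)):
        dom = registrable_domain(urlparse(url).hostname or "")
        if dom in targets:
            continue
        if any(looks_like(dom, legit) for legit in targets):
            findings.append(f"link {url} goes to look-alike domain {dom}")
        elif claimed:
            findings.append(f"link {url} goes to {dom}, not {brands[claimed]}")
    return findings


# Constructed sample messages for demonstration only.
SAMPLE_PHISH = """\
From: YourBank Customer Service <service@yourbank-alerts.net>
To: customer@example.com
Subject: Urgent: Please update your information

Dear customer,
Your account will be locked unless you update your details at
http://secure.yourbank.net/login within 24 hours.
"""

SAMPLE_LEGIT = """\
From: YourBank <alerts@yourbank.com>
To: customer@example.com
Subject: Your monthly statement is ready

Sign in at https://www.yourbank.com/statements to view it.
"""

if __name__ == "__main__":
    for name, raw in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(name, phishing_indicators(raw) or "no indicators")
```

The checker is deliberately heuristic: a legitimate message that happens to use an urgent subject will raise one finding, and a phisher who registers a domain that resembles no known brand will only be caught on the sender mismatch. That is the point the article makes: each safeguard narrows the attacker's options rather than closing them.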
The point is, the Internet has created a new medium for con artists, and every new safeguard that's put in place will challenge the criminals to find a way around it. Online policies that may once have seemed harmless, like posting the usernames of the people who are bidding on an auction item, may need to be re-thought. And Internet users themselves will have to be more and more careful about where and when they send their personal information off into cyberspace.
Now try and answer these questions:
- What is "phishing"?
- How is "phishing" more sophisticated than older online scams?
- Who is most responsible for protecting Internet users from fraud and identity theft?
- If you were asked to come up with new ways to prevent phishing attacks, what obstacles do you think you would face?
- What freedoms might come in conflict with online fraud protection?
The Anti-Phishing Working Group is an industry association dedicated to fighting this kind of Internet fraud.
To learn how to protect yourself, check out Phishing, by the Federal Trade Commission.
To see if you can spot phishing emails, take the Phishing IQ Test by the security company MailFrontier.