Phishing is a growth business on the Internet, and that is not a good thing for anyone. This includes companies that dream of doing more business online.
Phishing occurs when you receive an e-mail that purportedly comes from your bank, credit card company, eBay, ISP or other company known to you. The message tells a tale about an expiring account or stolen password and warns that you must act to prevent something undesirable or nefarious from happening.
If you haven’t been forewarned, you might easily fall for it. The message seems authentic and has a URL that looks like it is from the purported sender. Click on the link, and you will be sent to a Web site with the look and feel of the one that you are used to visiting. It might have a Trust-E logo, too, or another real but mostly useless Internet privacy or business seal.
You then will be asked for your name, number, password or other personal information needed to verify your identity and to prevent the harm or to provide the benefit. Fill out the form provided, and you soon will find your account looted, your credit card charged with purchases you never made or that you otherwise have become a victim of identity theft. A phisher is a plain vanilla crook.
Who would fall for such a silly scheme? Estimates are that 3 million Americans have become victims, and the losses are more than $1 billion. Those old numbers may be gross underestimates. Like I said, it’s a growth business. By the way, the name is a derivative of fishing, with a traditional hacker substitution of ph for the letter f. Some may remember phone phreaking (freaking) from an earlier era.
Companies are fighting back. They tell customers that they will never send mail asking people to disclose their account numbers or passwords. An industry-sponsored Anti-Phishing Working Group (www.antiphishing.org) exists. Consumer education is fine, but I put little hope in it. A zillion government advisory committees, interest groups and others want to educate consumers about nutrition, tire safety, the metric system or what have you.
Politicians also are getting into the act. Sen. Patrick Leahy, D-VT, recently introduced S. 2636, Anti-Phishing Act of 2004. It is interesting how much legislation is being proposed or passed to deal with unsavory conduct on the Internet. Phishing is already illegal, but proving the crime can be difficult, so the legislation essentially criminalizes the attempt.
The problem with using criminal law is that phishers run their Web sites for a week, hour or even a few minutes and then disappear. Many operate overseas so even if their conduct violates U.S. law, catching them is virtually impossible. It seems to be a nearly risk-free crime.
I can’t tell you how many phishing messages I have received. My ISP’s spam filter seems to find almost all of them, and very few reach my inbox. However, I estimate that I get several a week.
So what’s the lesson? For consumers, one lesson is not to be so gullible. Don’t believe everything that you read in an e-mail. Consumers know what to do with a message offering porn, body part enlargement or narcotics. These messages usually have the look and feel of sleaze. My favorite recent spam came from a person identified as “Random First Name” and “Random Last Name.” Spammers aren’t always that bright.
But a message from a phisher looks like it was designed by Madison Avenue, and that’s why it fools so many. It’s bad enough that when I got a notice recently from eBay about a class-action lawsuit, I spent 10 minutes on the Internet checking it out to ensure it was a legitimate message. Still, I felt better when I decided to ignore it for other reasons. Can’t be too careful.
Another lesson for consumers is that the Internet is dangerous. It’s full of crooks, vandals and others who are up to no good. If the phishers don’t get you, then maybe the spammers will make e-mail unpalatable by filling your inbox with trash. Or the virus distributors will destroy your computer by erasing files. Or the spyware merchants will bombard you with advertising, hijack your home page or otherwise interfere with your use of the Internet. Or someone else will surreptitiously install a keystroke logger program on your computer and steal all of your passwords.
I have grown increasingly reluctant to use the Internet for purchases. It is harder and harder to trust that the Web site on your screen is really what it purports to be. I am more wary about e-mail. I won’t use a public terminal to read it. You never know what programs have been installed to monitor your keystrokes and steal your information. I recently declined to use a relative’s personal computer unless I could first install and run a spyware program.
What’s the lesson for merchants? All the hype about doing business on the Internet is giving way to a new reality. The Internet is being nibbled – or perhaps gobbled – to death by crooks, and it is only going to get worse. So far, government action hasn’t made a dent in illegal or shady Internet activities.
I am beginning to have doubts about the long-term viability of the Internet.